LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-18-2009, 07:11 PM   #166
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel "nfs_permission()" EXEC Security Bypass Vulnerability


Quote:
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to bypass security restrictions. This issue is caused by an error in the "nfs_permission()" [fs/nfs/dir.c] function that does not check execute (i.e. EXEC or MAY_EXEC) permission bits when "atomic_open" is available, which could allow malicious users to bypass permissions and execute files.

Affected Products
Linux kernel versions 2.6.x

Solution
VUPEN Security is not aware of any vendor-supplied patch.
VUPEN Advisory
 
Old 06-03-2009, 03:12 AM   #167
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel e1000 Driver Denial of Service Vulnerability

Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "e1000_clean_rx_irq()" function in drivers/net/e1000/e1000_main.c. This can be exploited to cause a kernel panic via specially crafted network packets sent to an affected system.

Solution:
Fixed in the GIT repository.
http://git.kernel.org/linus/ea30e119...332554573b4a10
Secunia Advisory
 
Old 06-11-2009, 06:57 PM   #168
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel RTL8169 NIC Remote Denial of Service Vulnerability

Quote:
The Linux Kernel is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to crash the system, denying service to legitimate users.
Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.

Versions prior to Linux Kernel 2.6.30 are vulnerable.
Bugtraq ID: 35281
 
Old 07-07-2009, 12:40 PM   #169
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel "kvm_arch_vcpu_ioctl_set_sregs()" Denial of Service Issue

Quote:
Technical Description
A vulnerability has been identified in KVM, which could be exploited by local attackers to cause a denial of service. This issue is caused by an error in the "kvm_arch_vcpu_ioctl_set_sregs()" function that does not validate the page table root in a "KVM_SET_SREGS" call, which could allow malicious users to trigger a NULL pointer dereference and panic a vulnerable system, creating a denial of service condition.

Affected Products
Linux Kernel versions prior to 2.6.30.1

Solution
Upgrade to Linux Kernel version 2.6.30.1
VUPEN Advisory | CVE-2009-2287
 
Old 07-14-2009, 02:21 AM   #170
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel "PER_CLEAR_ON_SETID" Security Bypass Vulnerability

Quote:
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by malicious users to bypass security restrictions. This issue is caused due to the "PER_CLEAR_ON_SETID" mask not including "ADDR_COMPAT_LAYOUT" and "MMAP_PAGE_ZERO", which could allow local attackers to bypass the "mmap_min_addr" restrictions and ASLR restrictions.

Affected Products
Linux Kernel 2.6.x

Solution
Apply patch :
http://git.kernel.org/?p=linux/kerne...03ac7cfa9427b6
VUPEN Advisory
 
Old 07-17-2009, 07:46 PM   #171
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel "tun_chr_pool()" NULL Pointer Dereference Vulnerability

Quote:
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to cause a denial of service or gain elevated privileges. This issue is caused by a NULL pointer dereference error in the "tun_chr_poll()" [drivers/net/tun.c] function when opening and polling devices, which could allow a malicious user to corrupt memory leading to a kernel panic or arbitrary code execution with root privileges.

Affected Products
Linux Kernel version 2.6.30

Solution
A fix is available via GIT :
http://git.kernel.org/?p=linux/kerne...e04d9c8357ca13
VUPEN Advisory | CVE-2009-1897
 
Old 07-18-2009, 09:27 AM   #172
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
New Linux Flaw Enables Null Pointer Exploits

Please go here for complete information and discussion.
 
Old 07-20-2009, 11:30 AM   #173
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Lunux 2.6.30.2 has been released.

It includes fixes for at least two security vulnerabilities.

The changelog is available here.
Quote:
personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)

commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream.

We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.

The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

We believe it is important to add MMAP_PAGE_ZERO, because by using this
personality it is possible to have the first page mapped inside a
process running as setuid root. This could be used in those scenarios:

- Exploiting a NULL pointer dereference issue in a setuid root binary
- Bypassing the mmap_min_addr restrictions of the Linux kernel: by
running a setuid binary that would drop privileges before giving us
control back (for instance by loading a user-supplied library), we
could get the first page mapped in a process we control. By further
using mremap and mprotect on this mapping, we can then completely
bypass the mmap_min_addr restrictions.

Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on x86 32bits it will in practice disable most of the address
space layout randomization (only the stack will remain randomized).
CVE-2009-1895

Quote:
tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897)

commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 upstream.

Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
packets per device") and triggered by this code:

int fd;
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
CVE-2009-1897
 
Old 07-30-2009, 02:39 AM   #174
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel eCryptfs Two Vulnerabilities

Quote:
Two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious people to potentially compromise a user's system.

1) A boundary error in the processing of tag 11 packets can be exploited to cause a stack-based buffer overflow via an eCryptfs file containing a specially crafted metadata section.

2) A boundary error in the "parse_tag_3_packet()" eCryptfs function can be exploited to cause a heap-based buffer overflow via a tag 3 packet containing an overly large encrypted key size.

Successful exploitation may allow execution of arbitrary code, but requires that a user is tricked into processing a specially crafted eCryptfs file.

The vulnerabilities are reported in version 2.6.30.3. Other versions may also be affected.
Secunia Advisory
 
Old 08-04-2009, 07:45 AM   #175
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel "sigaltstack()" Information Disclosure

Quote:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.

The security issue is caused due to an error in the implementation of the "sigaltstack()" function and can be exploited to disclose a limited amount of kernel stack memory.

Successful exploitation may require that the kernel is running on a 64-bit platform.
Secunia Advisory
 
Old 08-04-2009, 07:46 AM   #176
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel "clear_child_tid" Memory Corruption

Quote:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to the kernel improperly using the "current->clear_child_tid" pointer from a parent process when writing to memory in a child process. This can be exploited to corrupt memory in a child process created with "fork()".
Secunia Advisory
 
Old 08-08-2009, 08:46 PM   #177
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel "clock_nanosleep()" Local Denial of Service Vulnerability

Quote:
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to cause a denial of service. This issue is caused by a NULL pointer dereference error in the "clock_nanosleep()" function when calling "do_nanosleep()" with a clock id set to "CLOCK_MONOTONIC_RAW", which could allow malicious users to panic a vulnerable system, creating a denial of service condition.
VUPEN Advisory
 
Old 08-11-2009, 12:11 PM   #178
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel "mm_for_maps()" Information Disclosure

Quote:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.

The vulnerability is caused due to an error within the "mm_for_maps()" function in fs/proc/base.c. This can be exploited to disclose the content of the "maps" and "smaps" files from the "/proc" filesystem for a setuid process which is starting.
Secunia Advisory
 
Old 08-13-2009, 05:29 PM   #179
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability

Quote:
The Linux kernel is prone to a local NULL-pointer dereference vulnerability.

A local attacker can exploit this issue to execute arbitrary code with superuser privileges or crash an affected kernel, denying service to legitimate users.
Bugtraq | CVE-2009-2692

The fix for this is here, and a dedicated LQ thread for discussion has been set up here.

Please note that this affects all 2.4 and 2.6 kernels since 2001 (all architectures).

Last edited by win32sux; 08-13-2009 at 05:32 PM.
 
Old 08-16-2009, 06:48 PM   #180
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.6.30.5 has been released.

It includes the aforementioned fix for CVE-2009-2692, and addresses at least one other vulnerability.

This other vulnerability is described by Secunia as:
Quote:
A NULL pointer dereference exists within the "cmp_ies()" function in net/wireless/scan.c. This can be exploited to crash a vulnerable system by tricking it into scanning and processing specially crafted SSID IEs.
The relevant changelog entry for it reads:
Code:
    cfg80211: add two missing NULL pointer checks
    
    commit cd3468bad96c00b5a512f551674f36776129520e upstream.
    
    These pointers can be NULL, the is_mesh() case isn't
    ever hit in the current kernel, but cmp_ies() can be
    hit under certain conditions.

Last edited by win32sux; 08-17-2009 at 10:54 PM. Reason: Added mention of cmp_ies() vulnerability.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Kernel 2.4 in Zipslack (Waring: unable to open an initial console | Kernel Panic...) kurtamos Linux - General 2 05-10-2006 12:58 PM
Kernel-Patch Debian Logo 2.6.2 not correctly working for custom kernel 2.6.11 smp deepclutch Debian 3 06-27-2005 03:59 AM
kernel panic: try passing init= option to kernel...installation with Red Hat 9 kergen Linux - Hardware 1 09-30-2004 03:28 AM
are there any vulns for kernel 2.6.5? trax Linux - Security 2 04-24-2004 04:10 PM
snort rules to vulns not yet published zuessh Linux - Security 1 02-12-2004 02:17 PM


All times are GMT -5. The time now is 07:14 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration