Linux Kernel "nfs_permission()" EXEC Security Bypass Vulnerability
Quote:
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to bypass security restrictions. This issue is caused by an error in the "nfs_permission()" [fs/nfs/dir.c] function that does not check execute (i.e. EXEC or MAY_EXEC) permission bits when "atomic_open" is available, which could allow malicious users to bypass permissions and execute files.
Affected Products
Linux kernel versions 2.6.x
Solution
VUPEN Security is not aware of any vendor-supplied patch.
Linux Kernel e1000 Driver Denial of Service Vulnerability
Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the "e1000_clean_rx_irq()" function in drivers/net/e1000/e1000_main.c. This can be exploited to cause a kernel panic via specially crafted network packets sent to an affected system.
Linux Kernel RTL8169 NIC Remote Denial of Service Vulnerability
Quote:
The Linux Kernel is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the system, denying service to legitimate users.
Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
Versions prior to Linux Kernel 2.6.30 are vulnerable.
Linux Kernel "kvm_arch_vcpu_ioctl_set_sregs()" Denial of Service Issue
Quote:
Technical Description
A vulnerability has been identified in KVM, which could be exploited by local attackers to cause a denial of service. This issue is caused by an error in the "kvm_arch_vcpu_ioctl_set_sregs()" function that does not validate the page table root in a "KVM_SET_SREGS" call, which could allow malicious users to trigger a NULL pointer dereference and panic a vulnerable system, creating a denial of service condition.
Affected Products
Linux Kernel versions prior to 2.6.30.1
Linux Kernel "PER_CLEAR_ON_SETID" Security Bypass Vulnerability
Quote:
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by malicious users to bypass security restrictions. This issue is caused due to the "PER_CLEAR_ON_SETID" mask not including "ADDR_COMPAT_LAYOUT" and "MMAP_PAGE_ZERO", which could allow local attackers to bypass the "mmap_min_addr" restrictions and ASLR restrictions.
Linux Kernel "tun_chr_poll()" NULL Pointer Dereference Vulnerability
Quote:
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to cause a denial of service or gain elevated privileges. This issue is caused by a NULL pointer dereference error in the "tun_chr_poll()" [drivers/net/tun.c] function when opening and polling devices, which could allow a malicious user to corrupt memory leading to a kernel panic or arbitrary code execution with root privileges.
We have found that the current PER_CLEAR_ON_SETID mask on Linux includes neither ADDR_COMPAT_LAYOUT nor MMAP_PAGE_ZERO. The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

We believe it is important to add MMAP_PAGE_ZERO, because by using this personality it is possible to have the first page mapped inside a process running as setuid root. This could be used in those scenarios:

- Exploiting a NULL pointer dereference issue in a setuid root binary
- Bypassing the mmap_min_addr restrictions of the Linux kernel: by running a setuid binary that would drop privileges before giving us control back (for instance by loading a user-supplied library), we could get the first page mapped in a process we control. By further using mremap and mprotect on this mapping, we can then completely bypass the mmap_min_addr restrictions.

Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added since on x86 32bits it will in practice disable most of the address space layout randomization (only the stack will remain randomized).
Fix NULL pointer dereference in tun_chr_poll() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code:
Two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious people to potentially compromise a user's system.
1) A boundary error in the processing of tag 11 packets can be exploited to cause a stack-based buffer overflow via an eCryptfs file containing a specially crafted metadata section.
2) A boundary error in the "parse_tag_3_packet()" eCryptfs function can be exploited to cause a heap-based buffer overflow via a tag 3 packet containing an overly large encrypted key size.
Successful exploitation may allow execution of arbitrary code, but requires that a user is tricked into processing a specially crafted eCryptfs file.
The vulnerabilities are reported in version 2.6.30.3. Other versions may also be affected.
Linux Kernel "sigaltstack()" Information Disclosure
Quote:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.
The security issue is caused due to an error in the implementation of the "sigaltstack()" function and can be exploited to disclose a limited amount of kernel stack memory.
Successful exploitation may require that the kernel is running on a 64-bit platform.
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to the kernel improperly using the "current->clear_child_tid" pointer from a parent process when writing to memory in a child process. This can be exploited to corrupt memory in a child process created with "fork()".
Linux Kernel "clock_nanosleep()" Local Denial of Service Vulnerability
Quote:
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to cause a denial of service. This issue is caused by a NULL pointer dereference error in the "clock_nanosleep()" function when calling "do_nanosleep()" with a clock id set to "CLOCK_MONOTONIC_RAW", which could allow malicious users to panic a vulnerable system, creating a denial of service condition.
Linux Kernel "mm_for_maps()" Information Disclosure
Quote:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.
The vulnerability is caused due to an error within the "mm_for_maps()" function in fs/proc/base.c. This can be exploited to disclose the content of the "maps" and "smaps" files from the "/proc" filesystem for a setuid process which is starting.
Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability
Quote:
The Linux kernel is prone to a local NULL-pointer dereference vulnerability.
A local attacker can exploit this issue to execute arbitrary code with superuser privileges or crash an affected kernel, denying service to legitimate users.
A NULL pointer dereference exists within the "cmp_ies()" function in net/wireless/scan.c. This can be exploited to crash a vulnerable system by tricking it into scanning and processing specially crafted SSID IEs.
cfg80211: add two missing NULL pointer checks

commit cd3468bad96c00b5a512f551674f36776129520e upstream.

These pointers can be NULL, the is_mesh() case isn't ever hit in the current kernel, but cmp_ies() can be hit under certain conditions.
Last edited by win32sux; 08-17-2009 at 10:54 PM.
Reason: Added mention of cmp_ies() vulnerability.
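The PER_CLEAR_ON_SETID report quoted above turns on one detail: which personality flags the kernel strips when it execs a setuid/setgid binary. The C program below is an added example, not code from the thread, the report or the kernel. It models the stripping with the two masks the report gives (the shipped READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE, and that mask with ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO added), parses the text of the vm.mmap_min_addr sysctl that the NULL-page advisories on this page all hinge on, and reports whether page zero could end up mapped in a process after such an exec. The flag values are the kernel's own personality constants; the function names, macro names and sample sysctl text are this example's assumptions.

```c
/* Added example (not from the thread or the kernel): models how the
 * PER_CLEAR_ON_SETID mask strips personality flags across a setuid exec,
 * and checks the mmap_min_addr sysctl that low mappings must get past. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/personality.h>

/* Flag values as defined in the kernel's uapi personality.h (glibc exposes
 * them as enumerators, so the guards only matter on a libc without them). */
#ifndef ADDR_NO_RANDOMIZE
#define ADDR_NO_RANDOMIZE  0x0040000
#endif
#ifndef MMAP_PAGE_ZERO
#define MMAP_PAGE_ZERO     0x0100000
#endif
#ifndef ADDR_COMPAT_LAYOUT
#define ADDR_COMPAT_LAYOUT 0x0200000
#endif
#ifndef READ_IMPLIES_EXEC
#define READ_IMPLIES_EXEC  0x0400000
#endif

/* Mask as shipped in the affected kernels, quoted in the report. */
#define PER_CLEAR_ON_SETID_VULNERABLE (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)
/* Mask with the two additions the report asks for (name is this example's). */
#define PER_CLEAR_ON_SETID_PROPOSED \
    (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

/* Personality flags that survive the kernel clearing `clear_mask` on exec
 * of a setuid/setgid binary. */
unsigned long personality_after_setid(unsigned long persona, unsigned long clear_mask)
{
    return persona & ~clear_mask;
}

/* Parse the text of /proc/sys/vm/mmap_min_addr (e.g. "65536\n").
 * Returns 0 and stores the value, or -1 if the text is not a plain
 * non-negative decimal number. */
int parse_mmap_min_addr(const char *text, unsigned long *out)
{
    const char *p = text;
    char *end;
    unsigned long v;

    while (*p == ' ' || *p == '\t')
        p++;
    if (*p < '0' || *p > '9')          /* rejects empty input, signs, garbage */
        return -1;
    errno = 0;
    v = strtoul(p, &end, 10);
    if (errno != 0)                    /* overflow */
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    if (*end != '\0')                  /* trailing junk */
        return -1;
    *out = v;
    return 0;
}

/* 1 if a process left with these personality flags can end up with page
 * zero mapped: either MMAP_PAGE_ZERO survived (the loader maps the first
 * page at exec, which is what the report describes), or mmap_min_addr is
 * 0 and does not forbid a low mapping at all. */
int null_page_reachable(unsigned long persona_after, unsigned long mmap_min_addr)
{
    if (persona_after & MMAP_PAGE_ZERO)
        return 1;
    return mmap_min_addr == 0;
}

/* Stand-alone run: report for the calling process on the local kernel. */
int main(void)
{
    char buf[64];
    unsigned long min_addr = 0;
    unsigned long persona = (unsigned long)personality(0xffffffff); /* query only */
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");

    if (!f || !fgets(buf, sizeof buf, f) || parse_mmap_min_addr(buf, &min_addr) != 0) {
        fprintf(stderr, "cannot read /proc/sys/vm/mmap_min_addr\n");
        if (f)
            fclose(f);
        return 1;
    }
    fclose(f);

    printf("mmap_min_addr=%lu current personality=0x%lx\n", min_addr, persona);
    unsigned long vuln = personality_after_setid(persona, PER_CLEAR_ON_SETID_VULNERABLE);
    unsigned long prop = personality_after_setid(persona, PER_CLEAR_ON_SETID_PROPOSED);
    printf("after setuid exec, shipped mask:  0x%lx (page 0 reachable: %d)\n",
           vuln, null_page_reachable(vuln, min_addr));
    printf("after setuid exec, proposed mask: 0x%lx (page 0 reachable: %d)\n",
           prop, null_page_reachable(prop, min_addr));
    return 0;
}
```

Run it under `setarch -Z` (which sets MMAP_PAGE_ZERO) to see the difference between the two masks: with the shipped mask the flag survives the modelled setuid exec and page zero stays reachable whatever vm.mmap_min_addr says; with the proposed mask it is stripped and only the sysctl value decides.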
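The cfg80211 entry above (and the tun_chr_poll() and sock_sendpage() entries) all come down to a pointer that can legitimately be NULL being used without a check. As an added example, not code from the thread or from the kernel, the C below shows the pattern for the cmp_ies() case: a bounds-checked lookup of one 802.11 information element (the standard 1-byte id, 1-byte length, payload encoding) in a scan result, followed by a comparison that handles the element being absent on either side instead of dereferencing the NULL lookup. The function names mirror the kernel's, but the bodies, the WLAN_EID_SSID constant and the sample beacon buffers are constructed for this example.

```c
/* Added example (not kernel code): NULL-safe lookup and comparison of one
 * 802.11 information element in a scan result. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_SSID 0   /* element id of the SSID IE (802.11) */

/* Constructed sample scan results, not captured traffic: each is a run of
 * id/len/payload triples. */
static const uint8_t beacon_ssid_lab[]     = { 0, 3, 'l', 'a', 'b', 1, 2, 0x82, 0x84 };
static const uint8_t beacon_ssid_lab_alt[] = { 0, 3, 'l', 'a', 'b', 1, 1, 0x0c };
static const uint8_t beacon_no_ssid[]      = { 1, 2, 0x82, 0x84 };
static const uint8_t beacon_truncated[]    = { 0, 10, 'l' };   /* length runs past end */

/* Return a pointer to the IE with id `num` inside `ies` (`len` bytes), or
 * NULL when the buffer is NULL, the element is absent, or an element's
 * declared length runs past the end of the buffer. */
const uint8_t *find_ie(uint8_t num, const uint8_t *ies, size_t len)
{
    if (ies == NULL)
        return NULL;
    while (len >= 2) {
        uint8_t id = ies[0];
        size_t ielen = ies[1];
        if (ielen + 2 > len)           /* truncated element: stop, do not read past */
            return NULL;
        if (id == num)
            return ies;
        ies += ielen + 2;
        len -= ielen + 2;
    }
    return NULL;
}

/* Compare element `num` across two IE buffers: 0 when both carry the same
 * element or neither has it, non-zero otherwise. The second test is the
 * check the commit message above describes as missing: one side absent. */
int cmp_ies(uint8_t num, const uint8_t *ies1, size_t len1,
            const uint8_t *ies2, size_t len2)
{
    const uint8_t *ie1 = find_ie(num, ies1, len1);
    const uint8_t *ie2 = find_ie(num, ies2, len2);

    if (ie1 == NULL && ie2 == NULL)
        return 0;
    if (ie1 == NULL || ie2 == NULL)    /* never reach ie1[1] / ie2[1] through NULL */
        return -1;
    if (ie1[1] != ie2[1])
        return (int)ie2[1] - (int)ie1[1];
    return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
}

/* Stand-alone run over the constructed samples. */
int main(void)
{
    printf("lab vs lab_alt (same SSID): %d\n",
           cmp_ies(WLAN_EID_SSID, beacon_ssid_lab, sizeof beacon_ssid_lab,
                   beacon_ssid_lab_alt, sizeof beacon_ssid_lab_alt));
    printf("lab vs no_ssid (one side missing): %d\n",
           cmp_ies(WLAN_EID_SSID, beacon_ssid_lab, sizeof beacon_ssid_lab,
                   beacon_no_ssid, sizeof beacon_no_ssid));
    printf("no_ssid vs NULL buffer (both missing): %d\n",
           cmp_ies(WLAN_EID_SSID, beacon_no_ssid, sizeof beacon_no_ssid, NULL, 0));
    printf("truncated buffer yields SSID IE: %s\n",
           find_ie(WLAN_EID_SSID, beacon_truncated, sizeof beacon_truncated) ? "yes" : "no");
    return 0;
}
```

The two things a reviewer looks for in code like this are both present: the lookup refuses an element whose declared length overruns the buffer, and the comparison treats "absent on one side" as a result rather than as a pointer to dereference.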