Kernel Vulns

win32sux · 08-31-2006, 04:14 PM

Linux 2.4.33.3 has been released.

It includes a patch for CVE-2006-4145 (UDF deadlock and memory corruption).

The full ChangeLog is here.

win32sux · 09-11-2006, 06:06 PM

Quote:

Description:
Ang Way Chuang has reported a vulnerability in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the ULE (Unidirectional Lightweight Encapsulation) decapsulation code when processing ULE packets. This can be exploited to crash the system by sending a malicious ULE packet with an SNDU (Sub Network Data Unit) size of 0.

The vulnerability has been reported in version 2.6.17.11. Other versions may also be affected.

Solution:
Secunia is currently not aware of an official version fixing the vulnerability.

Secunia Advisory | CVE-2006-4623

win32sux · 09-15-2006, 02:06 AM

It consists of many bugfixes, three of which address security vulnerabilities.

Quote:

Security fixes since 2.6.16.28:
- CVE-2006-3468: fix NFS over ext3 DoS
- fix NFS over ext2 DoS
- ipv6: fix oops triggerable by any user

ChangeLog | Patch | Tarball

win32sux · 09-19-2006, 01:08 PM

Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the handling of SCTP sockets. This can be exploited to crash the Kernel by opening a SCTP socket with a special SO_LINGER value.

Solution:
Restrict access to trusted users only.

Secunia Advisory | CVE-2006-4535

NOTE: This affects both 2.4 and 2.6 kernels.

win32sux · 10-07-2006, 12:48 AM

Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

The vulnerability is caused due to the "copy_from_user" function not correctly clearing kernel buffers after receiving a fault because of invalid user space addresses. This can be exploited to read uninitialised kernel memory by appending to files from invalid addresses.

Note: The vulnerability affects the s390 architecture only.

Solution:
The vulnerability has been fixed in version 2.6.19-rc1.

Secunia Advisory | CVE-2006-5174

win32sux · 10-07-2006, 12:51 AM

Quote:

Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).

1) The "sys_perfmon()" function on Itanium (IA64) systems does not correctly handle file descriptor reference counts, which can be exploited to cause a DoS by consuming all available file descriptors.

2) The "clip_mkip()" function in net/atm/clip.c may dereference a previously freed pointer when processing received data, which can be exploited to cause a kernel panic.

Solution:
Update to version 2.6.18.

Secunia Advisory | CVE-2006-3741 | CVE-2006-4997

win32sux · 10-11-2006, 07:21 AM

Quote:

Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "clip_mkip()" function in the ATM (Asynchronous Transfer Mode) subsystem and can be exploited to cause a kernel panic.

Successful exploitation requires installed ATM hardware and configured ATM support.

Solution:
The vulnerability has been fixed in version 2.4.34-pre4.

Secunia Advisory | CVE-2006-4997

win32sux · 10-13-2006, 08:21 PM

It's a maintenance release, but it addresses a security vulnerability:

Quote:

dvb-core: Proper handling ULE SNDU length of 0

ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
code has a bug that allows an attacker to send a malformed ULE packet
with SNDU length of 0 and bring down the receiving machine. This patch
fix the bug and has been tested on version 2.6.17.11. This bug is 100%
reproducible and the modified source code (GPL) used to produce this bug
will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
kernel will produce a dump during CRC32 checking on faulty ULE packet.

ChangeLog | CVE-2006-4623

win32sux · 10-14-2006, 01:46 AM

It includes a patch for an s390 architecture vulnerability:

Quote:

[S390] user readable uninitialised kernel memory.

A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.

ChangeLog | CVE-2006-5174

win32sux · 11-01-2006, 08:43 AM

Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the handling of seqfiles for "/proc/net/ip6_flowlabel", which can be exploited to cause kernel lockups and crashes via specially crafted flow labels.

Solution:
Fixed in the GIT repository.

Secunia Advisory | CVE-2006-5619

win32sux · 11-03-2006, 09:41 PM

It includes many bugfixes, one of which addresses the ip6_flowlabel vulnerabilty above:

Quote:

IPV6: fix lockup via /proc/net/ip6_flowlabel [CVE-2006-5619]

ChangeLog

win32sux · 11-03-2006, 09:53 PM

It includes many bugfixes, three of which address security vulnerabilities:

Quote:

[IA64] correct file descriptor reference counting in perfmon (CVE-2006-3741)

[ATM] CLIP: Do not refer freed skbuff in clip_mkip() (CVE-2006-4997)

dvb-core: Proper handling ULE SNDU length of 0 (CVE-2006-4623)

ChangeLog

win32sux · 11-06-2006, 11:06 AM

Quote:

Description:
LMH has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to race conditions within the implementation of the ISO9660 file system. This can be exploited to cause an infinite loop in the "isofs_get_blocks()" function by mounting a specially crafted ISO9660 image and performing a read operation on the mounted file system.

Solution:
Allow only trusted users to mount ISO9660 images.

Secunia Advisory

win32sux · 11-07-2006, 12:37 PM

Quote:

Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerabilities are caused due to the incorrect processing of certain fragmented IPv6 packets. This can be exploited to bypass filtering rules by sending specially crafted packets.

Solution:
Fixed in the GIT repository.

Secunia Advisory

win32sux · 11-19-2006, 04:49 AM

I missed the last two releases for the 2.6.16.y branch. =/

2.6.16.31 was released the 7th, while 2.6.16.32 was released the 15th.

Both releases addressed security vulnerabilities.

For 2.6.16.31:

Quote:

[NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)

As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header
matches.

When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.

Quote:

[NETFILTER]: Fix ip6_tables protocol bypass bug (CVE-2006-4572)

As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on protocol matches.

When the protocol header doesn't follow the fragment header immediately,
the fragment header contains the protocol number of the next extension
header. When the extension header and the protocol header are sent in
a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.

Quote:

[IPV6]: fix lockup via /proc/net/ip6_flowlabel (CVE-2006-5619)

There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
after finding a flowlabel, the code will loop forever not finding any
further flowlabels, first traversing the rest of the hash bucket then just
looping.

This patch fixes the problem by breaking after the hash bucket has been
traversed.

Note that this bug can cause lockups and oopses, and is trivially invoked
by an unpriveleged user.

Quote:

[S390] fix user readable uninitialised kernel memory (CVE-2006-5174)

A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.

ChangeLog | CVE-2006-4572 | CVE-2006-5619 | CVE-2006-5174

For 2.6.16.32:

Quote:

ia64/sparc: fix local DoS with corrupted ELFs (CVE-2006-4538)

This patch prevents cross-region mappings
on IA64 and SPARC which could lead to system crash.

ChangeLog | CVE-2006-4538