Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I would like to ask anyone who sees kernel vulnerabilities posted to add them to this thread. This way we can make sure they're published centrally. Please add a good, short title or CVE ID and the date it was published. If you post a summary keep it concise and please link to the original publication.
Please note this thread serves as a listing and not for *discussing* those vulnerabilities: please create a separate thread. Thanks.
FYI from win32sux to all: I am now unable to post vulnerabilities regarding the 2.4 branch, as well as prior 2.6 branches. In other words, I am only posting vulnerabilities which affect the latest stable 2.6 branch. Also, please keep in mind that I only announce new kernel releases when they include patches to known security vulnerabilities.
Advisory ID : FrSIRT/ADV-2006-0035
CVE ID : CVE-2005-3358
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-01-04
Technical Description
Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by malicious users to cause a denial of service and potentially obtain elevated privileges.
- The first issue is due to an error in "mm/mempolicy.c" when handling policy system calls, which could be exploited by local attackers to cause a denial of service via a "set_mempolicy" call with a 0 bitmask.
- The second flaw is due to a one-byte buffer overrun error in "kernel/sysctl.c" when processing an overly long user-supplied string, which could be exploited by local attackers to potentially execute arbitrary commands.
- The third vulnerability is due to an error in "net/ipv4/fib_frontend.c" when processing malformed "fib_lookup" netlink messages, which could cause illegal memory references.
- The fourth issue is due to a buffer overflow error in the CA-driver for TwinHan DST Frontend/Card [drivers/media/dvb/bt8xx/dst_ca.c], which could be exploited by malicious users to cause a denial of service or potentially execute arbitrary commands.
Advisory ID : FrSIRT/ADV-2006-0220
CVE ID : CVE-2006-0035 - CVE-2006-0036 - CVE-2006-0037
Rated as : Moderate Risk
CVSS Severity: 3.5 (Low), 3.3 (Low), 2.3 (Low)
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-16
Technical Description
Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by remote or local attackers to cause a denial of service.
The first issue is due to an infinite loop in the "netlink_rcv_skb" [af_netlink.c] function when handling a specially crafted "nlmsg_len" value, which could be exploited by local attackers to cause a denial of service.
The second flaw is due to an error in the PPTP NAT helper that does not properly calculate the offset when handling an inbound "PPTP_IN_CALL_REQUEST" packet, which could be exploited by attackers to crash a vulnerable system.
The third vulnerability is due to an error in the PPTP NAT helper that does not properly calculate the offset based on the difference between two pointers to the header, which could be exploited by attackers to cause a kernel crash.
Advisory ID : FrSIRT/ADV-2006-0235
CVE ID : CVE-2006-0095
Rated as : Low Risk
CVSS Severity: 1.6 (Low)
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-01-17
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to gain knowledge of sensitive information. This flaw is due to an error in the "dm-crypt" [drivers/md/dm-crypt.c] driver that fails to properly clear memory before freeing it, which could be exploited by malicious users to disclose sensitive information about cryptographic keys.
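The dm-crypt entry above is about key material left behind in freed memory. The following is an added illustration, not code from the advisory or from dm-crypt itself: a hypothetical key context (`struct key_ctx`, `KEY_LEN` and the constructed key bytes are assumptions) is torn down once the leaky way and once with an explicit wipe before release, and the caller counts how many key bytes were still present at the moment of free(). The wipe goes through a volatile pointer because a plain memset() immediately before free() is a dead store the compiler may legally drop; the kernel's equivalents today are memzero_explicit() and kfree_sensitive().

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the constructed sample key (assumption; not a dm-crypt value). */
#define KEY_LEN 32

/* Hypothetical context holding key material, standing in for a crypt config. */
struct key_ctx {
    unsigned char key[KEY_LEN];
    size_t key_len;
};

/* Zero secret bytes through a volatile pointer so the compiler cannot treat
 * the stores as dead just because the buffer is freed next. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Counts the non-zero key bytes present in the context; measured just before
 * free(), this is exactly what a later allocation of the same block could see. */
static size_t residue(const struct key_ctx *ctx)
{
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        if (ctx->key[i] != 0)
            n++;
    return n;
}

/* Before: the context is released with the key still inside. */
static size_t teardown_leaky(struct key_ctx *ctx)
{
    size_t left = residue(ctx);     /* inspect just before release */
    free(ctx);
    return left;
}

/* After: key material is erased before the memory is released. */
static size_t teardown_wiped(struct key_ctx *ctx)
{
    wipe(ctx->key, sizeof ctx->key);
    ctx->key_len = 0;
    size_t left = residue(ctx);
    free(ctx);
    return left;
}

/* Builds a context with a constructed non-zero key and tears it down the
 * leaky (hardened == 0) or the hardened way; returns surviving key bytes. */
size_t key_bytes_left_at_free(int hardened)
{
    struct key_ctx *ctx = malloc(sizeof *ctx);
    if (!ctx)
        return (size_t)-1;
    for (size_t i = 0; i < KEY_LEN; i++)
        ctx->key[i] = (unsigned char)(0x41 + i);   /* constructed key bytes */
    ctx->key_len = KEY_LEN;
    return hardened ? teardown_wiped(ctx) : teardown_leaky(ctx);
}

int main(void)
{
    printf("key bytes left at free, leaky teardown:    %zu\n", key_bytes_left_at_free(0));
    printf("key bytes left at free, hardened teardown: %zu\n", key_bytes_left_at_free(1));
    return 0;
}
```

The same pattern applies to any structure that carries secrets (IVs, derived keys, passphrase buffers): wipe in the teardown path, not at the call sites, so no release path can forget it.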
2006-02-02 CVE-2006-0482 (compat_sys_clock_settime for SPARC)
Advisory ID : FrSIRT/ADV-2006-0418
CVE ID : CVE-2006-0482
Rated as : Low Risk
CVSS Severity: 1.6 (Low)
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-02-02
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by malicious users to cause a denial of service. This flaw is due to an error in the "compat_sys_clock_settime()" [arch/sparc64/kernel/sys32.S] function that provides invalid sign extended arguments to the "get_compat_timespec()" function call when processing a "date -s" command on SPARC architectures, which could be exploited by local attackers to panic the system, creating a denial of service condition.
Affected Products
Linux Kernel version 2.6.15.1 and prior
Solution
The FrSIRT is not aware of any official supplied patch for this issue.
Advisory ID : FrSIRT/ADV-2006-0464
CVE ID : CVE-2006-0454
Rated as : Moderate Risk
CVSS Severity: 2.3 (Low)
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-08
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by remote attackers to cause a denial of service. This flaw is due to an error in the "ip_options_echo()" [net/ipv4/icmp.c] function when constructing an ICMP response, which could be exploited by remote attackers to cause a denial of service by sending specially crafted ICMP packets containing record-route or timestamp IP options to a vulnerable system.
Description
Linux kernel is reported prone to an unspecified local denial of service vulnerability. It was reported that this issue arises when a local user triggers stack fault exceptions. A local attacker may exploit this issue to carry out a denial of service attack against a vulnerable computer by crashing the kernel.
Affected Products
Linux Kernel versions 2.4 to 2.6
Description:
Some vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
1) An error in the "nfs_get_user_pages()" function due to insufficient checks on the return value returned by the "get_user_pages()" function can be exploited to cause a local DoS by performing an O_DIRECT write to an NFS file where the user buffer starts with a valid mapped page, but also contains an unmapped page.
2) Missing checks for bad elf entry addresses can be exploited to cause an endless recursive fault on Intel systems, which results in a local DoS.
An error in the XFS "ftruncate()" function, which may expose stale data off disk to users, has also been reported.
Description:
A vulnerability has been reported in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to the "die_if_kernel()" function in "arch/ia64/kernel/unaligned.c" being erroneously marked with a "noreturn" attribute. This can potentially be exploited to cause a DoS on Itanium systems, when the kernel is compiled with certain versions of the gcc compiler.
Description
Two vulnerabilities have been reported in the Linux Kernel, which have an unknown impact.
1) An integer overflow error exists within the "do_replace()" function in Netfilter. This can be exploited to cause a buffer overflow and allows the overwrite of arbitrary amounts of kernel memory when data is copied from user space.
2) Insufficient memory allocation in "drivers/usb/gadget/rndis.c" when handling NDIS response to OID_GEN_SUPPORTED_LIST may cause kernel memory corruption.
An integer overflow error exists within the "do_replace()" function in Netfilter. This can be exploited to cause a buffer overflow and allows the overwrite of arbitrary amounts of kernel memory when data is copied from user space.
As a member of the netfilter core team, I would like to ask you to immediately stop spreading false information about an allegedly remotely exploitable vulnerability that simply doesn't exist.

I don't know how you come to the conclusion at http://www.securityfocus.com/bid/17178/discuss, that "This issue allows remote attackers to overwrite kernel memory with arbitrary data, potentially allowing them to execute malicious machine code in the context of affected kernels."

The respective bug [called do_replace() bug] is in a code path that can ONLY be executed by a local root user. In fact, it is a bug in the codepath for ruleset changes.

So unless you have a locally malicious root user (which could change the ruleset anyway, and very likely load arbitrary code via kernel modules or patch /proc/kmem), there is nothing that can be exploited. Neither for local non-root users, nor for any remote party.

Please correct information in your vulnerability data base as soon as possible! Your wrong assessment has already been picked up by some other news sites, and users are starting to inquire the project about a security threat that doesn't even exist.

Thanks in advance,
Harald
NOTE: This post is only meant as a follow-up, to further inform admins about this specific bug (so that no unnecessary freaking-out occurs). It should not be interpreted as a "discussion starter" in any way. To discuss this bug (or any others), please use a separate thread, as was indicated in the OP by unSpawn. Thanks.
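The Secunia description above says the do_replace() bug is an integer overflow in a size computation that leads to a too-small buffer being overwritten during copy-in, and the netfilter follow-up points out that only root can reach that path. The pattern itself is general enough to be worth seeing, so here is an added example that is not netfilter code: a hypothetical `struct counter` stands in for the kernel's per-rule counter type, the unchecked size computation is shown next to a checked one, and a second guard compares the size the count implies against the length the caller claims to be sending. The 32-bit arithmetic and the sample count are assumptions chosen to make the wrap visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-rule counter; stands in for the kernel's own type. */
struct counter {
    uint64_t packets;
    uint64_t bytes;
};

/* Before-style size computation: the multiply is done in a 32-bit word with
 * no overflow check, so a large count wraps to a small byte size and the
 * allocation that follows is far smaller than the copy-in that uses it. */
uint32_t counters_bytes_unchecked(uint32_t num_counters)
{
    return num_counters * (uint32_t)sizeof(struct counter);   /* may wrap */
}

/* Hardened version: refuse a zero count and any count whose byte size does
 * not fit, and only then compute the size. Returns 0 on success, -1 on a
 * rejected value (a kernel caller would return -EINVAL or -ENOMEM here). */
int counters_bytes_checked(uint32_t num_counters, size_t *out_bytes)
{
    if (num_counters == 0)
        return -1;
    if (num_counters > UINT32_MAX / sizeof(struct counter))
        return -1;                                   /* would overflow */
    *out_bytes = (size_t)num_counters * sizeof(struct counter);
    return 0;
}

/* Second guard worth keeping on any copy-in: the caller also states how many
 * bytes it is sending, and that must equal the size the count implies. */
int replace_request_ok(uint32_t num_counters, size_t user_len)
{
    size_t need;
    if (counters_bytes_checked(num_counters, &need) != 0)
        return 0;
    return user_len == need;
}

int main(void)
{
    size_t bytes = 0;
    uint32_t huge = 0x10000001u;   /* constructed count that wraps in 32 bits */
    printf("unchecked size for %u counters: %u bytes\n", huge, counters_bytes_unchecked(huge));
    printf("checked size for %u counters: %s\n", huge,
           counters_bytes_checked(huge, &bytes) == 0 ? "accepted" : "rejected");
    printf("checked size for 4 counters: %zu bytes\n",
           counters_bytes_checked(4, &bytes) == 0 ? bytes : (size_t)0);
    return 0;
}
```

In current kernels the multiply-then-allocate step is covered by helpers such as kcalloc() and array_size(), which return a failure value on overflow instead of a wrapped size; the explicit division check above is the portable form of the same test.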
Description:
Pavel Kankovsky has reported a weakness in the Linux kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.
The weakness is caused due to the "sockaddr_in.sin_zero" array not being zeroed before being returned to user space programs calling certain socket functions to retrieve information about the specified socket. This can be exploited to disclose six uninitialised bytes of the kernel stack via calls to the "getsockopt()" function with the "SO_ORIGINAL_DST" option, or via calls to the "getsockname()", "getpeername()", and "accept()" functions.
The weakness has been reported in the 2.4 and 2.6 kernel branches.
NOTE: The weakness in the "getsockname()", "getpeername()", and "accept()" functions affects only the 2.4 kernel.
Solution:
The weakness has been fixed in the 2.4 kernel branch in the CVS repositories.
Secunia is currently not aware of any official patches for the 2.6 kernel.
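The sin_zero weakness above is a padding-field leak: the kernel fills the fields it cares about and copies the whole struct out, so whatever was previously on the stack travels with it. The code below is an added illustration and not the kernel's own socket code: memory is pre-filled with constructed 0xAA bytes to stand in for stale stack contents, a leaky fill is shown next to one that clears the padding, and `nonzero_padding_bytes()` is the check a userspace program can apply to any `struct sockaddr_in` returned by getsockname(), getpeername() or accept(). The address and port values are constructed; the struct layout comes from the system headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Constructed filler bytes stand in for whatever the kernel stack held
 * before the address struct was placed there. */
static void pre_dirty(struct sockaddr_in *sin)
{
    memset(sin, 0xAA, sizeof *sin);
}

/* Before: only the fields the caller needs are set; sin_zero keeps whatever
 * was already in memory, and the whole struct is then copied to user space. */
static void fill_addr_leaky(struct sockaddr_in *sin, uint32_t addr_be, uint16_t port_be)
{
    sin->sin_family = AF_INET;
    sin->sin_port = port_be;
    sin->sin_addr.s_addr = addr_be;
}

/* After: the padding is cleared explicitly before the struct leaves the kernel. */
static void fill_addr_fixed(struct sockaddr_in *sin, uint32_t addr_be, uint16_t port_be)
{
    fill_addr_leaky(sin, addr_be, port_be);
    memset(sin->sin_zero, 0, sizeof sin->sin_zero);
}

/* Reusable check for any sockaddr_in obtained from the kernel: the number of
 * padding bytes that are not zero, i.e. bytes that should never carry data. */
size_t nonzero_padding_bytes(const struct sockaddr_in *sin)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof sin->sin_zero; i++)
        if (sin->sin_zero[i] != 0)
            n++;
    return n;
}

/* Runs the leaky (fixed == 0) or the fixed fill over pre-dirtied memory and
 * reports how many padding bytes would have reached user space. */
size_t leaked_padding_bytes(int fixed)
{
    struct sockaddr_in sin;
    pre_dirty(&sin);
    if (fixed)
        fill_addr_fixed(&sin, htonl(INADDR_LOOPBACK), htons(8080));
    else
        fill_addr_leaky(&sin, htonl(INADDR_LOOPBACK), htons(8080));
    return nonzero_padding_bytes(&sin);
}

int main(void)
{
    printf("padding bytes leaked, leaky fill: %zu of %zu\n",
           leaked_padding_bytes(0), sizeof(((struct sockaddr_in *)0)->sin_zero));
    printf("padding bytes leaked, fixed fill: %zu\n", leaked_padding_bytes(1));
    return 0;
}
```

The general rule this demonstrates: any struct that crosses the kernel/user boundary must be zeroed as a whole (or every byte, padding included, assigned) before copy-out, since compiler-inserted padding and explicit reserved fields are otherwise never written.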
Description:
Marco Ivaldi has reported a weakness in the Linux kernel, which can be exploited by malicious people to disclose certain system information and potentially to bypass certain security restrictions.
The weakness is caused due to an error within the "ip_push_pending_frames()" function when creating a packet in reply to a received SYN/ACK packet. This causes RST packets to be sent with an IP ID value that is incremented per packet. This can potentially be exploited to conduct idle scan attacks.
The weakness has been reported in the 2.4 and 2.6 kernel branches.
Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to an out-of-bounds memory error in the "fill_write_buffer()" function in sysfs/file.c when writing exactly PAGE_SIZE amount of data with no zeroes in it to a sysfs file.
Solution:
The vulnerability has been fixed in version 2.6.17-rc1.
UPDATE: Stable kernel 2.6.16.2 has just been released. It includes the patch for CVE-2006-1055, among other things. As usual, you can get your copy at: http://www.kernel.org/
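The sysfs entry above (fill_write_buffer() with exactly PAGE_SIZE bytes of input) is a terminator-past-the-end bug, and the one-byte overrun in kernel/sysctl.c listed earlier in this thread is plausibly the same class. The following is an added illustration, not the sysfs or sysctl code: a small constructed page (`DEMO_PAGE_SIZE`) is followed by one guard byte, a full page of non-zero input is written through a copy routine that terminates at `page[count]`, and the guard byte shows whether the terminator landed outside the page. The fixed variant reserves the last byte of the page for the terminator. The page size, the guard byte and the input are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Small constructed "page" so the demo stays readable; the kernel's PAGE_SIZE
 * is much larger but the arithmetic is identical. */
#define DEMO_PAGE_SIZE 64

/* Before: copy at most a page, then write the terminator at page[count].
 * With count == DEMO_PAGE_SIZE the terminator lands one byte past the page. */
static size_t fill_write_buffer_before(char *page, const char *user, size_t count)
{
    if (count > DEMO_PAGE_SIZE)
        count = DEMO_PAGE_SIZE;
    memcpy(page, user, count);
    page[count] = '\0';        /* off by one when count == DEMO_PAGE_SIZE */
    return count;
}

/* After: reserve the last byte of the page for the terminator. */
static size_t fill_write_buffer_after(char *page, const char *user, size_t count)
{
    if (count > DEMO_PAGE_SIZE - 1)
        count = DEMO_PAGE_SIZE - 1;
    memcpy(page, user, count);
    page[count] = '\0';
    return count;
}

/* Lays out a page followed by one guard byte, feeds a full page of non-zero
 * input (the trigger condition named in the advisory) through the before
 * (fixed == 0) or the after variant, and reports whether the guard byte was
 * overwritten. In the kernel that byte belongs to whatever follows the page. */
int guard_clobbered(int fixed)
{
    char buf[DEMO_PAGE_SIZE + 1];
    char input[DEMO_PAGE_SIZE];
    memset(input, 'x', sizeof input);           /* constructed: no zero bytes */
    memset(buf, 0, sizeof buf);
    buf[DEMO_PAGE_SIZE] = 'G';                  /* guard byte just past the page */
    if (fixed)
        fill_write_buffer_after(buf, input, sizeof input);
    else
        fill_write_buffer_before(buf, input, sizeof input);
    return buf[DEMO_PAGE_SIZE] != 'G';
}

/* Length of the string the fixed path leaves in the page: always < page size,
 * so the terminator is guaranteed to be inside the page. */
size_t fixed_result_len(void)
{
    char buf[DEMO_PAGE_SIZE];
    char input[DEMO_PAGE_SIZE];
    memset(input, 'x', sizeof input);
    fill_write_buffer_after(buf, input, sizeof input);
    return strlen(buf);
}

int main(void)
{
    printf("guard byte clobbered, before fix: %d\n", guard_clobbered(0));
    printf("guard byte clobbered, after fix:  %d\n", guard_clobbered(1));
    printf("string length kept by fixed path: %zu\n", fixed_result_len());
    return 0;
}
```

The reason the advisory says "with no zeroes in it": input that already contains a NUL is terminated early by the string consumers, so only an all-non-zero page makes the out-of-bounds terminator the only terminator and exposes the bug.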
Less than 12 hours after 2.6.16.3 was released, the -stable team patched the code with a one-liner, releasing 2.6.16.4. A Secunia advisory isn't out yet, but the commit in git states the patch addresses an issue with RCU signal handling, which is CVE-2006-1523.
UPDATE #2: 2.6.16.5 has been released.
One day after 2.6.16.4 was released, the -stable team patched the code once again, releasing 2.6.16.5. A Secunia advisory isn't out yet, but git shows that one patch addresses an issue with uncanonical return addresses on x86_64, which is CVE-2006-0744 .