Linux Kernel USBLCD Driver Out of Memory Denial of Service (Not Critical)
Quote:
Description:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The USBLCD driver does not limit the memory consumption during writes to the device. This can be exploited to cause an out-of-memory condition by writing a large amount of data to an affected device.
Successful exploitation requires write access to a device using the driver.
Solution:
The vulnerability is fixed in version 2.6.22-rc7.
Linux Kernel "decode_choices()" Denial of Service (Moderately Critical)
Quote:
Description:
Zhongling Wen has reported a vulnerability in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within the "decode_choice()" function in net/netfilter/nf_conntrack_h323_asn1.c when handling choices that are still encoded in the fixed-size bitfield. This can be exploited to cause an access to undefined types, resulting in a crash.
Solution:
Update to version 2.6.21.6, 2.6.20.15, or 2.6.22.
Linux Kernel Multiple Denial of Service Vulnerabilities (Moderately Critical)
The above advisory has been updated by Secunia.
Quote:
Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).
1) A vulnerability is caused due to an error within the "decode_choice()" function in net/netfilter/nf_conntrack_h323_asn1.c when handling choices that are still encoded in the fixed-size bitfield. This can be exploited to cause access to undefined types, resulting in a crash.
2) A vulnerability is caused due to the Kernel clearing the MSR bits after copying the state into the thread_struct. This can be exploited to cause corruption of the floating point state after returning from signal handlers, resulting in a DoS.
Successful exploitation requires a PowerPC based architecture.
Solution:
Vulnerability #1: Update to version 2.6.21.6, 2.6.20.15, or 2.6.22.
Vulnerability #2: Update to version 2.6.22.
When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference in
sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
Fix by not creating a new conntrack entry if the initial state is invalid.
Linux Kernel AACRAID Driver IOCTL Security Bypass (Less Critical)
Quote:
Description:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.
The security issue is caused due to the AACRAID driver not correctly checking the privileges for IOCTLs. This can be exploited to perform potentially dangerous operations by sending certain IOCTLs to the driver.
The security issue is reported in versions prior to 2.6.23-rc2. Other versions may also be affected.
The 965G and above chipsets moved the batch buffer non-secure bits to
another place. This means that previous drm's allowed in-secure batchbuffers
to be submitted to the hardware from non-privileged users who are logged
into X and have access to direct rendering.
Linux Kernel CIFS Signing Options Weakness (Not Critical)
Quote:
Description:
A weakness has been reported in the Linux Kernel, which potentially can be exploited by malicious people to bypass certain security restrictions.
The weakness is caused due to the Linux Kernel not correctly enforcing the defined signing options when mounting a CIFS file system. This may weaken the security and can be leveraged to perform further attacks.
Solution:
The weakness is fixed in version 2.6.23-rc1.
It includes several bugfixes, one of which addresses a security vulnerability.
Quote:
random: fix bound check ordering (CVE-2007-3105)
If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.
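To make the "bound check ordering" in the quoted changelog concrete, here is an added model (not kernel source, and not part of the thread) of how the transfer size was computed before and after the fix: TMP_BUF_BYTES stands in for the fixed stack buffer the pool transfer fills, and the threshold is given in bits as in the kernel sysctl.

```c
#include <stdio.h>

/* Hypothetical stand-in for the fixed stack buffer used during the
 * secondary-pool transfer; the real size is not given on the page. */
#define TMP_BUF_BYTES 128

static int imin(int a, int b) { return a < b ? a : b; }
static int imax(int a, int b) { return a > b ? a : b; }

/* Pre-fix ordering: only nbytes is clamped to the buffer size, and the
 * wakeup threshold (bits / 8 = bytes) is then allowed to raise the result
 * above the buffer again. A root-raised threshold therefore overflows. */
int xfer_bytes_vulnerable(int wakeup_thresh_bits, int nbytes)
{
    return imax(wakeup_thresh_bits / 8, imin(nbytes, TMP_BUF_BYTES));
}

/* Fixed ordering: pull at least as many bytes as the wakeup threshold asks
 * for, then clamp to the buffer, so the result never exceeds TMP_BUF_BYTES. */
int xfer_bytes_fixed(int wakeup_thresh_bits, int nbytes)
{
    int bytes = imax(wakeup_thresh_bits / 8, nbytes);
    return imin(bytes, TMP_BUF_BYTES);
}

/* 1 if writing 'bytes' RNG bytes into the buffer would run past its end. */
int would_overflow(int bytes)
{
    return bytes > TMP_BUF_BYTES;
}

int main(void)
{
    /* Constructed inputs: a threshold raised to 2048 bits (256 bytes),
     * larger than the 128-byte buffer, and an ordinary 16-byte request. */
    int thresh = 2048, nbytes = 16;
    int v = xfer_bytes_vulnerable(thresh, nbytes);
    int f = xfer_bytes_fixed(thresh, nbytes);
    printf("vulnerable ordering: %d bytes, overflow=%d\n", v, would_overflow(v));
    printf("fixed ordering:      %d bytes, overflow=%d\n", f, would_overflow(f));
    return 0;
}
```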
It solely consists of a patch for a security vulnerability:
Quote:
Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)
This fixes a vulnerability in the "parent process death signal"
implementation discovered by Wojciech Purczynski of COSEINC PTE Ltd.
and iSEC Security Research.
Linux Kernel ptrace Single Step "CS" Null Pointer Dereference (Not Critical)
Quote:
Description:
Evan Teran has reported a security issue in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in ptrace when single-stepping a debugged child process with invalid values in the "CS" register, which can be exploited to cause a kernel oops.
Linux Kernel "ieee80211_rx()" Denial of Service Vulnerability (Less Critical)
Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an off-by-two error within the function "ieee80211_rx()" in net/ieee80211/ieee80211_rx.c. This can be exploited to cause a kernel panic by sending a specially crafted ieee80211 frame with the IEEE80211_STYPE_QOS_DATA flag set to an affected system.
The vulnerability is reported in versions prior to 2.6.23.
Linux Kernel CIFS "SendReceive()" Buffer Overflow (Less Critical)
Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
The vulnerability is caused due to the "SendReceive()" function in fs/cifs/transport.c assuming wrong buffer sizes. This can be exploited to cause a buffer overflow by sending specially crafted responses to a vulnerable system.
Successful exploitation may require that a malicious server is used to mount a CIFS share.
The vulnerability is reported in version 2.6.23. Other versions may also be affected.
It consists of fixes for two security vulnerabilities:
Quote:
wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
patch a3474224e6a01924be40a8255636ea5522c1023a in mainline
The original meaning of the old test (p->state > TASK_STOPPED) was
"not dead", since it was before TASK_TRACED existed and before the
state/exit_state split. It was a wrong correction in commit
14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
TASK_TRACED instead. It should have been changed when TASK_TRACED
was introduced and again when exit_state was introduced.
Quote:
TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline.
NULL ptr can be returned from tcp_write_queue_head to cached_skb
and then assigned to skb if packets_out was zero. Without this, the
system is vulnerable to carefully crafted ACKs, which obviously
is remotely triggerable.
Besides, there's very little that needs to be done in sacktag
if there weren't any packets outstanding, just skipping the rest
doesn't hurt.