Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading
Less critical

Linux Kernel Netfilter Weakness and Four Vulnerabilities

-

Release Date:  2006-03-22    Last Update:  2006-05-04    Views:  19,429

Secunia Advisory SA19330

Where:

Local system

Impact:

Unknown, Security Bypass, DoS

Solution Status:

Vendor Patch

Operating System:

CVE Reference(s):

Description


A weakness and four vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service), bypass certain security restrictions, or with unknown impacts.

1) An integer overflow error exists within the "do_replace()" function in Netfilter. This can be exploited to cause a buffer overflow and allows the overwrite of arbitrary amounts of kernel memory when data is copied from user space.

Successful exploitation requires that the user is granted CAP_NET_ADMIN rights e.g. on systems that uses certain virtualisation solutions such as OpenVZ.

2) Insufficient memory allocation in "drivers/usb/gadget/rndis.c" when handling NDIS response to OID_GEN_SUPPORTED_LIST may cause kernel memory corruption.

3) An error in the get_compat_timespec() and compat_sys_clock_settime() functions when handling sign extended arguments can be exploited to cause the system to stop responding via a "date -s" command.

The vulnerability affects only the SPARC platform.

4) An error exists within the handling of singlestep ptrace when a task get preempted out of "do_debug()" processing while it is running on the DEBUG_STACK stack. This can be exploited to crash the system by having multiple tasks doing ptrace singlesteps at around the same time.

Successful exploitation requires that preemption is enabled in the kernel.

The vulnerability affects only the x86_64 platform.

5) An error exists within the SELinux ptrace handling code when setting the tracer SID of a process that is being ptraced. This causes incorrect ptrace revalidation at execve time and can potentially be exploited to bypass certain security restrictions.

The vulnerability was reportedly introduced in version 2.6.6.


Solution:
Update to version 2.6.16.

Further details available to Secunia VIM customers

Provided and/or discovered by:
1) Solar Designer
2) Shaun Tancheff
3) Ludovic Courtes
4) John Blackwood
5) Stephen Smalley

Original Advisory:
http://marc.theaimsgroup.com/?l=linux-sparc&m=113861010514065&w=2
http://marc.theaimsgroup.com/?l=linux-kernel&m=113932292516359&w=2
http://marc.theaimsgroup.com/?l=selinux&m=114226465106131&w=2

Kernel.org:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee4bb818ae35f68d1f848eae0a7b150a38eb4168
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8763716bfe4d8a16bef28c9947cf9d799b1796a5
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cddfc12e2513a4229bad0d05fde2d40a75c3e197
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a65d17c9d27a85782cfe1bbc36c747ffa1f81814

Deep Links:
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Linux Kernel Netfilter Weakness and Four Vulnerabilities

No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability