[Full-Disclosure] [ GLSA 200407-16 ] Linux Kernel: Multiple DoS and permission vulnerabilities

From: Tim Yamin (plasmaroo_at_gentoo.org)
Date: 07/22/04

  • Next message: Brian Toovey: "[Full-Disclosure] dha script"
    To: gentoo-announce@gentoo.org, bugtraq@securityfocus.com
    Date: Thu, 22 Jul 2004 13:03:43 +0100
    
    
    

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200407-16
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                 http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

       Severity: High
          Title: Linux Kernel: Multiple DoS and permission vulnerabilities
           Date: July 22, 2004
           Bugs: #56171, #56479
             ID: 200407-16

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Multiple permission vulnerabilities have been found in the Linux
    kernel, allowing an attacker to change the group IDs of files mounted
    on a remote filesystem (CAN-2004-0497), as well as an issue in 2.6
    series kernels which allows /proc permissions to be bypassed.

    A context sharing vulnerability in vserver-sources is also handled by
    this advisory as well as CAN-2004-0447, CAN-2004-0496 and
    CAN-2004-0565. Patched, or updated versions of these kernels have been
    released and details are included along with this advisory.

    Background
    ==========

    The Linux kernel is responsible for managing the core aspects of a
    GNU/Linux system, providing an interface for core system applications
    as well as providing the essential structure and capability to access
    hardware that is needed for a running system.

    Affected packages
    =================

         -------------------------------------------------------------------
          Kernel / Unaffected / Remerge
         -------------------------------------------------------------------
       1 aa-sources ................. *>= 2.4.23-r2 .................. YES
          ............................. >= 2.6.5-r5 ................... YES
       2 alpha-sources .............. >= 2.4.21-r9 .......................
       3 ck-sources ................. *>= 2.4.26-r1 .................. YES
          ............................. >= 2.6.7-r5 ................... YES
       4 compaq-sources ........... >= 2.4.9.32.7-r8 .....................
       5 development-sources ........ >= 2.6.8_rc1 .......................
       6 gentoo-dev-sources .......... >= 2.6.7-r8 .......................
       7 gentoo-sources ............ *>= 2.4.19-r18 ......................
          ........................... *>= 2.4.20-r21 ......................
          ........................... *>= 2.4.22-r13 ......................
          ............................ *>= 2.4.25-r6 ......................
          ............................ >= 2.4.26-r5 .......................
       8 grsec-sources ............ >= 2.4.26.2.0-r6 .....................
       9 gs-sources ............... >= 2.4.25_pre7-r8 ....................
      10 hardened-dev-sources ........ >= 2.6.7-r2 .......................
      11 hardened-sources ........... >= 2.4.26-r3 .......................
      12 hppa-dev-sources .......... >= 2.6.7_p1-r2 ......................
      13 hppa-sources .............. >= 2.4.26_p6-r1 .....................
      14 ia64-sources ............... >= 2.4.24-r7 .......................
      15 mm-sources .................. >= 2.6.7-r6 .......................
      16 openmosix-sources .......... >= 2.4.22-r11 ......................
      17 pac-sources ................ >= 2.4.23-r9 .......................
      18 planet-ccrma-sources ....... >= 2.4.21-r11 ......................
      19 pegasos-dev-sources ......... >= 2.6.7-r2 .......................
      20 pegasos-sources ............ >= 2.4.26-r3 .......................
      21 ppc-sources ................ >= 2.4.26-r3 .......................
      22 rsbac-sources .............. >= 2.4.26-r3 .......................
      23 rsbac-dev-sources ........... >= 2.6.7-r2 .......................
      24 selinux-sources ............ >= 2.4.26-r2 ................... YES
      25 sparc-sources .............. >= 2.4.26-r3 .......................
      26 uclinux-sources .......... *>= 2.4.26_p0-r3 .....................
          ........................... >= 2.6.7_p0-r2 ......................
      27 usermode-sources ........... *>= 2.4.24-r6 ......................
          ............................ *>= 2.4.26-r3 ......................
          ............................. >= 2.6.6-r4 .......................
      28 vserver-sources .......... >= 2.4.26.1.28-r1 ....................
      29 win4lin-sources ............ *>= 2.4.26-r3 ......................
          ............................. >= 2.6.7-r2 .......................
      30 wolk-sources ................ *>= 4.9-r10 .......................
          ............................. *>= 4.11-r7 .......................
          ............................. >= 4.14-r4 ........................
      31 xbox-sources ............... *>= 2.4.26-r3 ......................
          ............................. >= 2.6.7-r2 .......................
      32 mips-sources ................ Vulnerable! .......................
      33 vanilla-sources ............. Vulnerable! .......................
         -------------------------------------------------------------------
          NOTE: Some kernels are still vulnerable. Users should migrate to
                another kernel if one is available or seek another
                solution such as patching their existing kernel.
         -------------------------------------------------------------------
          NOTE: Packages marked with "Remerge" as "YES" require a re-merge
                even though Portage does not indicate a newer version!
         -------------------------------------------------------------------
          33 affected packages on all of their supported architectures.
         -------------------------------------------------------------------

    Description
    ===========

    The Linux kernel allows a local attacker to mount a remote file system
    on a vulnerable Linux host and modify files' group IDs. On 2.4 series
    kernels this vulnerability only affects shared NFS file systems. This
    vulnerability has been assigned CAN-2004-0497 by the Common
    Vulnerabilities and Exposures project.

    Also, a flaw in the handling of /proc attributes has been found in 2.6
    series kernels; allowing the unauthorized modification of /proc
    entries, especially those which rely solely on file permissions for
    security to vital kernel parameters.

    An issue specific to the VServer Linux sources has been found, by which
    /proc related changes in one virtual context are applied to other
    contexts as well, including the host system.

    CAN-2004-0447 resolves a local DoS vulnerability on IA64 platforms
    which can cause unknown behavior and CAN-2004-0565 resolves a floating
    point information leak on IA64 platforms by which registers of other
    processes can be read by a local user.

    Finally, CAN-2004-0496 addresses some more unknown vulnerabilities in
    2.6 series Linux kernels older than 2.6.7 which were found by the
    Sparse source code checking tool.

    Impact
    ======

    Bad Group IDs can possibly cause a Denial of Service on parts of a host
    if the changed files normally require a special GID to properly
    operate. By exploiting this vulnerability, users in the original file
    group would also be blocked from accessing the changed files.

    The /proc attribute vulnerability allows local users with previously no
    permissions to certain /proc entries to exploit the vulnerability and
    then gain read, write and execute access to entries.

    These new privileges can be used to cause unknown behaviour ranging
    from reduced system performance to a Denial of Service by manipulating
    various kernel options which are usually reserved for the superuser.
    This flaw might also be used for opening restrictions set through /proc
    entries, allowing further attacks to take place through another
    possibly unexpected attack vector.

    The VServer issue can also be used to induce similar unexpected
    behaviour to other VServer contexts, including the host. By successful
    exploitation, a Denial of Service for other contexts can be caused
    allowing only root to read certain /proc entries. Such a change would
    also be replicated to other contexts, forbidding normal users on those
    contexts to read /proc entries which could contain details needed by
    daemons running as a non-root user, for example.

    Additionally, this vulnerability allows an attacker to read information
    from another context, possibly hosting a different server, gaining
    critical information such as what processes are running. This may be
    used for furthering the exploitation of either context.

    CAN-2004-0447 and CAN-2004-0496 permit various local unknown Denial of
    Service vulnerabilities with unknown impacts - these vulnerabilities
    can be used to possibly elevate privileges or access reserved kernel
    memory which can be used for further exploitation of the system.

    CAN-2004-0565 allows FPU register values of other processes to be read
    by a local user setting the MFH bit during a floating point operation -
    since no check was in place to ensure that the FPH bit was owned by the
    requesting process, but only an MFH bit check, an attacker can simply
    set the MFH bit and access FPU registers of processes running as other
    users, possibly those running as root.

    Workaround
    ==========

    2.4 users may not be affected by CAN-2004-0497 if they do not use
    remote network filesystems and do not have support for any such
    filesystems in their kernel configuration. All 2.6 users are affected by
    the /proc attribute issue and the only known workaround is to disable
    /proc support.

    The VServer flaw applies only to vserver-sources, and no workaround is
    currently known for the issue. There is no known fix to CAN-2004-0447,
    CAN-2004-0496 or CAN-2004-0565 other than to upgrade the kernel to a
    patched version.

    As a result, all users affected by any of these vulnerabilities should
    upgrade their kernels to ensure the integrity of their systems.

    Resolution
    ==========

    Users are encouraged to upgrade to the latest available sources for
    their system:

         # emerge sync

         # emerge -pv your-favorite-sources
         # emerge your-favorite-sources

         # # Follow usual procedure for compiling and installing a kernel.
         # # If you use genkernel, run genkernel as you would do normally.

    References
    ==========

       [ 1 ] CAN-2004-0447
             http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0447
       [ 2 ] CAN-2004-0496
             http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0496
       [ 3 ] CAN-2004-0497
             http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497
       [ 4 ] CAN-2004-0565
             http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0565
       [ 5 ] VServer /proc Context Vulnerability
             http://www.securityfocus.com/archive/1/367977

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

         http://security.gentoo.org/glsa/glsa-200407-16.xml

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    http://bugs.gentoo.org.

    License
    =======

    Copyright 2004 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/1.0

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html



  • Next message: Brian Toovey: "[Full-Disclosure] dha script"

    Relevant Pages