
Security

Linux kernel security

There has been a surprising series of kernel security problems reported over the last week. These include:

  • The uselib() vulnerability disclosed by Paul Starzetz. A locking mistake in an old and mostly unused system call creates a race condition which can be exploited to change protections on memory - and compromise the system. The exploit has not been released, but Mr. Starzetz claims that the race is relatively easy to exploit by first consuming large amounts of memory to force the kernel to sleep in the right spot.

  • Paul Starzetz also discovered a race condition in the page fault handler which can only be exploited on SMP systems. If two threads tried to expand the same downward-growing memory segment at the same time, the result could be an exploitable corruption of the page tables.

  • The grsecurity team, frustrated at a seeming lack of interest in security problems among the kernel developers, disclosed five vulnerabilities at once. One of these is a denial-of-service problem where users could lock more than the authorized amount of memory into physical RAM; as it turns out, the kernel developers still are not overly concerned about that problem. The other vulnerabilities require root access (or at least access to physical devices) to exploit; one of them is in a driver which does not compile in 2.6.

Fixes for the first two vulnerabilities have been merged into the pre-2.6.11 BitKeeper repository; the last set will be fixed as well, but with less urgency. Fixes can also be found in the -ac tree and in the updated kernels being issued by distributors.

One concern that has been raised by these disclosures is that the new kernel development model, by encouraging such large changes between releases, is allowing the creation of more security problems. While that worry could yet prove to be justified, all of the vulnerabilities listed above, with the exception of the RLIMIT_MEMLOCK denial of service problem, are present in the 2.4 kernel as well. They were not introduced or enabled by the new development model.

Another concern is more valid, however: the kernel development project does not have an official security contact or process for handling security problems. Developers who know how the kernel process works have no trouble getting consideration for security-related problems and patches, but the whole process looks far more opaque to the rest of the world. There is a clear need for an easily-found contact for kernel security issues. Chris Wright, who has done a fair amount of security-related kernel work, is pushing for improvements in this area, and, most importantly, has volunteered to do much of the work. So chances are this problem will not last much longer.


New vulnerabilities

bmv: insecure temporary file

Package(s): bmv  CVE #(s): CAN-2003-0014
Created: January 11, 2005  Updated: January 12, 2005
Description: Peter Samuelson, upstream maintainer of bmv, a PostScript viewer for SVGAlib, discovered that temporary files are created in an insecure fashion. A malicious local user could cause arbitrary files to be overwritten by a symlink attack.
Alerts:
Debian DSA-633-1 bmv 2005-01-11


dillo: format string vulnerability

Package(s): dillo  CVE #(s): CAN-2005-0012
Created: January 10, 2005  Updated: January 12, 2005
Description: Gentoo Linux developer Tavis Ormandy found a format string bug in Dillo's handling of messages in a_Interface_msg(). An attacker could craft a malicious web page which, when accessed using Dillo, would trigger the format string vulnerability and potentially execute arbitrary code with the rights of the user running Dillo.
Alerts:
Gentoo 200501-11 dillo 2005-01-09


exim: buffer overflows

Package(s): exim  CVE #(s): CAN-2005-0021 CAN-2005-0022
Created: January 7, 2005  Updated: February 15, 2005
Description: A buffer overflow in the host_aton() function in Exim 4.4x may allow execution of arbitrary commands with elevated privileges by a local user. This has been patched in Exim 4.43.

Additionally, there is another buffer overflow in Exim's auth_spa_server() which is also fixed in Exim 4.43.

Alerts:
Red Hat RHSA-2005:025-01 exim 2005-02-15
Gentoo 200501-23 exim 2005-01-12
Debian DSA-637-1 exim-tls 2005-01-13
Debian DSA-635-1 exim 2005-01-12
Ubuntu USN-56-1 exim4 2005-01-07
Fedora FEDORA-2005-001 exim 2005-01-06


hylafax: weak hostname and username validation

Package(s): hylafax  CVE #(s): CAN-2004-1182
Created: January 11, 2005  Updated: January 13, 2005
Description: Patrice Fournier discovered a vulnerability in the authorization subsystem of hylafax, a flexible client/server fax system. A local or remote user guessing the contents of the hosts.hfaxd database could gain unauthorized access to the fax system. Fixed in HylaFAX 4.2.1.
Alerts:
Mandrake MDKSA-2005:006 hylafax 2005-01-12
Debian DSA-634-1 hylafax 2005-01-11
Gentoo 200501-21 hylafax 2005-01-11


kdelibs: unsanitized input

Package(s): kdelibs  CVE #(s): CAN-2004-1165
Created: January 10, 2005  Updated: July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, that allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL containing a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 kdelibs kdebase 2005-07-15
Mandrake MDKSA-2005:045 kdelibs 2005-02-17
Red Hat RHSA-2005:065-01 kdelibs 2005-02-15
Red Hat RHSA-2005:009-01 kdelibs 2005-02-10
Fedora FEDORA-2005-064 kdelibs 2005-01-25
Fedora FEDORA-2005-063 kdelibs 2005-01-25
Gentoo 200501-18 ftp kioslave 2005-01-11
Debian DSA-631-1 kdelibs 2005-01-10
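
The kdelibs entry above describes an FTP command smuggled in through a URL-encoded newline: once the path component is percent-decoded and formatted into a control-connection line such as "CWD <dir>\r\n", a decoded LF ends that command early and whatever follows is read as a new one. The following added example (my own code, not kdelibs' or any kioslave's; the function names and the 256-byte path limit are assumptions) shows the check a URL-to-FTP client needs at that boundary: decode the component, then reject it if it would carry CR, LF or NUL onto the control connection, before building the command.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Value of one hex digit, or -1 if c is not a hex digit (including '\0'). */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode one URL path component into out (capacity outcap).
 * Returns the decoded length, or -1 if the escape syntax is malformed,
 * the result would not fit, or the decoded text contains CR, LF or NUL,
 * any of which would terminate or corrupt an FTP command line.
 * Example code, not kdelibs' own URL handling. */
int decode_ftp_path_component(const char *enc, char *out, size_t outcap) {
    size_t n = 0;
    for (size_t i = 0; enc[i] != '\0'; i++) {
        int c = (unsigned char)enc[i];
        if (c == '%') {
            int hi = hexval((unsigned char)enc[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)enc[i + 2]);
            if (lo < 0) return -1;               /* truncated or non-hex escape */
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\r' || c == '\n' || c == '\0')
            return -1;                           /* would inject a command line */
        if (n + 1 >= outcap) return -1;          /* keep room for the terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build "CWD <dir>\r\n" from an encoded directory component.
 * Returns 0 on success, -1 if the component is rejected or does not fit. */
int build_cwd_command(const char *enc_dir, char *cmd, size_t cmdcap) {
    char dir[256];                               /* assumed path length limit */
    if (decode_ftp_path_component(enc_dir, dir, sizeof dir) < 0) return -1;
    int w = snprintf(cmd, cmdcap, "CWD %s\r\n", dir);
    if (w < 0 || (size_t)w >= cmdcap) return -1;
    return 0;
}

int main(void) {
    /* Constructed sample components: a normal one and one carrying %0A
     * followed by a harmless NOOP, which must be refused. */
    const char *samples[] = { "pub%2Fincoming", "pub%0ANOOP", "bad%2" };
    char cmd[64];
    for (size_t i = 0; i < 3; i++) {
        if (build_cwd_command(samples[i], cmd, sizeof cmd) == 0)
            printf("%-16s -> accepted: %s", samples[i], cmd);
        else
            printf("%-16s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The rejection happens on the decoded bytes, not on the literal "%0A" text, so double encodings or mixed-case escapes are caught the same way; the check belongs wherever decoded user input meets a line-oriented protocol, which is the general form of the defect this entry records.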


kernel: race condition, privilege escalation

Package(s): kernel  CVE #(s): CAN-2004-1235 CAN-2004-1337
Created: January 10, 2005  Updated: January 19, 2005
Description: Paul Starzetz discovered a race condition in the ELF library and a.out binary format loaders, which can be locally exploited in several different ways to gain root privileges. (CAN-2004-1235)

Liang Bin found a design flaw in the capability module. After this module was loaded on demand in a running system, all unprivileged user space processes got all kernel capabilities (thus essentially root privileges). (CAN-2004-1337)

Alerts:
Red Hat RHSA-2005:043-01 kernel 2005-01-18
Trustix TSLSA-2005-0001 fcron, 2005-01-13
Fedora FEDORA-2005-013 kernel 2005-01-10
Fedora FEDORA-2005-014 kernel 2005-01-10
Ubuntu USN-57-1 linux-source-2.6.8.1 2005-01-09


Konqueror: Java sandbox vulnerabilities

Package(s): konqueror  CVE #(s): CAN-2004-1145
Created: January 11, 2005  Updated: January 12, 2005
Description: According to the KDE Security Advisory, two flaws in the Konqueror web browser make it possible to bypass the sandbox environment which is used to run Java applets. All versions of KDE up to KDE 3.3.1 inclusive are affected. KDE 3.3.2 is not affected.
Alerts:
Gentoo 200501-16 konqueror 2005-01-11


lintian: insecure temporary directory

Package(s): lintian  CVE #(s): CAN-2004-1000
Created: January 10, 2005  Updated: January 12, 2005
Description: Jeroen van Wolffelaar discovered a problem in lintian, the Debian package checker. The program removes the working directory even if it wasn't created at program start, removing an unrelated file or directory a malicious user inserted via a symlink attack.
Alerts:
Debian DSA-630-1 lintian 2005-01-10


mailman: cross-site scripting

Package(s): mailman  CVE #(s): CAN-2004-1177
Created: January 10, 2005  Updated: March 22, 2005
Description: Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft a URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page.
Alerts:
Fedora FEDORA-2005-242 mailman 2005-03-22
Fedora FEDORA-2005-241 mailman 2005-03-22
Red Hat RHSA-2005:235-01 mailman 2005-03-21
Debian DSA-674-1 mailman 2005-02-10
Mandrake MDKSA-2005:015 mailman 2005-01-24
Gentoo 200501-29 mailman 2005-01-22
Ubuntu USN-59-1 mailman 2005-01-10


namazu2: cross-site scripting vulnerability

Package(s): namazu2  CVE #(s): CAN-2004-1318
Created: January 6, 2005  Updated: January 12, 2005
Description: The namazu2 full text search engine has a cross-site scripting vulnerability that may allow an attacker to display arbitrarily crafted text by the use of specially crafted input information.
Alerts:
Debian DSA-627-1 namazu2 2005-01-06


nfs-utils: arbitrary code execution

Package(s): nfs-utils  CVE #(s): CAN-2004-0946
Created: January 11, 2005  Updated: February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit architectures: an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 nfs-utils 2006-02-25
Red Hat RHSA-2005:014-01 nfs-utils 2005-01-12
Mandrake MDKSA-2005:005 nfs-utils 2005-01-11


o3read: buffer overflow during file conversion

Package(s): o3read  CVE #(s): CAN-2004-1288
Created: January 11, 2005  Updated: January 12, 2005
Description: Wiktor Kopec discovered that the parse_html function in o3read.c copies any number of bytes into a 1024-byte array.
Alerts:
Gentoo 200501-20 o3read 2005-01-11


phpgroupware: information disclosure vulnerability

Package(s): phpgroupware  CVE #(s):
Created: January 6, 2005  Updated: January 12, 2005
Description: phpgroupware has multiple vulnerabilities that may be exploited for the purpose of information disclosure or a remote compromise.
Alerts:
Gentoo 200501-08 phpgroupware 2005-01-06


poppassd_pam: unauthorized password changing

Package(s): poppassd_pam  CVE #(s): CAN-2005-0002
Created: January 11, 2005  Updated: January 12, 2005
Description: Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did not check that the old password was valid before changing passwords. Subsequent investigation revealed that poppassd_pam did not call pam_authenticate before calling pam_chauthtok.
Alerts:
Gentoo 200501-22 poppassd_ceti 2005-01-11


TikiWiki: arbitrary command execution

Package(s): TikiWiki  CVE #(s):
Created: January 10, 2005  Updated: January 31, 2005
Description: TikiWiki lacks a check on uploaded images in the Wiki edit page. A malicious user could run arbitrary commands on the server by uploading and calling a PHP script.
Alerts:
Gentoo 200501-41 tikiwiki 2005-01-30
Gentoo 200501-12 tikiwiki 2005-01-10


UnRTF: Buffer overflow

Package(s): unrtf  CVE #(s):
Created: January 11, 2005  Updated: January 12, 2005
Description: An unchecked strcat() in unrtf may overflow the bounds of a static buffer. Using a specially crafted file, possibly delivered by e-mail or over the web, an attacker may execute arbitrary code with the permissions of the user running UnRTF.
Alerts:
Gentoo 200501-15 unrtf 2005-01-10
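
The UnRTF entry above (an unchecked strcat() into a static buffer) and the o3read entry earlier on this page (any number of bytes copied into a 1024-byte array) record the same shape of defect, so one added example serves both. The code below is my own illustration, not unrtf's or o3read's source; the 1024-byte capacity is taken from the o3read description and the type and function names are assumptions. It places the unchecked pattern beside a hardened append that tracks its own length and refuses, rather than truncates or overruns, a fragment that does not fit, so a converter fed an oversized input stops cleanly instead of corrupting memory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define OUTBUF_SIZE 1024   /* the array size the o3read advisory describes */

/* Vulnerable pattern, the shape both advisories describe: strcat() into a
 * fixed-size array with no comparison against its capacity. Shown only for
 * contrast; nothing below calls it. */
static char unchecked_buf[OUTBUF_SIZE];
void append_unchecked(const char *src) {
    strcat(unchecked_buf, src);     /* overruns once the input exceeds 1023 bytes */
}

/* Hardened form: the buffer carries its capacity and current length, and
 * every append is checked against the remaining room (terminator included). */
typedef struct {
    char data[OUTBUF_SIZE];
    size_t len;
} outbuf;

void outbuf_init(outbuf *b) {
    b->data[0] = '\0';
    b->len = 0;
}

/* Append src; returns 0 on success, -1 if it would not fit, in which case the
 * buffer is left exactly as it was (still NUL-terminated). */
int outbuf_append(outbuf *b, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof b->data - b->len) return -1;   /* would overflow or lose the NUL */
    memcpy(b->data + b->len, src, n + 1);
    b->len += n;
    return 0;
}

/* Feed fragments in order, as a converter emitting text piece by piece would;
 * returns how many were accepted before the first rejection. */
size_t outbuf_append_all(outbuf *b, const char *const *frags, size_t count) {
    size_t accepted = 0;
    for (size_t i = 0; i < count; i++) {
        if (outbuf_append(b, frags[i]) != 0) break;
        accepted++;
    }
    return accepted;
}

int main(void) {
    /* Constructed input: two ordinary fragments, then one far larger than
     * the buffer, standing in for a crafted document. */
    char big[2048];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    const char *frags[] = { "Hello, ", "world", big };

    outbuf b;
    outbuf_init(&b);
    size_t ok = outbuf_append_all(&b, frags, 3);
    printf("accepted %zu of 3 fragments; buffer holds %zu bytes: \"%s\"\n",
           ok, b.len, b.data);
    return 0;
}
```

Rejecting rather than silently truncating is a deliberate choice: a converter that truncates can still produce output whose structure no longer matches the input, so the caller is given the failure and decides whether to abort or flush and continue.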


vilistextum: buffer overflow vulnerability

Package(s): vilistextum  CVE #(s): CAN-2004-1299
Created: January 6, 2005  Updated: January 12, 2005
Description: Vilistextum has a buffer overflow vulnerability that allows an attacker to execute arbitrary code via a maliciously created web page.
Alerts:
Gentoo 200501-10 vilistextum 2005-01-06


Resources

Metasploit Framework v2.3 released

Version v2.3 of the Metasploit Framework is out. "The 2.3 release includes three user interfaces, 46 exploits and 68 payloads."


Page editor: Jonathan Corbet


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds