Kernel Vulns
I would like to ask anyone who sees kernel vulnerabilities posted to add them to this thread. This way we can make sure they're published centrally. Please add a good, short title or CVE ID and the date it was published. If you post a summary, keep it concise and please link to the original publication.

Please note this thread serves as a listing and not for *discussing* those vulnerabilities: please create a separate thread. Thanks.

CVE entries for linux+kernel.

FYI from win32sux to all: I am now unable to post vulnerabilities regarding the 2.4 branch, as well as prior 2.6 branches. In other words, I am only posting vulnerabilities which affect the latest stable 2.6 branch. Also, please keep in mind that I only announce new kernel releases when they include patches to known security vulnerabilities.
2006-01-04 CVE-2005-3358 (mempolicy, sysctl, fib_lookup, TwinHan DST driver)
Advisory ID : FrSIRT/ADV-2006-0035
CVE ID : CVE-2005-3358
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-01-04

Technical Description
Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by malicious users to cause a denial of service and potentially obtain elevated privileges.
- The first issue is due to an error in "mm/mempolicy.c" when handling policy system calls, which could be exploited by local attackers to cause a denial of service via a "set_mempolicy" call with a 0 bitmask.
- The second flaw is due to a one-byte buffer overrun error in "kernel/sysctl.c" when processing an overly long user-supplied string, which could be exploited by local attackers to potentially execute arbitrary commands.
- The third vulnerability is due to an error in "net/ipv4/fib_frontend.c" when processing malformed "fib_lookup" netlink messages, which could cause illegal memory references.
- The fourth issue is due to a buffer overflow error in the CA-driver for TwinHan DST Frontend/Card [drivers/media/dvb/bt8xx/dst_ca.c], which could be exploited by malicious users to cause a denial of service or potentially execute arbitrary commands.

Affected Products
Linux Kernel version 2.6.x

Solution
Upgrade to Linux Kernel version 2.6.15

See full advisory: FrSIRT/ADV-2006-0035.
2006-01-16 CVE-2006-0035/0036/0037 (netlink_rcv_skb, PPTP NAT helper)
Advisory ID : FrSIRT/ADV-2006-0220
CVE ID : CVE-2006-0035 - CVE-2006-0036 - CVE-2006-0037
Rated as : Moderate Risk
CVSS Severity: 3.5 (Low), 3.3 (Low), 2.3 (Low)
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-16

Technical Description
Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by remote or local attackers to cause a denial of service.
- The first issue is due to an infinite loop in the "netlink_rcv_skb" [af_netlink.c] function when handling a specially crafted "nlmsg_len" value, which could be exploited by local attackers to cause a denial of service.
- The second flaw is due to an error in the PPTP NAT helper that does not properly calculate the offset when handling an inbound "PPTP_IN_CALL_REQUEST" packet, which could be exploited by attackers to crash a vulnerable system.
- The third vulnerability is due to an error in the PPTP NAT helper that does not properly calculate the offset based on the difference between two pointers to the header, which could be exploited by attackers to cause a kernel crash.

Affected Products
Linux Kernel version 2.6.15 and prior

Solution
Upgrade to Linux Kernel 2.6.15.1 : http://www.kernel.org/

Credits
Vulnerabilities reported by Martin Murray and the vendor

See full advisory
2006-01-17 CVE-2006-0095 (dm-crypt)
Advisory ID : FrSIRT/ADV-2006-0235
CVE ID : CVE-2006-0095
Rated as : Low Risk
CVSS Severity: 1.6 (Low)
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-01-17

Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to gain knowledge of sensitive information. This flaw is due to an error in the "dm-crypt" [drivers/md/dm-crypt.c] driver that fails to properly clear memory before freeing it, which could be exploited by malicious users to disclose sensitive information about cryptographic keys.

Affected Products
Linux Kernel version 2.6.15.1 and prior

Solution
Upgrade to Linux Kernel version 2.6.15.2 : http://www.kernel.org

Credits
Vulnerability reported by Stefan Rompf

See full advisory
2006-02-02 CVE-2006-0482 (compat_sys_clock_settime for SPARC)
Advisory ID : FrSIRT/ADV-2006-0418
CVE ID : CVE-2006-0482
Rated as : Low Risk
CVSS Severity: 1.6 (Low)
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-02-02

Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by malicious users to cause a denial of service. This flaw is due to an error in the "compat_sys_clock_settime()" [arch/sparc64/kernel/sys32.S] function that provides invalid sign extended arguments to the "get_compat_timespec()" function call when processing a "date -s" command on SPARC architectures, which could be exploited by local attackers to panic the system, creating a denial of service condition.

Affected Products
Linux Kernel version 2.6.15.1 and prior

Solution
The FrSIRT is not aware of any official supplied patch for this issue.

Credits
Vulnerability reported by Ludovic Courtès

See full advisory: FrSIRT/ADV-2006-0418
2006-02-08 CVE-2006-0454 (icmp response remote DoS)
Advisory ID : FrSIRT/ADV-2006-0464
CVE ID : CVE-2006-0454
Rated as : Moderate Risk
CVSS Severity: 2.3 (Low)
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-08

Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by remote attackers to cause a denial of service. This flaw is due to an error in the "ip_options_echo()" [net/ipv4/icmp.c] function when constructing an ICMP response, which could be exploited by remote attackers to cause a denial of service by sending specially crafted ICMP packets containing record-route or timestamp IP options to a vulnerable system.

Affected Products
Linux Kernel versions 2.6.12 through 2.6.15.2

Solution
Upgrade to Linux Kernel 2.6.15.3 : http://www.kernel.org/

Credits
Vulnerability reported by the vendor

See full advisory
2006-02-21 CAN-2005-1767 (Stack Fault Exceptions Unspecified DoS)
HTTP link: http://www.securityfocus.com/bid/14467
Bugtraq ID: 14467
CVE ID : CAN-2005-1767
Remotely: No
Local: Yes
Release Date : 2006-02-21

Description
Linux kernel is reported prone to an unspecified local denial of service vulnerability. It was reported that this issue arises when a local user triggers stack fault exceptions. A local attacker may exploit this issue to carry out a denial of service attack against a vulnerable computer by crashing the kernel.

Affected Products
Linux Kernel versions 2.4 to 2.6

Solution
Upgrade to latest Linux Kernel: http://www.kernel.org/
Linux Kernel Local Denial of Service Vulnerabilities (Not Critical)
Linux Kernel "die_if_kernel()" Potential Denial of Service (Not Critical)
Linux kernel Netfilter/do_replace and NDIS response (Moderately critical)
HTTP link: http://secunia.com/advisories/19330/
CVE ID : unknown
Remotely: no
Release Date : 2006-03-22

Description
Two vulnerabilities have been reported in the Linux Kernel, which have an unknown impact.
1) An integer overflow error exists within the "do_replace()" function in Netfilter. This can be exploited to cause a buffer overflow and allows the overwrite of arbitrary amounts of kernel memory when data is copied from user space.
2) Insufficient memory allocation in "drivers/usb/gadget/rndis.c" when handling NDIS response to OID_GEN_SUPPORTED_LIST may cause kernel memory corruption.

Solution: Update to version 2.6.16. http://www.kernel.org/
Linux Kernel IPv4 "sockaddr_in.sin_zero" Information Disclosure (Not Critical)
Linux Kernel IP ID Value Increment Weakness (Not Critical)
Linux Kernel Sysfs Local Denial of Service Vulnerability (Not Critical)
UPDATE: Stable kernel 2.6.16.2 has just been released. It includes the patch for CVE-2006-1055, among other things. As usual, you can get your copy at: http://www.kernel.org/
Linux Kernel "__keyring_search_one()" Denial of Service (Not Critical)
UPDATE #1: 2.6.16.4 has been released. Less than 12 hours after 2.6.16.3 was released, the -stable team patched the code with a one-liner, releasing 2.6.16.4. A Secunia advisory isn't out yet, but the commit in git states the patch addresses an issue with RCU signal handling, which is CVE-2006-1523.

UPDATE #2: 2.6.16.5 has been released. One day after 2.6.16.4 was released, the -stable team patched the code once again, releasing 2.6.16.5. A Secunia advisory isn't out yet, but git shows that one patch addresses an issue with uncanonical return addresses on x86_64, which is CVE-2006-0744.