Kernel Vulns
I would like to ask anyone who sees kernel vulnerabilities posted to add them to this thread. This way we can make sure they're published centrally. Please add a good, short title or CVE ID and the date it was published. If you post a summary keep it concise and please link to the original publication.
Please note this thread serves as a listing and not for *discussing* those vulnerabilities: please create a separate thread. Thanks. CVE entries for linux+kernel. FYI from win32sux to all: I am now unable to post vulnerabilities regarding the 2.4 branch, as well as prior 2.6 branches. In other words, I am only posting vulnerabilities which affect the latest stable 2.6 branch. Also, please keep in mind that I only announce new kernel releases when they include patches to known security vulnerabilities. |
2006-01-04 CVE-2005-3358 (mempolicy, sysctl, fib_lookup, TwinHan DST driver)
Advisory ID : FrSIRT/ADV-2006-0035
CVE ID : CVE-2005-3358
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-01-04
Technical Description
Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by malicious users to cause a denial of service and potentially obtain elevated privileges.
- The first issue is due to an error in "mm/mempolicy.c" when handling policy system calls, which could be exploited by local attackers to cause a denial of service via a "set_mempolicy" call with a 0 bitmask.
- The second flaw is due to a one-byte buffer overrun error in "kernel/sysctl.c" when processing an overly long user-supplied string, which could be exploited by local attackers to potentially execute arbitrary commands.
- The third vulnerability is due to an error in "net/ipv4/fib_frontend.c" when processing malformed "fib_lookup" netlink messages, which could cause illegal memory references.
- The fourth issue is due to a buffer overflow error in the CA-driver for TwinHan DST Frontend/Card [drivers/media/dvb/bt8xx/dst_ca.c], which could be exploited by malicious users to cause a denial of service or potentially execute arbitrary commands.
Affected Products
Linux Kernel version 2.6.x
Solution
Upgrade to Linux Kernel version 2.6.15
See full advisory: FrSIRT/ADV-2006-0035. |
2006-01-16 CVE-2006-0035/0036/0037 (netlink_rcv_skb, PPTP NAT helper)
Advisory ID : FrSIRT/ADV-2006-0220
CVE ID : CVE-2006-0035 - CVE-2006-0036 - CVE-2006-0037
Rated as : Moderate Risk
CVSS Severity: 3.5 (Low), 3.3 (Low), 2.3 (Low)
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-16
Technical Description
Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by remote or local attackers to cause a denial of service.
- The first issue is due to an infinite loop in the "netlink_rcv_skb" [af_netlink.c] function when handling a specially crafted "nlmsg_len" value, which could be exploited by local attackers to cause a denial of service.
- The second flaw is due to an error in the PPTP NAT helper that does not properly calculate the offset when handling an inbound "PPTP_IN_CALL_REQUEST" packet, which could be exploited by attackers to crash a vulnerable system.
- The third vulnerability is due to an error in the PPTP NAT helper that does not properly calculate the offset based on the difference between two pointers to the header, which could be exploited by attackers to cause a kernel crash.
Affected Products
Linux Kernel version 2.6.15 and prior
Solution
Upgrade to Linux Kernel 2.6.15.1 : http://www.kernel.org/
Credits
Vulnerabilities reported by Martin Murray and the vendor
See full advisory |
2006-01-17 CVE-2006-0095 (dm-crypt)
Advisory ID : FrSIRT/ADV-2006-0235
CVE ID : CVE-2006-0095
Rated as : Low Risk
CVSS Severity: 1.6 (Low)
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-01-17
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to gain knowledge of sensitive information. This flaw is due to an error in the "dm-crypt" [drivers/md/dm-crypt.c] driver that fails to properly clear memory before freeing it, which could be exploited by malicious users to disclose sensitive information about cryptographic keys.
Affected Products
Linux Kernel version 2.6.15.1 and prior
Solution
Upgrade to Linux Kernel version 2.6.15.2 : http://www.kernel.org
Credits
Vulnerability reported by Stefan Rompf
See full advisory |
2006-02-02 CVE-2006-0482 (compat_sys_clock_settime for SPARC)
Advisory ID : FrSIRT/ADV-2006-0418
CVE ID : CVE-2006-0482
Rated as : Low Risk
CVSS Severity: 1.6 (Low)
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-02-02
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by malicious users to cause a denial of service. This flaw is due to an error in the "compat_sys_clock_settime()" [arch/sparc64/kernel/sys32.S] function that provides invalid sign extended arguments to the "get_compat_timespec()" function call when processing a "date -s" command on SPARC architectures, which could be exploited by local attackers to panic the system, creating a denial of service condition.
Affected Products
Linux Kernel version 2.6.15.1 and prior
Solution
The FrSIRT is not aware of any official supplied patch for this issue.
Credits
Vulnerability reported by Ludovic Courtès
See full advisory: FrSIRT/ADV-2006-0418 |
2006-02-08 CVE-2006-0454 (icmp response remote DoS)
Advisory ID : FrSIRT/ADV-2006-0464
CVE ID : CVE-2006-0454
Rated as : Moderate Risk
CVSS Severity: 2.3 (Low)
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-08
Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by remote attackers to cause a denial of service. This flaw is due to an error in the "ip_options_echo()" [net/ipv4/icmp.c] function when constructing an ICMP response, which could be exploited by remote attackers to cause a denial of service by sending specially crafted ICMP packets containing record-route or timestamp IP options to a vulnerable system.
Affected Products
Linux Kernel versions 2.6.12 through 2.6.15.2
Solution
Upgrade to Linux Kernel 2.6.15.3 : http://www.kernel.org/
Credits
Vulnerability reported by the vendor
See full advisory |
2006-02-21 CAN-2005-1767 (Stack Fault Exceptions Unspecified DoS)
HTTP link: http://www.securityfocus.com/bid/14467
Bugtraq ID: 14467
CVE ID : CAN-2005-1767
Remotely: No
Local: Yes
Release Date : 2006-02-21
Description
Linux kernel is reported prone to an unspecified local denial of service vulnerability. It was reported that this issue arises when a local user triggers stack fault exceptions. A local attacker may exploit this issue to carry out a denial of service attack against a vulnerable computer by crashing the kernel.
Affected Products
Linux Kernel versions 2.4 to 2.6
Solution
Upgrade to latest Linux Kernel: http://www.kernel.org/ |
Linux Kernel Local Denial of Service Vulnerabilities (Not Critical)
|
Linux Kernel "die_if_kernel()" Potential Denial of Service (Not Critical)
|
Linux kernel Netfilter/do_replace and NDIS response (Moderately critical)
HTTP link: http://secunia.com/advisories/19330/
CVE ID : unknown
Remotely: no
Release Date : 2006-03-22
Description
Two vulnerabilities have been reported in the Linux Kernel, which have an unknown impact.
1) An integer overflow error exists within the "do_replace()" function in Netfilter. This can be exploited to cause a buffer overflow and allows the overwrite of arbitrary amounts of kernel memory when data is copied from user space.
2) Insufficient memory allocation in "drivers/usb/gadget/rndis.c" when handling NDIS response to OID_GEN_SUPPORTED_LIST may cause kernel memory corruption.
Solution: Update to version 2.6.16. http://www.kernel.org/ |
|
Linux Kernel IPv4 "sockaddr_in.sin_zero" Information Disclosure (Not Critical)
|
Linux Kernel IP ID Value Increment Weakness (Not Critical)
|
Linux Kernel Sysfs Local Denial of Service Vulnerability (Not Critical)
UPDATE: Stable kernel 2.6.16.2 has just been released. It includes the patch for CVE-2006-1055, among other things. As usual, you can get your copy at: http://www.kernel.org/ |
Linux Kernel "__keyring_search_one()" Denial of Service (Not Critical)
UPDATE #1: 2.6.16.4 has been released. Less than 12 hours after 2.6.16.3 was released, the -stable team patched the code with a one-liner, releasing 2.6.16.4. A Secunia advisory isn't out yet, but the commit in git states the patch addresses an issue with RCU signal handling, which is CVE-2006-1523.
UPDATE #2: 2.6.16.5 has been released. One day after 2.6.16.4 was released, the -stable team patched the code once again, releasing 2.6.16.5. A Secunia advisory isn't out yet, but git shows that one patch addresses an issue with uncanonical return addresses on x86_64, which is CVE-2006-0744. |
This post is just a bump, so that all thread subscribers are made aware of the two updates which were made to the previous post yesterday (UPDATE #1) and today (UPDATE #2).
|
Linux 2.6.16.6 was released about 13 hours ago. As can be seen in the ChangeLog, it included a fair number of bugfix patches (23 commits since 2.6.16.5 was released). One of these patches was indeed assigned a CVE ID. In Hugh Dickins' (patch author) own words:
About two hours after the release of 2.6.16.6, the code was patched once again by Hugh Dickins - and Linux 2.6.16.7 was released. This is CVE-2006-1524. |
Linux 2.6.16.8 has been released. From the ChangeLog:
|
Linux 2.6.16.9 has been released. From the ChangeLog:
|
Linux Kernel perfmon Local Denial of Service Vulnerability (Not Critical)
This is CVE-2006-0558. |
Linux Kernel CIFS chroot Directory Traversal Vulnerability (Not Critical)
This is CVE-2006-1863. |
Linux Kernel SMBFS chroot Directory Traversal Vulnerability (Not Critical)
This is CVE-2006-1864. |
Linux 2.6.16.13 has been released. It fixes a Netfilter vulnerability.
From the git commit:
|
Linux 2.6.16.14 has been released. It fixes a smbfs chroot vulnerability.
From the ChangeLog:
|
SCTP Denial of Service Vulnerabilities (Moderately Critical)
Patches for this can be found here: http://git.kernel.org/git/?p=linux/k...60e84637bc432e http://git.kernel.org/git/?p=linux/k...dd1d8191a6e813 |
Linux 2.6.16.15 has been released. It consists of these SCTP patches:
The ChangeLog is available here. |
Linux 2.6.16.16 has been released. It's basically a patch for CVE-2006-1860.
From the ChangeLog:
|
Linux 2.6.16.17 has been released.
The ChangeLog shows three CVE issues (among other things) are addressed:
|
Linux 2.6.16.18 has been released.
The ChangeLog shows it consists of a single patch for a Netfilter SNMP NAT issue:
|
Linux 2.6.16.19 has been released.
The ChangeLog shows it consists of a Netfilter information disclosure patch:
|
Linux Kernel SMP "/proc" Race Condition Denial of Service (Not Critical)
This is CVE-2006-2629. |
Linux 2.6.16.21 and 2.6.17.1 have been released. Both releases address security issues.
Regarding 2.6.16.21: The ChangeLog shows it consists of 4 patches, 3 of which have CVE IDs:
Regarding 2.6.17.1: The ChangeLog shows it consists of a patch for CVE-2006-3085:
|
Linux 2.6.16.23 and 2.6.17.3 have been released.
Both releases address a Netfilter vulnerability:
ChangeLogs: 2.6.16.23, 2.6.17.3. |
Linux 2.6.16.24 and 2.6.17.4 have been released.
Both releases address a core dump handling vulnerability:
ChangeLogs: 2.6.16.24, 2.6.17.4. |
Linux 2.6.16.25 and 2.6.17.5 have been released.
Both releases address a /proc vulnerability:
ChangeLogs: 2.6.16.25, 2.6.17.5.
UPDATE: Linux 2.6.16.26 and 2.6.17.6 were released shortly after, to relax the /proc fix a bit. Because this patch isn't in and of itself a vulnerability fix, I will not be making a new post for it (this thread is only for vulnerabilities, not just any bugfixes).
|
Linux 2.6.16.27 has been released.
It's three patches, one of which addresses a security vulnerability:
ChangeLog: 2.6.16.27. |
Linux 2.6.17.7 has been released.
It consists of many patches, one of which addresses a security vulnerability:
ChangeLog: 2.6.17.7. |
Linux Kernel Ext3 Invalid Inode Number Denial of Service
NOTE: It seems like 2.6.17.8 addresses this, but it's not entirely clear whether the patch is a temporary workaround or a permanent fix. |
Linux 2.4.33 has been released.
It consists of a great deal of maintenance patches over 2.4.32, several of which address security vulnerabilities. Here's the essence, as far as patches with CVE IDs are concerned:
NOTE: I realize it might be a little odd to see the 2.4.x kernel make it into this thread. But considering that 2.4.x is still in such wide use, I feel it's important we post vulnerability reports for it also. Furthermore, the release of 2.4.33 seems like the perfect time to start doing so IMHO. |
Linux Kernel UDF Truncation Denial of Service (Not Critical)
|
Linux 2.6.17.9 has been released.
It consists of a single patch for a PowerPC vulnerability:
|
Linux 2.4.33.1 has been released.
It includes a patch for the PowerPC vulnerability, as well as one for CVE-2006-1528. The ChangeLog is here. |
Linux 2.4.33.2 has been released.
It includes a patch for CVE-2006-3745 (SCTP local privilege elevation). The ChangeLog is here. |
Linux 2.6.17.10 has been released.
It consists of three patches, two of which have CVE IDs:
The 2.6.17.10 ChangeLog is here. UPDATE: Linux 2.6.17.11 has been released, but because it doesn't seem to include any fixes for security vulnerabilities, a new post here isn't warranted. |
Linux 2.6.16.28 has been released.
It consists of several bugfixes, four of which address security vulnerabilities. From the ChangeLog:
|
Linux 2.4.33.3 has been released.
It includes a patch for CVE-2006-4145 (UDF deadlock and memory corruption). The full ChangeLog is here. |
Linux Kernel ULE Packet Handling Denial of Service (Less Critical)
|
Linux 2.6.16.29 has been released.
It consists of many bugfixes, three of which address security vulnerabilities.
|
Linux Kernel SCTP Denial of Service Vulnerability (Not Critical)
NOTE: This affects both 2.4 and 2.6 kernels. |
Linux Kernel s390 "copy_from_user" Information Disclosure (Less Critical)
|