LinuxQuestions.org
Linux - Security: Kernel Vulns (https://www.linuxquestions.org/questions/linux-security-4/kernel-vulns-399624/)

win32sux 05-18-2009 07:11 PM

Linux Kernel "nfs_permission()" EXEC Security Bypass Vulnerability
 
Quote:

Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to bypass security restrictions. This issue is caused by an error in the "nfs_permission()" [fs/nfs/dir.c] function that does not check execute (i.e. EXEC or MAY_EXEC) permission bits when "atomic_open" is available, which could allow malicious users to bypass permissions and execute files.

Affected Products
Linux kernel versions 2.6.x

Solution
VUPEN Security is not aware of any vendor-supplied patch.
VUPEN Advisory

win32sux 06-03-2009 03:12 AM

Linux Kernel e1000 Driver Denial of Service Vulnerability
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "e1000_clean_rx_irq()" function in drivers/net/e1000/e1000_main.c. This can be exploited to cause a kernel panic via specially crafted network packets sent to an affected system.

Solution:
Fixed in the GIT repository.
http://git.kernel.org/linus/ea30e119...332554573b4a10
Secunia Advisory

win32sux 06-11-2009 06:57 PM

Linux Kernel RTL8169 NIC Remote Denial of Service Vulnerability
 
Quote:

The Linux Kernel is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to crash the system, denying service to legitimate users.
Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.

Versions prior to Linux Kernel 2.6.30 are vulnerable.
Bugtraq ID: 35281

win32sux 07-07-2009 12:40 PM

Linux Kernel "kvm_arch_vcpu_ioctl_set_sregs()" Denial of Service Issue
 
Quote:

Technical Description
A vulnerability has been identified in KVM, which could be exploited by local attackers to cause a denial of service. This issue is caused by an error in the "kvm_arch_vcpu_ioctl_set_sregs()" function that does not validate the page table root in a "KVM_SET_SREGS" call, which could allow malicious users to trigger a NULL pointer dereference and panic a vulnerable system, creating a denial of service condition.

Affected Products
Linux Kernel versions prior to 2.6.30.1

Solution
Upgrade to Linux Kernel version 2.6.30.1
VUPEN Advisory | CVE-2009-2287

win32sux 07-14-2009 02:21 AM

Linux Kernel "PER_CLEAR_ON_SETID" Security Bypass Vulnerability
 
Quote:

Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by malicious users to bypass security restrictions. This issue is caused due to the "PER_CLEAR_ON_SETID" mask not including "ADDR_COMPAT_LAYOUT" and "MMAP_PAGE_ZERO", which could allow local attackers to bypass the "mmap_min_addr" restrictions and ASLR restrictions.

Affected Products
Linux Kernel 2.6.x

Solution
Apply patch :
http://git.kernel.org/?p=linux/kerne...03ac7cfa9427b6
VUPEN Advisory

win32sux 07-17-2009 07:46 PM

Linux Kernel "tun_chr_poll()" NULL Pointer Dereference Vulnerability
 
Quote:

Technical Description
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to cause a denial of service or gain elevated privileges. This issue is caused by a NULL pointer dereference error in the "tun_chr_poll()" [drivers/net/tun.c] function when opening and polling devices, which could allow a malicious user to corrupt memory leading to a kernel panic or arbitrary code execution with root privileges.

Affected Products
Linux Kernel version 2.6.30

Solution
A fix is available via GIT :
http://git.kernel.org/?p=linux/kerne...e04d9c8357ca13
VUPEN Advisory | CVE-2009-1897

win32sux 07-18-2009 09:27 AM

New Linux Flaw Enables Null Pointer Exploits
 
Please go here for complete information and discussion.

win32sux 07-20-2009 11:30 AM

Linux 2.6.30.2 has been released.
 
It includes fixes for at least two security vulnerabilities.

The changelog is available here.
Quote:

personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)

commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream.

We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
include either ADDR_COMPAT_LAYOUT or MMAP_PAGE_ZERO.

The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

We believe it is important to add MMAP_PAGE_ZERO, because by using this
personality it is possible to have the first page mapped inside a
process running as setuid root. This could be used in those scenarios:

- Exploiting a NULL pointer dereference issue in a setuid root binary
- Bypassing the mmap_min_addr restrictions of the Linux kernel: by
running a setuid binary that would drop privileges before giving us
control back (for instance by loading a user-supplied library), we
could get the first page mapped in a process we control. By further
using mremap and mprotect on this mapping, we can then completely
bypass the mmap_min_addr restrictions.

Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on x86 32bits it will in practice disable most of the address
space layout randomization (only the stack will remain randomized).
CVE-2009-1895

Quote:

tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897)

commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 upstream.

Fix NULL pointer dereference in tun_chr_poll() introduced by commit
33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
packets per device") and triggered by this code:

Code:

    #include <fcntl.h>
    #include <poll.h>

    int main(void)
    {
        int fd;
        struct pollfd pfd;
        /* open the tun control device, then poll it without attaching an interface */
        fd = open("/dev/net/tun", O_RDWR);
        pfd.fd = fd;
        pfd.events = POLLIN | POLLOUT;
        poll(&pfd, 1, 0);
        return 0;
    }
CVE-2009-1897

win32sux 07-30-2009 02:39 AM

Linux Kernel eCryptfs Two Vulnerabilities
 
Quote:

Two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious people to potentially compromise a user's system.

1) A boundary error in the processing of tag 11 packets can be exploited to cause a stack-based buffer overflow via an eCryptfs file containing a specially crafted metadata section.

2) A boundary error in the "parse_tag_3_packet()" eCryptfs function can be exploited to cause a heap-based buffer overflow via a tag 3 packet containing an overly large encrypted key size.

Successful exploitation may allow execution of arbitrary code, but requires that a user is tricked into processing a specially crafted eCryptfs file.

The vulnerabilities are reported in version 2.6.30.3. Other versions may also be affected.
Secunia Advisory

win32sux 08-04-2009 07:45 AM

Linux Kernel "sigaltstack()" Information Disclosure
 
Quote:

A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.

The security issue is caused due to an error in the implementation of the "sigaltstack()" function and can be exploited to disclose a limited amount of kernel stack memory.

Successful exploitation may require that the kernel is running on a 64-bit platform.
Secunia Advisory

win32sux 08-04-2009 07:46 AM

Linux Kernel "clear_child_tid" Memory Corruption
 
Quote:

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to the kernel improperly using the "current->clear_child_tid" pointer from a parent process when writing to memory in a child process. This can be exploited to corrupt memory in a child process created with "fork()".
Secunia Advisory

win32sux 08-08-2009 08:46 PM

Linux Kernel "clock_nanosleep()" Local Denial of Service Vulnerability
 
Quote:

A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to cause a denial of service. This issue is caused by a NULL pointer dereference error in the "clock_nanosleep()" function when calling "do_nanosleep()" with a clock id set to "CLOCK_MONOTONIC_RAW", which could allow malicious users to panic a vulnerable system, creating a denial of service condition.
VUPEN Advisory

win32sux 08-11-2009 12:11 PM

Linux Kernel "mm_for_maps()" Information Disclosure
 
Quote:

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.

The vulnerability is caused due to an error within the "mm_for_maps()" function in fs/proc/base.c. This can be exploited to disclose the content of the "maps" and "smaps" files from the "/proc" filesystem for a setuid process which is starting.
Secunia Advisory

win32sux 08-13-2009 05:29 PM

Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability
 
Quote:

The Linux kernel is prone to a local NULL-pointer dereference vulnerability.

A local attacker can exploit this issue to execute arbitrary code with superuser privileges or crash an affected kernel, denying service to legitimate users.
Bugtraq | CVE-2009-2692

The fix for this is here, and a dedicated LQ thread for discussion has been set up here.

Please note that this affects all 2.4 and 2.6 kernels since 2001 (all architectures).

win32sux 08-16-2009 06:48 PM

Linux 2.6.30.5 has been released.
 
It includes the aforementioned fix for CVE-2009-2692, and addresses at least one other vulnerability.

This other vulnerability is described by Secunia as:
Quote:

A NULL pointer dereference exists within the "cmp_ies()" function in net/wireless/scan.c. This can be exploited to crash a vulnerable system by tricking it into scanning and processing specially crafted SSID IEs.
The relevant changelog entry for it reads:
Code:

    cfg80211: add two missing NULL pointer checks
   
    commit cd3468bad96c00b5a512f551674f36776129520e upstream.
   
    These pointers can be NULL, the is_mesh() case isn't
    ever hit in the current kernel, but cmp_ies() can be
    hit under certain conditions.
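To show what the two missing checks guard against, here is an added user-space illustration of the element lookup and comparison pattern (it is not the kernel's cmp_ies()/find_ie() code; the TLV layout and the element id 0 for the SSID follow 802.11, and the function names and sample buffers are assumptions constructed for this example):

```c
/* Illustrative re-implementation of an 802.11 information-element (IE)
 * lookup and compare, written for this thread; not the cfg80211 code.
 * IEs are TLVs: [id][len][len bytes of data]. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_EID_SSID 0   /* element id 0 carries the SSID */

/* Return a pointer to the first element with id `num`, or NULL if it is
 * absent or if the buffer ends in the middle of an element. */
const uint8_t *find_ie(uint8_t num, const uint8_t *ies, size_t len)
{
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t id = ies[pos];
        uint8_t elen = ies[pos + 1];
        if (pos + 2 + elen > len)
            return NULL;          /* truncated element: treat as absent */
        if (id == num)
            return ies + pos;
        pos += 2 + elen;
    }
    return NULL;
}

/* Compare element `num` across two IE blobs. Returns 0 when equal
 * (including when both lack the element), non-zero otherwise. The two
 * NULL checks are the point of the fix: a scan result that lacks the
 * element would otherwise be dereferenced at NULL. */
int cmp_ies(uint8_t num, const uint8_t *ies1, size_t len1,
            const uint8_t *ies2, size_t len2)
{
    const uint8_t *ie1 = find_ie(num, ies1, len1);
    const uint8_t *ie2 = find_ie(num, ies2, len2);
    size_t n;
    int r;

    if (!ie1 && !ie2)
        return 0;
    if (!ie1 || !ie2)
        return -1;                /* only one side carries the element */

    n = ie1[1] < ie2[1] ? ie1[1] : ie2[1];
    r = memcmp(ie1 + 2, ie2 + 2, n);
    if (r == 0 && ie1[1] != ie2[1])
        return (int)ie2[1] - (int)ie1[1];
    return r;
}
```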


