Linux Kernel ULE Packet Handling Denial of Service (Less Critical)
Quote:
Description:
Ang Way Chuang has reported a vulnerability in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the ULE (Unidirectional Lightweight Encapsulation) decapsulation code when processing ULE packets. This can be exploited to crash the system by sending a malicious ULE packet with an SNDU (Sub Network Data Unit) size of 0.
The vulnerability has been reported in version 2.6.17.11. Other versions may also be affected.
Solution:
Secunia is currently not aware of an official version fixing the vulnerability.
Linux Kernel SCTP Denial of Service Vulnerability (Not Critical)
Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within the handling of SCTP sockets. This can be exploited to crash the Kernel by opening an SCTP socket with a special SO_LINGER value.
Linux Kernel s390 "copy_from_user" Information Disclosure (Less Critical)
Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.
The vulnerability is caused due to the "copy_from_user" function not correctly clearing kernel buffers after receiving a fault because of invalid user space addresses. This can be exploited to read uninitialised kernel memory by appending to files from invalid addresses.
Note: The vulnerability affects the s390 architecture only.
Solution:
The vulnerability has been fixed in version 2.6.19-rc1.
Linux Kernel Denial of Service Vulnerabilities (Moderately Critical)
Quote:
Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).
1) The "sys_perfmon()" function on Itanium (IA64) systems does not correctly handle file descriptor reference counts, which can be exploited to cause a DoS by consuming all available file descriptors.
2) The "clip_mkip()" function in net/atm/clip.c may dereference a previously freed pointer when processing received data, which can be exploited to cause a kernel panic.
Linux Kernel "clip_mkip()" Denial of Service Vulnerability (Moderately Critical)
Quote:
Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the "clip_mkip()" function in the ATM (Asynchronous Transfer Mode) subsystem and can be exploited to cause a kernel panic.
Successful exploitation requires installed ATM hardware and configured ATM support.
Solution:
The vulnerability has been fixed in version 2.4.34-pre4.
It's a maintenance release, but it addresses a security vulnerability:
Quote:
dvb-core: Proper handling ULE SNDU length of 0
ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
code has a bug that allows an attacker to send a malformed ULE packet
with SNDU length of 0 and bring down the receiving machine. This patch
fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
reproducible and the modified source code (GPL) used to produce this bug
will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
kernel will produce a dump during CRC32 checking on faulty ULE packet.
It includes a patch for an s390 architecture vulnerability:
Quote:
[S390] user readable uninitialised kernel memory.
A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
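The Secunia advisory at the top of the thread and the dvb-core changelog entry above describe the same failure: an SNDU whose 15-bit Length field is 0, which the decapsulation code in 2.6.17.11 used for its remaining-byte and CRC-32 arithmetic before checking it. The following is an added example, not the kernel's dvb_net.c code, of a receiver-side validation that rejects such an SNDU before anything is derived from Length. Assumed beyond what the thread states: the RFC 4326 field layout (D bit + 15-bit Length, 16-bit Type, 6-byte Receiver Destination Address when D = 0, trailing CRC-32), that Length counts every byte after the Length field through the CRC, that the CRC is the MPEG-2 CRC-32, and the constructed sample packets; ule_parse, ule_build and ule_self_check are this example's names.

```c
/* Added example, not Linux dvb_net.c code: validate a ULE SNDU (RFC 4326)
 * before anything is derived from its Length field. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ULE_LEN_FIELD  2   /* D bit + 15-bit Length */
#define ULE_TYPE_FIELD 2
#define ULE_DST_FIELD  6   /* Receiver Destination Address, present when D == 0 */
#define ULE_CRC_FIELD  4

enum ule_status {
    ULE_OK = 0,
    ULE_ERR_TRUNCATED, /* not even Length + Type present */
    ULE_ERR_LEN_ZERO,  /* the Length == 0 case from the advisory */
    ULE_ERR_LEN_SHORT, /* Length cannot hold Type (+ Dst) + CRC-32 */
    ULE_ERR_LEN_LONG,  /* Length claims more bytes than were received */
    ULE_ERR_CRC
};

struct ule_sndu { int dbit; uint16_t type; const uint8_t *pdu; size_t pdu_len; };

/* CRC-32 with the MPEG-2 parameters (poly 0x04C11DB7, init 0xFFFFFFFF, no
 * reflection, no final XOR); assumed here to be the CRC RFC 4326 specifies. */
static uint32_t ule_crc32(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint32_t)p[i] << 24;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04C11DB7u : (crc << 1);
    }
    return crc;
}

/* Assumed layout: Length counts every byte after the Length field up to and
 * including the CRC-32; the CRC covers the SNDU from its first byte up to,
 * but excluding, the CRC itself. `out` may be NULL. */
enum ule_status ule_parse(const uint8_t *buf, size_t buflen, struct ule_sndu *out)
{
    if (buflen < ULE_LEN_FIELD + ULE_TYPE_FIELD) return ULE_ERR_TRUNCATED;
    uint16_t hdr = (uint16_t)((buf[0] << 8) | buf[1]);
    int dbit = (hdr >> 15) & 1;
    uint16_t len = hdr & 0x7FFF;

    /* Remaining-byte counts and the CRC offset are all derived from Length,
     * so nonsense values are rejected before any of that arithmetic runs. */
    if (len == 0) return ULE_ERR_LEN_ZERO;
    size_t min_len = ULE_TYPE_FIELD + ULE_CRC_FIELD + (dbit ? 0 : ULE_DST_FIELD);
    if (len < min_len) return ULE_ERR_LEN_SHORT;
    size_t total = (size_t)len + ULE_LEN_FIELD;
    if (total > buflen) return ULE_ERR_LEN_LONG;

    const uint8_t *c = buf + total - ULE_CRC_FIELD;
    uint32_t want = (uint32_t)c[0] << 24 | (uint32_t)c[1] << 16 | (uint32_t)c[2] << 8 | c[3];
    if (ule_crc32(buf, total - ULE_CRC_FIELD) != want) return ULE_ERR_CRC;

    if (out) {
        size_t pdu_off = ULE_LEN_FIELD + ULE_TYPE_FIELD + (dbit ? 0 : ULE_DST_FIELD);
        out->dbit = dbit;
        out->type = (uint16_t)((buf[2] << 8) | buf[3]);
        out->pdu = buf + pdu_off;
        out->pdu_len = total - ULE_CRC_FIELD - pdu_off;
    }
    return ULE_OK;
}

/* Build a well-formed SNDU (D == 1, no destination address) so the parser can
 * be exercised offline. Returns bytes written, 0 if it does not fit. */
size_t ule_build(uint8_t *dst, size_t cap, uint16_t type, const uint8_t *pdu, size_t pdu_len)
{
    size_t len = ULE_TYPE_FIELD + pdu_len + ULE_CRC_FIELD;   /* the Length value */
    size_t total = len + ULE_LEN_FIELD;
    if (len > 0x7FFF || total > cap) return 0;
    dst[0] = (uint8_t)(0x80 | (len >> 8));
    dst[1] = (uint8_t)len;
    dst[2] = (uint8_t)(type >> 8);
    dst[3] = (uint8_t)type;
    memcpy(dst + 4, pdu, pdu_len);
    uint32_t crc = ule_crc32(dst, total - ULE_CRC_FIELD);
    for (int i = 0; i < 4; i++)
        dst[total - 4 + i] = (uint8_t)(crc >> (24 - 8 * i));
    return total;
}

/* Constructed sample: D == 1, Length == 0, the shape the advisory describes. */
static const uint8_t ULE_SAMPLE_LEN_ZERO[] = { 0x80, 0x00, 0x08, 0x00, 0, 0, 0, 0 };

/* Runs the constructed scenarios; returns how many gave an unexpected status. */
int ule_self_check(void)
{
    uint8_t buf[64];
    struct ule_sndu s;
    int fails = 0;
    size_t n = ule_build(buf, sizeof buf, 0x0800, (const uint8_t *)"hello", 5);
    fails += (n != 13);
    fails += (ule_parse(buf, n, &s) != ULE_OK || s.type != 0x0800 || s.pdu_len != 5);
    fails += (ule_parse(buf, n - 1, NULL) != ULE_ERR_LEN_LONG);  /* cut short on the wire */
    buf[5] ^= 0x01;                                               /* flip one payload byte */
    fails += (ule_parse(buf, n, NULL) != ULE_ERR_CRC);
    fails += (ule_parse(ULE_SAMPLE_LEN_ZERO, sizeof ULE_SAMPLE_LEN_ZERO, NULL) != ULE_ERR_LEN_ZERO);
    return fails;
}
```

The order of the checks is the point: Length is rejected as zero, as too short to hold the mandatory fields, or as longer than the bytes actually received before it is used to locate the CRC, so a malformed SNDU is dropped with an error code instead of driving the CRC loop off the end of the buffer, which is where the changelog says the 2.6.17.11 kernel dumped.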
Linux Kernel IPv6 Flow Label Denial of Service (Not Critical)
Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within the handling of seqfiles for "/proc/net/ip6_flowlabel", which can be exploited to cause kernel lockups and crashes via specially crafted flow labels.
Linux Kernel ISO9660 Local Denial of Service (Not Critical)
Quote:
Description:
LMH has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to race conditions within the implementation of the ISO9660 file system. This can be exploited to cause an infinite loop in the "isofs_get_blocks()" function by mounting a specially crafted ISO9660 image and performing a read operation on the mounted file system.
Solution:
Allow only trusted users to mount ISO9660 images.
Linux Kernel Fragmented IPv6 Packet Filtering Bypass (Moderately Critical)
Quote:
Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerabilities are caused due to the incorrect processing of certain fragmented IPv6 packets. This can be exploited to bypass filtering rules by sending specially crafted packets.
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header
matches.
When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.
Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on protocol matches.
When the protocol header doesn't follow the fragment header immediately,
the fragment header contains the protocol number of the next extension
header. When the extension header and the protocol header are sent in
a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
match.
Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Quote:
[IPV6]: fix lockup via /proc/net/ip6_flowlabel (CVE-2006-5619)
There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
after finding a flowlabel, the code will loop forever not finding any
further flowlabels, first traversing the rest of the hash bucket then just
looping.
This patch fixes the problem by breaking after the hash bucket has been
traversed.
Note that this bug can cause lockups and oopses, and is trivially invoked
by an unprivileged user.
Quote:
[S390] fix user readable uninitialised kernel memory (CVE-2006-5174)
A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
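The two ip6_tables changelog entries earlier in the thread both end with the same mitigation: drop a fragment at offset 0 that does not carry the final protocol header, regardless of the ruleset, because every extension header precedes the protocol header and so must already be in the first fragment. The following is an added example, not netfilter's ip6_tables code, implementing that check over single packets. Assumed beyond what the thread states: the IPv6 extension-header length encodings (RFC 2460; RFC 4302 for AH) and the constructed fragment payloads; ip6_firstfrag_check and ip6_check_sample are this example's names.

```c
/* Added example, not netfilter code: the mitigation the ip6_tables changelog
 * describes, applied before any ruleset is consulted. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDR_LEN 40
enum { NH_HOP = 0, NH_UDP = 17, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AUTH = 51, NH_NONE = 59, NH_DEST = 60 };

enum ip6_verdict {
    IP6_PASS = 0,               /* hand the packet to the ruleset */
    IP6_DROP_FIRSTFRAG_NOPROTO, /* offset-0 fragment that does not reach the final protocol header */
    IP6_DROP_MALFORMED          /* unfragmented packet with a truncated header chain */
};

/* Walk the extension-header chain of a single packet (or fragment). On IP6_PASS
 * with a fully parsed chain, *proto receives the final protocol number. */
enum ip6_verdict ip6_firstfrag_check(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    if (len < IP6_HDR_LEN || (pkt[0] >> 4) != 6) return IP6_DROP_MALFORMED;
    uint8_t nh = pkt[6];
    size_t off = IP6_HDR_LEN;
    int first_frag = 0;

    for (;;) {
        switch (nh) {
        case NH_HOP: case NH_ROUTING: case NH_DEST: case NH_AUTH: {
            /* An extension header missing or cut off in an offset-0 fragment is
             * exactly what a later fragment could carry past the ruleset, so it
             * is dropped here no matter what the rules say. */
            if (off + 2 > len)
                return first_frag ? IP6_DROP_FIRSTFRAG_NOPROTO : IP6_DROP_MALFORMED;
            /* Hdr Ext Len: 8-octet units excluding the first 8, except AH (4-octet units minus 2). */
            size_t hlen = (nh == NH_AUTH) ? ((size_t)pkt[off + 1] + 2) * 4
                                          : ((size_t)pkt[off + 1] + 1) * 8;
            if (off + hlen > len)
                return first_frag ? IP6_DROP_FIRSTFRAG_NOPROTO : IP6_DROP_MALFORMED;
            nh = pkt[off];
            off += hlen;
            break;
        }
        case NH_FRAGMENT: {
            if (off + 8 > len) return IP6_DROP_MALFORMED;
            uint16_t frag_off = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]) >> 3;
            nh = pkt[off];
            off += 8;
            if (frag_off != 0) return IP6_PASS;   /* later fragment: the first one carried the headers */
            first_frag = 1;
            break;
        }
        case NH_NONE:
            if (proto) *proto = nh;
            return IP6_PASS;
        default:
            /* Upper-layer protocol reached; its header must at least start in this fragment. */
            if (off >= len)
                return first_frag ? IP6_DROP_FIRSTFRAG_NOPROTO : IP6_DROP_MALFORMED;
            if (proto) *proto = nh;
            return IP6_PASS;
        }
    }
}

/* Wrap a constructed payload in a minimal IPv6 header (unspecified addresses)
 * and run the check; the buffer is sized for the samples below. */
enum ip6_verdict ip6_check_sample(uint8_t nh, const uint8_t *payload, size_t plen, uint8_t *proto)
{
    uint8_t buf[128];
    if (IP6_HDR_LEN + plen > sizeof buf) return IP6_DROP_MALFORMED;
    memset(buf, 0, IP6_HDR_LEN);
    buf[0] = 0x60;                       /* version 6 */
    buf[4] = (uint8_t)(plen >> 8);       /* payload length */
    buf[5] = (uint8_t)plen;
    buf[6] = nh;                         /* next header */
    buf[7] = 64;                         /* hop limit */
    memcpy(buf + IP6_HDR_LEN, payload, plen);
    return ip6_firstfrag_check(buf, IP6_HDR_LEN + plen, proto);
}

/* Constructed fragment payloads; each follows an IPv6 header with Next Header = 44. */
/* Offset 0, M = 1, then the UDP header itself: a "-p udp" rule can match. */
static const uint8_t FRAG_UDP[] = { NH_UDP, 0, 0x00, 0x01, 0, 0, 0, 1,
                                    0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
/* Offset 0, Next Header says Destination Options, but the fragment ends here. */
static const uint8_t FRAG_DANGLING[] = { NH_DEST, 0, 0x00, 0x01, 0, 0, 0, 2 };
/* Offset 0, Destination Options (8 bytes, one PadN option) then UDP: complete chain. */
static const uint8_t FRAG_DEST_UDP[] = { NH_DEST, 0, 0x00, 0x01, 0, 0, 0, 3,
                                         NH_UDP, 0, 1, 4, 0, 0, 0, 0,
                                         0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
/* Offset 1, M = 1: a non-first fragment, not subject to this check. */
static const uint8_t FRAG_LATER[] = { NH_DEST, 0, 0x00, 0x09, 0, 0, 0, 2 };
```

FRAG_DANGLING is the shape both changelog entries are about: the fragment header promises an extension header (and, behind it, the real protocol) that only a later fragment would deliver, so a rule on that header or on "-p udp" could never match the first fragment. Dropping it up front removes the false negative without touching the ruleset, while FRAG_LATER shows that non-first fragments are still passed through.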
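The copy_from_user problem quoted above (CVE-2006-5174, also quoted from the earlier changelog post in this thread) is a contract violation rather than a parsing bug: the function returns how many bytes it could not copy, and the rest of the kernel expects the uncopied tail of the destination to have been zeroed, so a partial copy from a bad user address must not leave another caller's data in the buffer. The following is an added example, not the s390 arch code, that models the two behaviours in userspace. Assumed beyond what the thread states: the fake_user_range struct that simulates a partially mapped user range (the real API takes a __user pointer and faults in hardware), the 16-byte buffer sizes, and the names copy_from_user_leaky, copy_from_user_fixed and stale_bytes_after_copy.

```c
/* Added example, not s390 kernel code: a userspace model of the copy_from_user
 * contract the changelog describes. The user range is simulated (only the
 * first `mapped` bytes are readable); the real kernel API takes a __user pointer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct fake_user_range { const uint8_t *src; size_t mapped; };

/* Buggy shape: copies up to the faulting address and leaves the rest of the
 * kernel buffer as it was. Returns the number of bytes NOT copied. */
size_t copy_from_user_leaky(void *to, const struct fake_user_range *from, size_t n)
{
    size_t ok = n < from->mapped ? n : from->mapped;
    memcpy(to, from->src, ok);
    return n - ok;
}

/* Fixed shape: same return value, but the uncopied tail is zeroed so a caller
 * that goes on to use the whole buffer cannot expose stale kernel data. */
size_t copy_from_user_fixed(void *to, const struct fake_user_range *from, size_t n)
{
    size_t left = copy_from_user_leaky(to, from, n);
    if (left)
        memset((uint8_t *)to + (n - left), 0, left);
    return left;
}

/* Model of an append path: a kernel buffer that still holds a previous caller's
 * data ('S') receives a copy from a user range whose second half is unmapped.
 * Returns how many stale bytes would reach the file if the caller wrote the
 * whole buffer; 0 is the only acceptable answer. */
size_t stale_bytes_after_copy(int use_fixed)
{
    uint8_t kbuf[16], user_data[16];
    memset(kbuf, 'S', sizeof kbuf);                 /* leftover from a previous caller */
    memset(user_data, 'U', sizeof user_data);       /* constructed user-space content */
    struct fake_user_range ur = { user_data, 8 };   /* fault after 8 of 16 bytes */
    size_t left = use_fixed ? copy_from_user_fixed(kbuf, &ur, sizeof kbuf)
                            : copy_from_user_leaky(kbuf, &ur, sizeof kbuf);
    size_t stale = 0;
    for (size_t i = 0; i < sizeof kbuf; i++)
        if (kbuf[i] == 'S') stale++;
    /* Both variants report the same shortfall; only the buffer contents differ. */
    return left == 8 ? stale : (size_t)-1;
}
```

With the leaky variant, eight bytes of the previous caller's data survive in kbuf and would be appended to the file, which is the "read uninitialised kernel memory by appending to a file from a bad address and then reading the result back" path the changelog describes; with the fixed variant the same call leaves zeros there. The return value is unchanged by the fix, so callers that already handled short copies keep working.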