Results 1 to 2 of 2

Thread: Linux Kernel: Multiple DoS and permission vulnerabilities

  1. #1
    Senior Member
    Join Date
    Oct 2002

    Linux Kernel: Multiple DoS and permission vulnerabilities

    Linux Kernel: Multiple DoS and permission vulnerabilities


    1. Gentoo Linux Security Advisory

    Version Information
    Advisory Reference GLSA 200407-16 / Kernel
    Release Date July 22, 2004
    Latest Revision July 22, 2004: 01
    Impact high
    Exploitable local

    Package / Vulnerable versions / Unaffected versions / Architecture(s)

    sys-kernel/aa-sources < 2.6.5-r5 2.4.23-r2, >= 2.6.5-r5* All supported architectures
    sys-kernel/alpha-sources < 2.4.21-r9 >= 2.4.21-r9 All supported architectures
    sys-kernel/ck-sources < 2.6.7-r5 2.4.26-r1, >= 2.6.7-r5* All supported architectures
    sys-kernel/compaq-sources < >= All supported architectures
    sys-kernel/development-sources < 2.6.8_rc1 >= 2.6.8_rc1 All supported architectures
    sys-kernel/gentoo-dev-sources < 2.6.7-r8 >= 2.6.7-r8 All supported architectures
    sys-kernel/gentoo-sources < 2.4.26-r5 2.4.19-r18, 2.4.20-r21, 2.4.22-r13, 2.4.25-r6, >= 2.4.26-r5 All supported architectures
    sys-kernel/grsec-sources < >= All supported architectures
    sys-kernel/gs-sources < 2.4.25_pre7-r8 >= 2.4.25_pre7-r8 All supported architectures
    sys-kernel/hardened-dev-sources < 2.6.7-r2 >= 2.6.7-r2 All supported architectures
    sys-kernel/hardened-sources < 2.4.26-r3 >= 2.4.26-r3 All supported architectures
    sys-kernel/hppa-dev-sources < 2.6.7_p1-r2 >= 2.6.7_p1-r2 All supported architectures
    sys-kernel/hppa-sources < 2.4.26_p6-r1 >= 2.4.26_p6-r1 All supported architectures
    sys-kernel/ia64-sources < 2.4.24-r7 >= 2.4.24-r7 All supported architectures
    sys-kernel/mm-sources < 2.6.7-r6 >= 2.6.7-r6 All supported architectures
    sys-kernel/openmosix-sources < 2.4.22-r11 >= 2.4.22-r11 All supported architectures
    sys-kernel/pac-sources < 2.4.23-r9 >= 2.4.23-r9 All supported architectures
    sys-kernel/planet-ccrma-sources < 2.4.21-r11 >= 2.4.21-r11 All supported architectures
    sys-kernel/pegasos-dev-sources < 2.6.7-r2 >= 2.6.7-r2 All supported architectures
    sys-kernel/pegasos-sources < 2.4.26-r3 >= 2.4.26-r3 All supported architectures
    sys-kernel/ppc-sources < 2.4.26-r3 >= 2.4.26-r3 All supported architectures
    sys-kernel/rsbac-sources < 2.4.26-r3 >= 2.4.26-r3 All supported architectures
    sys-kernel/rsbac-dev-sources < 2.6.7-r2 >= 2.6.7-r2 All supported architectures
    sys-kernel/selinux-sources < 2.4.26-r2 >= 2.4.26-r2* All supported architectures
    sys-kernel/sparc-sources < 2.4.26-r3 >= 2.4.26-r3 All supported architectures
    sys-kernel/uclinux-sources < 2.6.7_p0-r2 2.4.26_p0-r3, >= 2.6.7_p0-r2 All supported architectures
    sys-kernel/usermode-sources < 2.6.6-r4 2.4.24-r6, 2.4.26-r3, >= 2.6.6-r4 All supported architectures
    sys-kernel/vserver-sources < >= All supported architectures
    sys-kernel/win4lin-sources < 2.6.7-r2 2.4.26-r3, >= 2.6.7-r2 All supported architectures
    sys-kernel/wolk-sources < 4.14-r4 4.9-r10, 4.11-r7, >= 4.14-r4 All supported architectures
    sys-kernel/xbox-sources < 2.6.7-r2 2.4.26-r3, >= 2.6.7-r2 All supported architectures
    sys-kernel/mips-sources < 2.4.26-r5 All supported architectures
    sys-kernel/vanilla-sources <= 2.4.26 * All supported architectures

    Warning: *: Needs to be manually updated

    Related bugreports: #56171, #56479

    Multiple permission vulnerabilities have been found in the Linux kernel, allowing an attacker to change the group IDs of files mounted on a remote filesystem (CAN-2004-0497), as well as an issue in 2.6 series kernels which allows /proc permissions to be bypassed. A context sharing vulnerability in vserver-sources is also handled by this advisory as well as CAN-2004-0447, CAN-2004-0496 and CAN-2004-0565. Patched, or updated versions of these kernels have been released and details are included along with this advisory.

    2. Impact Information


    The Linux kernel is responsible for managing the core aspects of a GNU/Linux system, providing an interface for core system applications as well as providing the essential structure and capability to access hardware that is needed for a running system.


    The Linux kernel allows a local attacker to mount a remote file system on a vulnerable Linux host and modify files' group IDs. On 2.4 series kernels this vulnerability only affects shared NFS file systems. This vulnerability has been assigned CAN-2004-0497 by the Common Vulnerabilities and Exposures project.

    Also, a flaw in the handling of /proc attributes has been found in 2.6 series kernels; allowing the unauthorized modification of /proc entries, especially those which rely solely on file permissions for security to vital kernel parameters.

    An issue specific to the VServer Linux sources has been found, by which /proc related changes in one virtual context are applied to other contexts as well, including the host system.

    CAN-2004-0447 resolves a local DoS vulnerability on IA64 platforms which can cause unknown behaviour and CAN-2004-0565 resolves a floating point information leak on IA64 platforms by which registers of other processes can be read by a local user.

    Finally, CAN-2004-0496 addresses some more unknown vulnerabilities in 2.6 series Linux kernels older than 2.6.7 which were found by the Sparse source code checking tool.


    Bad Group IDs can possibly cause a Denial of Service on parts of a host if the changed files normally require a special GID to properly operate. By exploiting this vulnerability, users in the original file group would also be blocked from accessing the changed files.

    The /proc attribute vulnerability allows local users with previously no permissions to certain /proc entries to exploit the vulnerability and then gain read, write and execute access to entries.

    These new privileges can be used to cause unknown behaviour ranging from reduced system performance to a Denial of Service by manipulating various kernel options which are usually reserved for the superuser. This flaw might also be used for opening restrictions set through /proc entries, allowing further attacks to take place through another possibly unexpected attack vector.

    The VServer issue can also be used to induce similar unexpected behaviour to other VServer contexts, including the host. By successful exploitation, a Denial of Service for other contexts can be caused allowing only root to read certain /proc entries. Such a change would also be replicated to other contexts, forbidding normal users on those contexts to read /proc entries which could contain details needed by daemons running as a non-root user, for example.

    Additionally, this vulnerability allows an attacker to read information from another context, possibly hosting a different server, gaining critical information such as what processes are running. This may be used for furthering the exploitation of either context.

    CAN-2004-0447 and CAN-2004-0496 permit various local unknown Denial of Service vulnerabilities with unknown impacts - these vulnerabilities can be used to possibly elevate privileges or access reserved kernel memory which can be used for further exploitation of the system.

    CAN-2004-0565 allows FPU register values of other processes to be read by a local user setting the MFH bit during a floating point operation - since no check was in place to ensure that the FPH bit was owned by the requesting process, but only an MFH bit check, an attacker can simply set the MFH bit and access FPU registers of processes running as other users, possibly those running as root.

    3. Resolution Information


    2.4 users may not be affected by CAN-2004-0497 if they do not use remote network filesystems and do not have support for any such filesystems in their kernel configuration. All 2.6 users are affected by the /proc attribute issue and the only known workaround is to disable /proc support. The VServer flaw applies only to vserver-sources, and no workaround is currently known for the issue. There is no known fix to CAN-2004-0447, CAN-2004-0496 or CAN-2004-0565 other than to upgrade the kernel to a patched version.

    As a result, all users affected by any of these vulnerabilities should upgrade their kernels to ensure the integrity of their systems.


    Users are encouraged to upgrade to the latest available sources for their system:

    Code Listing 3.1

    # emerge sync
    # emerge -pv your-favorite-sources
    # emerge your-favorite-sources

    # # Follow usual procedure for compiling and installing a kernel.
    # # If you use genkernel, run genkernel as you would do normally.

    4. References
    VServer /proc Context Vulnerability
    -- From Zone-H.org, more info check out this link.
    Space For Rent.. =]

  2. #2
    With them turning the 2.6 branch into the development tree (literally) I won't be suprised to see this happening often, as well as bug reports filling up everyone's time. You just don't take a vanilla kernel and turn it experimental. People -depend- upon a stable (see even numbers) kernel (vanilla even) to preform fixes and basic OS work. Their descision to stop this really makes me upset with Linus.

    Worst descision in the history of Linux...

    However, seeing as how I've always preached about using the 2.4.x kernel branch (with various patch fixes, such as preemptive and low latency ported from 2.6 to 2.5) because of it's proven stability... it's hilarious to see this kind of fate hit 2.6

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts