Results 1 to 3 of 3

Thread: Security flaws force Linux kernel upgrade

  1. January 6th, 2004, 04:33 PM #1
    SDK
    SDK is offline
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Security flaws force Linux kernel upgrade

    Open-source developers released a new version of the Linux kernel Monday in a move aimed at quickly fixing several bugs--among them two serious security flaws.
    The 2.4.24 upgrade to the Linux kernel comes a month after the release of the previous version of the core system software and only includes patches for six software issues, including the two flaws.

    The release is intended to prompt users to upgrade quickly, said Marcelo Tosatti, the maintainer of the 2.4 kernel series and a Linux developer for data center management company Cyclades.




    "These security issues need to be fixed as soon as possible," Tosatti told CNET News.com in an interview Monday. As maintainer, Tosatti decides what changes can be made to the kernel and when to release new versions of the core system software for Linux.

    The most serious flaw, which occurs in a function used by virtual memory, resembles a vulnerability fixed in late November that had been exploited by unknown attackers to control several key Linux servers open-source developers use. Both flaws allow an intruder to increase the privileges of a normal user account to the same level as the system's owner.

    Tosatti said that once it became clear that the latest flaw could be used to circumvent security on Linux systems, he and other developers decided to immediately release the fixes. The move follows decisions by the kernel developers to curtail new features in the 2.4 kernel series in order to get developers and users to move to the next generation of core Linux software, the 2.6 kernel. The final set of features that had been intended for this release of the kernel have been postponed until the next version, he said.

    "It is good that I have the ability--because this is open source--to release the code so quickly," Tosatti said.

    The second security flaw results in a device driver problem that could allow an intruder to read some memory the kernel uses.

    The latest version of the kernel can be downloaded from Kernel.org. Patches for specific Linux distributions can be downloaded from their developers.
    Source : http://zdnet.com.com/2100-1105_2-5135129.html
    -Simon \"SDK\"
    Reply With Quote Reply With Quote
  2. January 7th, 2004, 02:19 AM #2
    Phat_Penguin
    Phat_Penguin is offline
    Senior Member
    Join Date
    May 2002
    Posts
    450
    A more detailed outline of the vulnerabilty is in this advisory .... all sources and credits are in the quote.

    Synopsis: Linux kernel do_mremap local privilege escalation vulnerability
    Product: Linux kernel
    Version: 2.2, 2.4 and 2.6 series

    Vendor: http://www.kernel.org/
    URL: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
    CVE: http://cve.mitre.org/cgi-bin/cvename...=CAN-2003-0985
    Author: Paul Starzetz <ihaquer@isec.pl>,
    Wojciech Purczynski <cliph@isec.pl>
    Date: January 5, 2004


    Issue:
    ======

    A critical security vulnerability has been found in the Linux kernel memory management code in mremap(2) system call due to incorrect bound checks.


    Details:
    ========

    The mremap system call provides functionality of resizing (shrinking or growing) as well as moving across process's addressable space of existing virtual memory areas (VMAs) or any of its parts.

    A typical VMA covers at least one memory page (which is exactly 4kB on the i386 architecture). An incorrect bound check discovered inside the do_mremap() kernel code performing remapping of a virtual memory area may lead to creation of a virtual memory area of 0 bytes length.

    The problem bases on the general mremap flaw that remapping of 2 pages from inside a VMA creates a memory hole of only one page in length but an additional VMA of two pages. In the case of a zero sized remapping request no VMA hole is created but an additional VMA descriptor of 0 bytes in length is created.

    Such a malicious virtual memory area may disrupt the operation of other parts of the kernel memory management subroutines finally leading to unexpected behavior.

    A typical process's memory layout showing invalid VMA created with mremap system call:

    08048000-0804c000 r-xp 00000000 03:05 959142 /tmp/test
    0804c000-0804d000 rw-p 00003000 03:05 959142 /tmp/test
    0804d000-0804e000 rwxp 00000000 00:00 0
    40000000-40014000 r-xp 00000000 03:05 1544523 /lib/ld-2.3.2.so
    40014000-40015000 rw-p 00013000 03:05 1544523 /lib/ld-2.3.2.so
    40015000-40016000 rw-p 00000000 00:00 0
    4002c000-40158000 r-xp 00000000 03:05 1544529 /lib/libc.so.6
    40158000-4015d000 rw-p 0012b000 03:05 1544529 /lib/libc.so.6
    4015d000-4015f000 rw-p 00000000 00:00 0[*] 60000000-60000000 rwxp 00000000 00:00 0
    bfffe000-c0000000 rwxp fffff000 00:00 0

    The broken VMA in the above example has been marked with a[*].


    Impact:
    =======

    Since no special privileges are required to use the mremap(2) system call any process may misuse its unexpected behavior to disrupt the kernel memory management subsystem. Proper exploitation of this vulnerability may lead to local privilege escalation including execution of arbitrary code with kernel level access. Proof-of-concept exploit code has been created and successfully tested giving UID 0 shell on vulnerable systems.

    The exploitability of the discovered vulnerability is possible, although not a trivial one. We have identified at least two different attack vectors for the 2.4 kernel series. All users are encouraged to patch all vulnerable systems as soon as appropriate vendor patches are released.


    Credits:
    ========

    Paul Starzetz <ihaquer@isec.pl> has identified the vulnerability and performed further research.


    Disclaimer:
    ===========

    This document and all the information it contains are provided "as is", for educational purposes only, without warranty of any kind, whether express or implied.

    The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.
    I would think all the major vendors will be releasing a patch or upgrade very soon.

    I see the new kernel on the Slackware site already - now just to wait a little while for my favourite mirror to update and let swaret take care of the rest.

    Kernel 2.4.24 update this evening - now that was a quick turn around by Slackware
    Reply With Quote Reply With Quote
  3. January 7th, 2004, 02:25 AM #3
    pooh sun tzu
    pooh sun tzu is offline
    Banned
    Join Date
    Jan 2004
    Posts
    881
    -runs an emerge sync-

    Wow, you guys were a day ahead of me. Thanks for helping me catch that update, and glad to see people posting informative news!
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules