- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200407-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: High
      Title: Linux Kernel: Multiple DoS and permission vulnerabilities
       Date: July 22, 2004
       Bugs: #56171, #56479
         ID: 200407-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple permission vulnerabilities have been found in the Linux
kernel, allowing an attacker to change the group IDs of files mounted
on a remote filesystem (CAN-2004-0497), as well as an issue in 2.6
series kernels which allows /proc permissions to be bypassed.

A context sharing vulnerability in vserver-sources is also handled by
this advisory, as well as CAN-2004-0447, CAN-2004-0496 and
CAN-2004-0565. Patched or updated versions of these kernels have been
released and details are included along with this advisory.

Background
=========
The Linux kernel is responsible for managing the core aspects of a
GNU/Linux system, providing an interface for core system applications
as well as providing the essential structure and capability to access
hardware that is needed for a running system.

Affected packages
================
     -------------------------------------------------------------------
      Kernel                 /      Unaffected      /           Remerge
     -------------------------------------------------------------------
   1  aa-sources ................. *>= 2.4.23-r2 .................. YES
      ............................. >= 2.6.5-r5 ................... YES
   2  alpha-sources .............. >= 2.4.21-r9 .......................
   3  ck-sources ................. *>= 2.4.26-r1 .................. YES
      ............................. >= 2.6.7-r5 ................... YES
   4  compaq-sources ........... >= 2.4.9.32.7-r8 .....................
   5  development-sources ........ >= 2.6.8_rc1 .......................
   6  gentoo-dev-sources .......... >= 2.6.7-r8 .......................
   7  gentoo-sources ............ *>= 2.4.19-r18 ......................
      ........................... *>= 2.4.20-r21 ......................
      ........................... *>= 2.4.22-r13 ......................
      ............................ *>= 2.4.25-r6 ......................
      ............................ >= 2.4.26-r5 .......................
   8  grsec-sources ............ >= 2.4.26.2.0-r6 .....................
   9  gs-sources ............... >= 2.4.25_pre7-r8 ....................
  10  hardened-dev-sources ........ >= 2.6.7-r2 .......................
  11  hardened-sources ........... >= 2.4.26-r3 .......................
  12  hppa-dev-sources .......... >= 2.6.7_p1-r2 ......................
  13  hppa-sources .............. >= 2.4.26_p6-r1 .....................
  14  ia64-sources ............... >= 2.4.24-r7 .......................
  15  mm-sources .................. >= 2.6.7-r6 .......................
  16  openmosix-sources .......... >= 2.4.22-r11 ......................
  17  pac-sources ................ >= 2.4.23-r9 .......................
  18  planet-ccrma-sources ....... >= 2.4.21-r11 ......................
  19  pegasos-dev-sources ......... >= 2.6.7-r2 .......................
  20  pegasos-sources ............ >= 2.4.26-r3 .......................
  21  ppc-sources ................ >= 2.4.26-r3 .......................
  22  rsbac-sources .............. >= 2.4.26-r3 .......................
  23  rsbac-dev-sources ........... >= 2.6.7-r2 .......................
  24  selinux-sources ............ >= 2.4.26-r2 ................... YES
  25  sparc-sources .............. >= 2.4.26-r3 .......................
  26  uclinux-sources .......... *>= 2.4.26_p0-r3 .....................
      ........................... >= 2.6.7_p0-r2 ......................
  27  usermode-sources ........... *>= 2.4.24-r6 ......................
      ............................ *>= 2.4.26-r3 ......................
      ............................. >= 2.6.6-r4 .......................
  28  vserver-sources .......... >= 2.4.26.1.28-r1 ....................
  29  win4lin-sources ............ *>= 2.4.26-r3 ......................
      ............................. >= 2.6.7-r2 .......................
  30  wolk-sources ................ *>= 4.9-r10 .......................
      ............................. *>= 4.11-r7 .......................
      ............................. >= 4.14-r4 ........................
  31  xbox-sources ............... *>= 2.4.26-r3 ......................
      ............................. >= 2.6.7-r2 .......................
  32  mips-sources ................ Vulnerable! .......................
  33  vanilla-sources ............. Vulnerable! .......................
     -------------------------------------------------------------------
      NOTE: Some kernels are still vulnerable. Users should migrate to
            another kernel if one is available or seek another
            solution such as patching their existing kernel.
     -------------------------------------------------------------------
      NOTE: Packages marked with "Remerge" as "YES" require a re-merge
            even though Portage does not indicate a newer version!
     -------------------------------------------------------------------
      33 affected packages on all of their supported architectures.
     -------------------------------------------------------------------
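To decide whether an installed kernel source package falls inside the unaffected ranges listed above, the following Python script (an added example, not part of this advisory or of Portage's own tooling) encodes a subset of the table together with Gentoo's version ordering. Reading a leading '*' as a bound that only covers that base version's revisions is an assumption of the example, as is the REMERGE set taken from the "Remerge" column.

```python
import re

# Subset of the "Affected packages" table from GLSA 200407-16 (constructed here).
# ASSUMPTION of this example: a leading '*' marks an entry that only covers that
# base version (e.g. 2.4.19) from the given revision upwards, while an entry
# without '*' is an open-ended lower bound. An empty list means "Vulnerable!".
UNAFFECTED = {
    "gentoo-sources": ["*>= 2.4.19-r18", "*>= 2.4.20-r21", "*>= 2.4.22-r13",
                       "*>= 2.4.25-r6", ">= 2.4.26-r5"],
    "aa-sources": ["*>= 2.4.23-r2", ">= 2.6.5-r5"],
    "development-sources": [">= 2.6.8_rc1"],
    "hppa-sources": [">= 2.4.26_p6-r1"],
    "vanilla-sources": [],
}
# Packages flagged "Remerge: YES" in the table: a re-merge is required even
# when Portage already reports an unaffected version as installed.
REMERGE = {"aa-sources", "ck-sources", "selinux-sources"}

# Gentoo version ordering: _alpha < _beta < _pre < _rc < (none) < _p,
# then the -rN revision; numeric components compare as integers.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")

def parse_version(version):
    """Return (numeric_tuple, (suffix_rank, suffix_number), revision)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unparseable Gentoo version: %r" % version)
    nums, suffix, suffix_num, rev = m.groups()
    numeric = tuple(int(x) for x in nums.split("."))
    suffix_key = (SUFFIX_RANK[suffix or ""], int(suffix_num or 0))
    return numeric, suffix_key, int(rev or 0)

def is_affected(package, installed):
    """True if the installed version of 'package' is not covered by any
    unaffected entry of the advisory table."""
    entries = UNAFFECTED.get(package)
    if entries is None:
        raise KeyError("%s is not in the advisory table" % package)
    inst_num, inst_suf, inst_rev = parse_version(installed)
    for entry in entries:
        same_base_only = entry.startswith("*")
        bound = entry.lstrip("*").replace(">=", "", 1).strip()
        b_num, b_suf, b_rev = parse_version(bound)
        if same_base_only:
            if (inst_num, inst_suf) == (b_num, b_suf) and inst_rev >= b_rev:
                return False
        elif (inst_num, inst_suf, inst_rev) >= (b_num, b_suf, b_rev):
            return False
    return True

def advice(package, installed):
    """Action for one installed kernel source package: 'upgrade',
    'remerge' (fixed version installed but Remerge: YES) or 'ok'."""
    if is_affected(package, installed):
        return "upgrade"
    return "remerge" if package in REMERGE else "ok"

if __name__ == "__main__":
    for pkg, ver in [("gentoo-sources", "2.4.21-r5"), ("aa-sources", "2.6.5-r5")]:
        print(pkg, ver, advice(pkg, ver))
```

Note that 2.4.21-r5 for gentoo-sources is reported as affected: it matches none of the starred 2.4.x branches and is below the open-ended 2.4.26-r5 bound.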

Description
==========
The Linux kernel allows a local attacker to mount a remote file system
on a vulnerable Linux host and modify files' group IDs. On 2.4 series
kernels this vulnerability only affects shared NFS file systems. This
vulnerability has been assigned CAN-2004-0497 by the Common
Vulnerabilities and Exposures project.

A flaw in the handling of /proc attributes has also been found in 2.6
series kernels, allowing unauthorized modification of /proc entries,
especially those which rely solely on file permissions to protect vital
kernel parameters.

An issue specific to the VServer Linux sources has been found, by which
/proc related changes in one virtual context are applied to other
contexts as well, including the host system.

CAN-2004-0447 resolves a local DoS vulnerability on IA64 platforms
which can cause unknown behavior, and CAN-2004-0565 resolves a floating
point information leak on IA64 platforms by which a local user can read
registers of other processes.

Finally, CAN-2004-0496 addresses several further unspecified
vulnerabilities in 2.6 series Linux kernels older than 2.6.7 which were
found with the Sparse source code checking tool.

Impact
=====
Incorrect group IDs can cause a Denial of Service on parts of a host
if the changed files normally require a specific GID to operate
properly. Users in the original file group would also be blocked from
accessing the changed files.

The /proc attribute vulnerability allows local users who previously had
no permissions on certain /proc entries to gain read, write and execute
access to those entries.

These new privileges can be used to cause unspecified behaviour,
ranging from reduced system performance to a Denial of Service, by
manipulating kernel options which are usually reserved for the
superuser. The flaw might also be used to lift restrictions set through
/proc entries, allowing further attacks to take place through another,
possibly unexpected, attack vector.

The VServer issue can also be used to induce similar unexpected
behaviour in other VServer contexts, including the host. Successful
exploitation can cause a Denial of Service for other contexts by
allowing only root to read certain /proc entries. Such a change is
replicated to the other contexts, so normal users there can no longer
read /proc entries which may contain details needed by daemons running
as a non-root user, for example.

Additionally, this vulnerability allows an attacker to read information
from another context, possibly one hosting a different server, and to
obtain critical information such as which processes are running. This
may be used to further the exploitation of either context.

CAN-2004-0447 and CAN-2004-0496 cover various local Denial of Service
vulnerabilities whose details and impacts are unknown; they could
possibly be used to elevate privileges or to access reserved kernel
memory, which in turn can be used for further exploitation of the
system.

CAN-2004-0565 allows the FPU register values of other processes to be
read by a local user who sets the MFH bit during a floating point
operation. Because the kernel only checked the MFH bit and did not
verify that the FPH bit was owned by the requesting process, an attacker
can simply set the MFH bit and access the FPU registers of processes
running as other users, possibly including those running as root.

Workaround
=========
2.4 users may not be affected by CAN-2004-0497 if they do not use
remote network filesystems and have no support for such filesystems in
their kernel configuration. All 2.6 users are affected by the /proc
attribute issue, and the only known workaround is to disable /proc
support.

The VServer flaw applies only to vserver-sources, and no workaround is
currently known for the issue. There is no known fix for CAN-2004-0447,
CAN-2004-0496 or CAN-2004-0565 other than upgrading the kernel to a
patched version.

As a result, all users affected by any of these vulnerabilities should
upgrade their kernels to ensure the integrity of their systems.

Resolution
=========
Users are encouraged to upgrade to the latest available sources for
their system:

     # emerge sync

     # emerge -pv your-favorite-sources
     # emerge your-favorite-sources

     # # Follow usual procedure for compiling and installing a kernel.
     # # If you use genkernel, run genkernel as you would do normally.

References
=========
   [ 1 ] CAN-2004-0447
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0447
   [ 2 ] CAN-2004-0496
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0496
   [ 3 ] CAN-2004-0497
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497
   [ 4 ] CAN-2004-0565
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0565
   [ 5 ] VServer /proc Context Vulnerability
         
Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

     https://security.gentoo.org/glsa/200407-16

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org/.

License
======
Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/1.0/
