CERT-In Advisory CIAD-2009-11
Multiple Vulnerabilities in Linux Kernel
Original issue date: March 03, 2009
Severity Rating: Medium
Systems Affected
- Linux Kernel 2.6.27.x prior to 2.6.27.19
- Linux Kernel 2.6.28.x prior to 2.6.28.7
Overview
Multiple vulnerabilities have been reported in Linux Kernel which could allow local attackers to obtain sensitive information, to bypass certain security restrictions or to cause Denial of Service conditions.
Description
1. "skfp_ioctl()" Security Bypass Vulnerability
(CVE-2009-0675)
The "skfp_ioctl()" function in drivers/net/skfp/skfddi.c permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present. A local, unauthenticated attacker could exploit this vulnerability to reset the driver statistics.
2. "sock_getsockopt()" Information Disclosure Vulnerability
(CVE-2009-0676)
The getsockopt() function retrieves the options associated with a socket. It is implemented by the sock_getsockopt() function in net/core/sock.c.
This vulnerability is caused by improper initialization within the sock_getsockopt() function when the SO_BSDCOMPAT option is set. A local attacker could exploit this vulnerability to view portions of kernel memory, disclosing sensitive information, which could be used to launch further attacks on the system.
3. "ext4_group_add()" Local Denial of Service Vulnerability
(CVE-2009-0745)
This vulnerability is caused by improper initialization of the group descriptor during a resize operation within the "ext4_group_add()" function in fs/ext4/resize.c in the Linux kernel. A local attacker could exploit this vulnerability by arranging for crafted values to be present in available memory to cause a denial of service condition.
4. "make_indexed_dir()" Local Denial of Service Vulnerability (CVE-2009-0746)
This vulnerability is caused by improper validation of a certain "rec_len" field within the "make_indexed_dir()" function in fs/ext4/namei.c in the Linux kernel. A local attacker could exploit this vulnerability by mounting a specially crafted Ext4 file system to cause a denial of service condition.
5. "ext4_isize()" Local Denial of Service Vulnerability
(CVE-2009-0747)
This vulnerability is caused by improper usage of the i_size_high structure member during operations on arbitrary types of files in the "ext4_isize()" function in fs/ext4/ext4.h in the Linux kernel. A local attacker could exploit this vulnerability by mounting a specially crafted Ext4 file system to cause a denial of service condition.
6. "ext4_fill_super()" Local Denial of Service Vulnerability
(CVE-2009-0748)
This vulnerability is caused by improper validation of superblock configurations within the "ext4_fill_super()" function in fs/ext4/super.c in the Linux kernel. A local attacker could exploit this vulnerability by mounting a specially crafted Ext4 file system containing specially crafted superblock configurations to cause a denial of service condition.
Solution
Upgrade to Linux Kernel version 2.6.27.19 or 2.6.28.7 or later
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.19
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.7
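To check a host against the ranges under Systems Affected, the shell function below classifies a kernel release string. It is an added example, not part of the CERT-In advisory, and the function name kernel_affected is an assumption. It compares upstream version numbers only, so a distribution kernel carrying backported fixes may still be reported as affected.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a kernel release string
# against the affected ranges 2.6.27.x < 2.6.27.19 and 2.6.28.x < 2.6.28.7.

# kernel_affected RELEASE  (hypothetical helper name)
# Returns 0 = in an affected range, 1 = not in an affected range,
#         2 = release string could not be parsed.
kernel_affected() {
    # Drop distribution suffixes such as "-generic" or "-5-default".
    ver=${1%%-*}
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;   # only dotted numbers accepted
    esac

    # Split "2.6.27.18" into numeric fields.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; series=${3:-0}; stable=${4:-0}

    # Only the 2.6.27 and 2.6.28 stable series are listed as affected.
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] || return 1
    case $series in
        27) fixed=19 ;;   # fixed in 2.6.27.19
        28) fixed=7 ;;    # fixed in 2.6.28.7
        *)  return 1 ;;
    esac

    # Affected when the stable patch level is below the fixed release.
    [ "$stable" -lt "$fixed" ]
}

# Report on the running kernel.
rc=0
kernel_affected "$(uname -r)" || rc=$?
case $rc in
    0) echo "$(uname -r): within an affected range, upgrade required" ;;
    1) echo "$(uname -r): not within an affected range" ;;
    *) echo "$(uname -r): unrecognised release format, check manually" ;;
esac
```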
Vendor Information
kernel.org
http://www.kernel.org/
References
kernel.org
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.19
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.7
ISS X-Force
http://xforce.iss.net/xforce/xfdb/48847
http://xforce.iss.net/xforce/xfdb/48872
Secunia
http://secunia.com/advisories/33938
http://secunia.com/advisories/33977
SecurityFocus
http://www.securityfocus.com/bid/33846
Bugzilla
http://bugzilla.kernel.org/show_bug.cgi?id=12430
http://bugzilla.kernel.org/show_bug.cgi?id=12375
http://bugzilla.kernel.org/show_bug.cgi?id=12371
http://bugzilla.kernel.org/show_bug.cgi?id=12433
VUPEN
http://www.vupen.com/english/advisories/2009/0509
Security Database
http://www.security-database.com/detail.php?alert=CVE-2009-0675
http://www.security-database.com/detail.php?alert=CVE-2009-0676
CVE Name
CVE-2009-0675
CVE-2009-0676
CVE-2009-0745
CVE-2009-0746
CVE-2009-0747
CVE-2009-0748
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003