   ADVISORY

CERT-In Advisory CIAD-2009-25
Multiple Vulnerabilities in Linux Kernel

Original issue date: May 15, 2009

Severity Rating: High

Systems Affected

  • Linux Kernel 2.6.x

Overview

Multiple vulnerabilities have been reported in the Linux kernel which could allow attackers to gain escalated privileges, bypass security restrictions, obtain sensitive information, or cause denial of service conditions.

Description

1. SELinux Subsystem Local Security Restriction Bypass Vulnerability (CVE-2009-1184)
This vulnerability is caused by an error in the selinux_ip_postroute_iptables_compat() function in security/selinux/hooks.c of the SELinux subsystem in the Linux kernel before 2.6.27.22, and 2.6.28.x before 2.6.28.10. It could allow local users to bypass intended restrictions on network traffic.

2. AGP Subsystem Local Information Disclosure Vulnerability (CVE-2009-1192)
This vulnerability is caused by an error in drivers/char/agp/generic.c of the AGP subsystem in the Linux kernel before 2.6.30-rc3. The AGP subsystem does not properly zero out pages that may later be made available to a user-space process. This could allow local users to obtain sensitive information by reading these pages.
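The information-disclosure class above comes from recycling memory without clearing it. The following added illustration is not code from the advisory or from the kernel's drivers/char/agp/generic.c; it is a constructed toy page pool (assumed 64-byte pages, four-page pool) that shows how a page released by one owner reaches the next owner with its old bytes intact, and how clearing on allocation removes the leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SZ    64   /* toy page size; real AGP pages are 4 KiB */
#define POOL_PAGES 4    /* toy pool; the kernel manages far more pages */

/* Constructed model of a page pool that recycles pages between owners.
 * It is not the kernel's drivers/char/agp/generic.c; it only reproduces
 * the property the advisory describes: a page released by one owner is
 * handed to the next owner with its old contents still in place unless
 * the allocator clears it. */
static uint8_t pool[POOL_PAGES][PAGE_SZ];
static int     in_use[POOL_PAGES];

static uint8_t *alloc_page(int clear_on_alloc)
{
    for (int i = 0; i < POOL_PAGES; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            if (clear_on_alloc)
                memset(pool[i], 0, PAGE_SZ);   /* the fix: scrub before handing out */
            return pool[i];
        }
    }
    return NULL;
}

static void free_page(uint8_t *page)
{
    /* Like many allocators, freeing does not scrub; the data stays in RAM. */
    for (int i = 0; i < POOL_PAGES; i++)
        if (pool[i] == page)
            in_use[i] = 0;
}

/* Simulate one owner writing data, releasing the page, and a second owner
 * (think: a user-space mapping) receiving the same page. Returns how many
 * bytes of the first owner's data the second owner can read. */
int stale_bytes_after_reuse(int clear_on_alloc)
{
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);

    uint8_t *first = alloc_page(1);
    memset(first, 0x5A, PAGE_SZ);   /* constructed "sensitive" contents */
    free_page(first);

    uint8_t *second = alloc_page(clear_on_alloc);
    int leaked = 0;
    for (size_t i = 0; i < PAGE_SZ; i++)
        if (second[i] == 0x5A)
            leaked++;
    free_page(second);
    return leaked;
}

int main(void)
{
    printf("without clearing: %d stale bytes visible\n", stale_bytes_after_reuse(0));
    printf("with clearing:    %d stale bytes visible\n", stale_bytes_after_reuse(1));
    return 0;
}
```

Without clearing, every byte of the first owner's data is readable by the second owner; clearing on allocation (or on free) is the mitigation the fixed kernels apply to pages that may be mapped to user space.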

3. NFS Memory Initialization Local Denial of Service Vulnerability (CVE-2009-1336)
This vulnerability is caused by improper initialization of the maximum NFS filename length field in the "nfs_server" structure in 'fs/nfs/client.c' in the Linux kernel before 2.6.23. An unprivileged local user could exploit this vulnerability to cause a denial of service condition via a long filename, related to the 'encode_lookup()' function.

4. CIFS nativeFileSystem Field Buffer Overflow Vulnerability (CVE-2009-1439)
This vulnerability is caused by an error in the handling of an SMB mount request in the "CIFSTCon()" function in 'fs/cifs/connect.c' in the Linux kernel 2.6.29 and earlier. A remote attacker could exploit this vulnerability via a specially crafted, overly long nativeFileSystem field in a Tree Connect response to an SMB mount request, triggering a buffer overflow. Successful exploitation could allow a remote attacker to cause a denial of service condition or potentially compromise a vulnerable system.
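The defect class here is a server-supplied string copied into a fixed-size client buffer without a bound. The following added example is not the kernel's fs/cifs/connect.c and does not model the real SMB Tree Connect layout; it assumes a 32-byte destination buffer and a four-byte placeholder header, and contrasts the unchecked copy pattern with a parser that only reads inside the received bytes, requires the terminator there, and checks the length against the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NATIVE_FS_MAX 32   /* assumed capacity of the client's fixed buffer */

/* The bug class: copy the NUL-terminated field straight from the response
 * into a fixed buffer, trusting the remote server to keep it short. Shown
 * only for contrast; it must never see untrusted input. */
void copy_native_fs_unchecked(const uint8_t *field, char *dst)
{
    strcpy(dst, (const char *)field);   /* no bound on the field or on dst */
}

/* Hardened parser: the field may only be read inside the bytes actually
 * received, must be NUL-terminated there, and must fit the destination.
 * Returns 0 on success, -1 on any violation (caller should fail the mount). */
int parse_native_fs(const uint8_t *pkt, size_t pkt_len, size_t offset,
                    char *dst, size_t dst_cap)
{
    if (dst_cap == 0 || offset >= pkt_len)
        return -1;
    const uint8_t *field = pkt + offset;
    size_t remaining = pkt_len - offset;

    const uint8_t *nul = memchr(field, '\0', remaining);
    if (nul == NULL)
        return -1;                      /* unterminated within the packet */
    size_t len = (size_t)(nul - field);
    if (len >= dst_cap)
        return -1;                      /* would overflow the fixed buffer */

    memcpy(dst, field, len);
    dst[len] = '\0';
    return 0;
}

/* Build a constructed response: a few placeholder header bytes followed by
 * the field. The real SMB Tree Connect layout is not modelled here. */
#define HDR_LEN 4
static size_t build_response(uint8_t *pkt, size_t cap, const char *fs, int terminate)
{
    size_t n = strlen(fs);
    if (HDR_LEN + n + 1 > cap)
        return 0;
    memset(pkt, 0xAA, HDR_LEN);
    memcpy(pkt + HDR_LEN, fs, n);
    if (!terminate)
        return HDR_LEN + n;             /* field runs off the end of the packet */
    pkt[HDR_LEN + n] = '\0';
    return HDR_LEN + n + 1;
}

/* Well-formed response: "NTFS" is parsed into out. */
int demo_ok(char *out, size_t out_cap)
{
    uint8_t pkt[64];
    size_t len = build_response(pkt, sizeof pkt, "NTFS", 1);
    return parse_native_fs(pkt, len, HDR_LEN, out, out_cap);
}

/* Overlong field (300 bytes): rejected instead of overflowing a 32-byte buffer. */
int demo_overlong(void)
{
    char fs[301];
    memset(fs, 'A', 300);
    fs[300] = '\0';
    uint8_t pkt[512];
    char out[NATIVE_FS_MAX];
    size_t len = build_response(pkt, sizeof pkt, fs, 1);
    return parse_native_fs(pkt, len, HDR_LEN, out, sizeof out);
}

/* Field with no terminator inside the received bytes: rejected. */
int demo_unterminated(void)
{
    uint8_t pkt[64];
    char out[NATIVE_FS_MAX];
    size_t len = build_response(pkt, sizeof pkt, "NTFS", 0);
    return parse_native_fs(pkt, len, HDR_LEN, out, sizeof out);
}

int main(void)
{
    char out[NATIVE_FS_MAX];
    printf("ok:           %d (%s)\n", demo_ok(out, sizeof out), out);
    printf("overlong:     %d\n", demo_overlong());
    printf("unterminated: %d\n", demo_unterminated());
    copy_native_fs_unchecked((const uint8_t *)"NTFS", out);   /* short input only */
    return 0;
}
```

The two rejected cases are the ones an unchecked copy gets wrong: a field longer than the destination, and a field whose terminator lies beyond the bytes actually received, so the copy reads past the packet.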

5. 'ptrace_attach()' Privilege Escalation Vulnerability (CVE-2009-1527)
This vulnerability is caused by the "ptrace_attach()" function in kernel/ptrace.c in the Linux kernel before 2.6.30-rc4 using "current->cred_exec_mutex" instead of "task->cred_exec_mutex". It could be exploited by local attackers to gain root privileges by combining "ptrace()" and "exec()" calls.

Solution

Upgrade to an appropriate version of the Linux kernel
http://www.kernel.org/


Vendor Information

kernel.org
http://www.kernel.org/

References

kernel.org
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commit;h=910c9e41186762de3717baaf392ab5ff0c454496

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.30-rc1

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=59de2bebabc5027f93df999d59cc65df591c3e6e
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.30-rc4

Red Hat
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1192
https://bugzilla.redhat.com/show_bug.cgi?id=494074

SecurityTracker
http://securitytracker.com/alerts/2009/May/1022176.html
http://securitytracker.com/alerts/2009/May/1022160.html

Secunia
http://secunia.com/advisories/27555/
http://secunia.com/advisories/34981
http://secunia.com/advisories/35011
http://secunia.com/advisories/34977

SecurityFocus
http://www.securityfocus.com/bid/34673
http://www.securityfocus.com/bid/34390
http://www.securityfocus.com/bid/34799/

VUPEN
http://www.vupen.com/english/advisories/2009/1260
http://www.vupen.com/english/advisories/2009/0974
http://www.vupen.com/english/advisories/2009/1236

CVE Name
CVE-2009-1184
CVE-2009-1192
CVE-2009-1336
CVE-2009-1439
CVE-2009-1527

CWE Name
CWE-16
CWE-20
CWE-119
CWE-362

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003