CERT-In Vulnerability Note CIVN-2008-132
Linux Kernel UBIFS Orphan Inode Local Denial of Service Vulnerability

Original Issue Date: August 19, 2008

Severity Rating: Medium

Systems Affected

  • Linux Kernel Versions prior to 2.6.25.15

Overview

A vulnerability has been reported in the VFS implementation in the Linux Kernel, which could be exploited by a local attacker to cause a Denial of Service.

Description

This vulnerability is caused by an error in the implementation of the 'real_lookup' and '__lookup_hash' functions in 'fs/namei.c' in the VFS (Virtual File System) implementation in the Linux Kernel. The '->delete_inode()' function may not be properly called in certain cases, causing the child dentry cache for deleted directories to persist on disk. In UBIFS (UBI File System), this is problematic because the orphaned inode area can be overflowed. A local attacker can exploit this issue to cause the kernel to crash, resulting in a Denial of Service.

Solution

Upgrade to Linux Kernel Version 2.6.25.15 or later.
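
A version check against the fixed release named above, as an added example (not part of the CERT-In note or the kernel sources). It assumes kernel.org-style release numbering, and the function names are hypothetical; distribution kernels often backport fixes without changing the upstream version, so an "affected" result is a prompt to check the vendor changelog.

```sh
#!/bin/sh
# Added example: compare a kernel release string with the fixed release
# from this note. Assumes upstream (kernel.org) version numbering.

FIXED="2.6.25.15"   # fixed release stated in the Solution section

# Keep only the leading dotted-numeric part, dropping suffixes such as
# "-rc3" or "-19-generic".
numeric_prefix() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/'
}

# Return 0 if release $1 is older than release $2. Compares four numeric
# fields; a missing field counts as 0, so "2.6.25" is treated as 2.6.25.0.
version_lt() {
    a=$(numeric_prefix "$1"); b=$(numeric_prefix "$2")
    i=1
    while [ "$i" -le 4 ]; do
        # The trailing dot makes cut return an empty field when one is absent.
        x=$(printf '%s.\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s.\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal versions are not "older"
}

# Print "affected" for releases prior to $FIXED, "not-listed" otherwise
# (the note lists only releases prior to 2.6.25.15 as affected).
check_release() {
    case "$1" in
        [0-9]*) ;;
        *) echo "unparseable"; return 0 ;;
    esac
    if version_lt "$1" "$FIXED"; then
        echo "affected"
    else
        echo "not-listed"
    fi
}

# Check the release given as an argument, or the running kernel by default.
check_release "${1:-$(uname -r)}"
```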


Vendor Information

Linux Kernel
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.15
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d70b67c8bc72ee23b55381bd6a884f4796692f77

References

SecurityFocus
http://www.securityfocus.com/bid/30647/

Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln30647.html

CVE Name
CVE-2008-3275

CWE Name
CWE-399

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003