AA-2007.0082 -- [Linux] -- Multiple Linux kernel vulnerabilities
Date: 27 September 2007
References: ESB-2007.0732, ESB-2007.0733, ESB-2007.0744
===========================================================================
AA-2007.0082                  AUSCERT Advisory

                                  [Linux]
                  Multiple Linux kernel vulnerabilities
                             27 September 2007
---------------------------------------------------------------------------

        AusCERT Advisory Summary
        ------------------------

Product:              kernel
Operating System:     Linux variants
Impact:               Increased Privileges
                      Read-only Data Access
                      Denial of Service
Access:               Existing Account
CVE Names:            CVE-2007-0997 CVE-2007-4571 CVE-2007-4573
                      CVE-2007-5087
Member content until: Thursday, October 25 2007

OVERVIEW:

      There have been recent announcements of several vulnerabilities in
      the Linux kernel. The most serious of the vulnerabilities may result
      in local privilege escalation.

IMPACT:

      The National Vulnerability Database [1] gives the following
      information regarding these vulnerabilities:

      o CVE-2007-0997: "Race condition in the tee (sys_tee) system call in
        the Linux kernel 2.6.17 through 2.6.17.6 might allow local users
        to cause a denial of service (system crash), obtain sensitive
        information (kernel memory contents), or gain privileges via
        unspecified vectors related to a potentially dropped ipipe lock
        during a race between two pipe readers." [2]

      o CVE-2007-4571: "The snd_mem_proc_read function in
        sound/core/memalloc.c in the Advanced Linux Sound Architecture
        (ALSA) in the Linux kernel before 2.6.22.8 does not return the
        correct write size, which allows local users to obtain sensitive
        information (kernel memory contents) via a small count argument,
        as demonstrated by multiple reads of
        /proc/driver/snd-page-alloc." [3] iDefense have also published an
        advisory [4] regarding this vulnerability.

      o CVE-2007-4573: "The IA32 system call emulation functionality in
        Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the
        x86_64 architecture, does not zero extend the eax register after
        the 32bit entry path to ptrace is used, which might allow local
        users to gain privileges by triggering an out-of-bounds access to
        the system call table using the %RAX register." [5]

      o CVE-2007-5087: "The ATM module in the Linux kernel before
        2.4.35.3, when CLIP support is enabled, allows local users to
        cause a denial of service (kernel panic) by reading
        /proc/net/atm/arp before the CLIP module has been loaded." [6]

MITIGATION:

      Upgrade to the current stable kernel versions: 2.4.35.3 and
      2.6.22.9.

REFERENCES:

      [1] National Vulnerability Database
          http://nvd.nist.gov/

      [2] National Vulnerability Database (CVE-2007-0997)
          http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0997

      [3] National Vulnerability Database (CVE-2007-4571)
          http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4571

      [4] Linux Kernel ALSA snd_mem_proc_read Information Disclosure
          Vulnerability
          http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=600

      [5] National Vulnerability Database (CVE-2007-4573)
          http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4573

      [6] National Vulnerability Database (CVE-2007-5087)
          http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5087

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
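The version bounds quoted in the IMPACT and MITIGATION sections can be turned into a quick triage check on a `uname -r` string. The Python below is an added example, not part of the AusCERT advisory; the function names are illustrative, and it assumes upstream version numbers, applies CVE-2007-4571 to the 2.6 branch and CVE-2007-5087 to the 2.4 branch only, and uses the MITIGATION version 2.4.35.3 as the 2.4 bound for CVE-2007-4573.

```python
import re

# Bounds copied from the advisory text. Comparison is on the upstream version
# only: distribution kernels often backport fixes without changing it, so a
# match means "check the vendor changelog", not proof of exposure.
FIXED = {(2, 4): (2, 4, 35, 3), (2, 6): (2, 6, 22, 9)}  # MITIGATION section


def parse_release(release):
    """Turn a `uname -r` string such as '2.6.22.6-smp' into (2, 6, 22, 6)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # A missing fourth component (e.g. '2.6.18-8.el5') is treated as 0.
    return tuple(int(g or 0) for g in m.groups())


def assess(release, arch="x86_64"):
    """Return (needs_upgrade, sorted CVEs whose stated version range matches)."""
    v = parse_release(release)
    branch = v[:2]
    hits = set()
    # CVE-2007-0997: "2.6.17 through 2.6.17.6"
    if (2, 6, 17, 0) <= v <= (2, 6, 17, 6):
        hits.add("CVE-2007-0997")
    # CVE-2007-4571: "before 2.6.22.8" (assumption: 2.6 branch only)
    if branch == (2, 6) and v < (2, 6, 22, 8):
        hits.add("CVE-2007-4571")
    # CVE-2007-4573: x86_64 only; the 2.4 bound is an assumption (see lead-in)
    if arch == "x86_64" and (
        (branch == (2, 4) and v < (2, 4, 35, 3))
        or (branch == (2, 6) and v < (2, 6, 22, 7))
    ):
        hits.add("CVE-2007-4573")
    # CVE-2007-5087: "before 2.4.35.3"; also needs CLIP support (not checked)
    if branch == (2, 4) and v < (2, 4, 35, 3):
        hits.add("CVE-2007-5087")
    fixed = FIXED.get(branch)
    return (fixed is not None and v < fixed), sorted(hits)


if __name__ == "__main__":
    # Constructed sample release strings, not taken from the advisory.
    for rel in ("2.6.17.4", "2.6.22.7-smp", "2.6.22.9", "2.4.35.2"):
        print(rel, assess(rel))
```
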