[AG-TECH] Fwd: Linux kernel IGMP vulnerabilities

Markus Buchhorn Markus.Buchhorn at anu.edu.au
Wed Dec 22 04:58:36 CST 2004


For info... Since many of us here are interested in multicast, it's slightly relevant :-) 

>===========================================================================
>             AUSCERT External Security Bulletin Redistribution
>
>            ESB-2004.0812 -- Linux kernel IGMP vulnerabilities
>                             22 December 2004
>
>===========================================================================
>
>        AusCERT Security Bulletin Summary
>        ---------------------------------
>
>Product:           Linux kernel 2.4 version 2.4.28 and prior
>                   Linux kernel 2.6 version 2.6.9 and prior
>Operating System:  Linux variants
>Impact:            Root Compromise
>                   Access Confidential Data
>                   Denial of Service
>Access:            Existing Account
>                   Remote/Unauthenticated
>CVE Names:         CAN-2004-1137
>
>- --------------------------BEGIN INCLUDED TEXT--------------------
>
>PROBLEM:  
>
>        Two vulnerabilities in the IGMP (Internet Group Management Protocol) 
>        code in the Linux kernel allow local privilege elevation and remote
>        denial of service under conditions described below.
>
>        1. The ip_mc_source() function is part of the user API for IGMP. Due to
>           an incorrectly validated parameter, a program running as an 
>           unprivileged user is able to overwrite kernel memory.
>
>        2. When an IGMP group query packet is accepted from the network, its 
>           contents are not validated properly, allowing a malformed packet to
>           cause remote denial of service.
>
>
>VERSIONS:
>
>        2.6 kernel versions 2.6.9 and prior are vulnerable.
>        2.4 kernel versions 2.4.28 and prior are also vulnerable.
>        2.2.x kernels are not vulnerable.
>
>
>IMPACT:
>
>        1. On SMP systems, this vulnerability allows executing arbitrary code 
>           in kernel mode, allowing root compromise. 
>
>           On non-SMP systems this is most likely not possible, so the impact
>           is limited to local denial of service.
>
>           This vulnerability in conjunction with the ip_mc_?sfget() functions 
>           also allows reading of blocks of kernel memory, which may contain 
>           sensitive information such as passwords.
>
>        2. The second vulnerability allows remote denial of service, if some 
>           application on the system is using a multicast socket.
>           If the files /proc/net/igmp and /proc/net/mcfilter both exist and
>           are non-empty, then the system is vulnerable to this second 
>           vulnerability.
>
>        More information is available in the original advisory. [1]
>
>
>MITIGATION: 
>
>        No official patch is yet available for this vulnerability. 
>
>        Until a patch is available, AusCERT recommends that system 
>        administrators restrict logon access to vulnerable systems, and 
>        consider adding a firewall rule to block inbound IGMP packets
>        (IP protocol number 2).
>
>
>REFERENCES:
>        
>        [1] Linux kernel IGMP vulnerabilities
>            http://isec.pl/vulnerabilities/isec-0018-igmp.txt


Markus Buchhorn, ANU Internet Futures             |Ph: +61 2 61258810
Markus.Buchhorn at anu.edu.au                        |Fx: +61 2 61259805
The Australian National University, Canberra 0200 |Mob: 0417 281429
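As an added triage helper, not part of the forwarded AusCERT bulletin, the iSEC advisory it cites, or Markus's mail: a POSIX shell script that applies the advisory's own criteria from a defender's side. It checks a kernel release string against the VERSIONS ranges, implements the "/proc/net/igmp and /proc/net/mcfilter both exist and are non-empty" indicator from the IMPACT section, and prints (without running) the inbound-IGMP firewall rule the MITIGATION section suggests. The function names are mine, iptables and an interface named eth0 are assumptions, and the file paths are parameters so the checks can be exercised on constructed sample files as well as the live /proc.

```shell
#!/bin/sh
# Added triage helper for ESB-2004.0812 / CAN-2004-1137. Not part of the
# forwarded bulletin or the iSEC advisory; function names are the editor's
# own, and iptables plus an interface called eth0 are assumptions.

# Return 0 when a kernel release string falls inside the range the advisory
# lists as vulnerable: 2.4.x with x <= 28, or 2.6.x with x <= 9.
# 2.2.x and every other series return 1 (not affected by this advisory).
kernel_in_affected_range() {
    release="$1"
    # Keep only the leading "major.minor.patch", dropping distribution
    # suffixes such as "-1.667smp" or "-rc1".
    base=$(printf '%s' "$release" |
        sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/')
    # Anything without three numeric components is not a release we can judge.
    case "$base" in
        *.*.*) ;;
        *) return 1 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        2.4) [ "$patch" -le 28 ] ;;
        2.6) [ "$patch" -le 9 ] ;;
        *)   return 1 ;;
    esac
}

# Return 0 (shell "true") when both indicator files exist and are non-empty,
# which the advisory gives as the sign of an active multicast socket and thus
# of exposure to the remote IGMP denial of service. Paths default to the
# live /proc entries; pass alternatives to run against sample files.
multicast_exposed() {
    igmp_file="${1:-/proc/net/igmp}"
    mcfilter_file="${2:-/proc/net/mcfilter}"
    [ -s "$igmp_file" ] && [ -s "$mcfilter_file" ]
}

# Print, without executing, the inbound filter the advisory suggests: drop
# IGMP (IP protocol number 2, which iptables also accepts by name) arriving
# on the given interface. iptables itself is an assumption here.
igmp_block_rule() {
    iface="${1:-eth0}"
    printf 'iptables -A INPUT -i %s -p igmp -j DROP\n' "$iface"
}

# Stand-alone run: report on the running kernel and the live /proc files.
running=$(uname -r)
if kernel_in_affected_range "$running"; then
    echo "kernel $running: inside the advisory's affected range"
else
    echo "kernel $running: outside the advisory's affected range"
fi
if multicast_exposed; then
    echo "active multicast socket detected: exposed to the remote IGMP DoS"
    echo "candidate mitigation: $(igmp_block_rule eth0)"
else
    echo "no active multicast socket detected by the advisory's /proc test"
fi
```

Two practical notes. The version check only encodes what the bulletin states, so a distribution kernel that has the fix backported will still be reported as in range; treat the result as a prompt to check the vendor's patch status, not as a verdict. And the firewall rule does exactly what the advisory says, blocks all inbound IGMP, which on a multicast-using host (the audience of this list) also blocks the querier's membership queries, so the host's group memberships will time out on the upstream router and multicast delivery will stop; it is a stop-gap for systems that can tolerate losing multicast until a patched kernel is installed.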



