[AG-TECH] Fwd: Linux kernel IGMP vulnerabilities
Markus Buchhorn
Markus.Buchhorn at anu.edu.au
Wed Dec 22 04:58:36 CST 2004
For info... Since many of us here are interested in multicast, it's slightly relevant :-)
>===========================================================================
> AUSCERT External Security Bulletin Redistribution
>
> ESB-2004.0812 -- Linux kernel IGMP vulnerabilities
> 22 December 2004
>
>===========================================================================
>
> AusCERT Security Bulletin Summary
> ---------------------------------
>
>Product: Linux kernel 2.4 version 2.4.28 and prior
> Linux kernel 2.6 version 2.6.9 and prior
>Operating System: Linux variants
>Impact: Root Compromise
> Access Confidential Data
> Denial of Service
>Access: Existing Account
> Remote/Unauthenticated
>CVE Names: CAN-2004-1137
>
>- --------------------------BEGIN INCLUDED TEXT--------------------
>
>PROBLEM:
>
> Two vulnerabilities in the IGMP (Internet Group Management Protocol)
> code in the Linux kernel allow local privilege elevation and remote
> denial of service under conditions described below.
>
> 1. The ip_mc_source() function is part of the user API for IGMP. Due to
> an incorrectly validated parameter, a program running as an
> unprivileged user is able to overwrite kernel memory.
>
> 2. When an IGMP group query packet is accepted from the network, its
> contents are not validated properly, allowing a malformed packet to
> cause remote denial of service.
>
>
>VERSIONS:
>
> 2.6 kernel versions 2.6.9 and prior are vulnerable.
> 2.4 kernel versions 2.4.28 and prior are also vulnerable.
> 2.2.x kernels are not vulnerable.
>
>
>IMPACT:
>
> 1. On SMP systems, this vulnerability allows executing arbitrary code
> in kernel mode, allowing root compromise.
>
> On non-SMP systems this is most likely not possible, so the impact
> is limited to local denial of service.
>
> This vulnerability in conjunction with the ip_mc_?sfget() functions
> also allows reading of blocks of kernel memory, which may contain
> sensitive information such as passwords.
>
> 2. The second vulnerability allows remote denial of service, if some
> application on the system is using a multicast socket.
> If the files /proc/net/igmp and /proc/net/mcfilter both exist and
> are non-empty, then the system is vulnerable to this second
> vulnerability.
>
> More information is available in the original advisory. [1]
>
>
>MITIGATION:
>
> No official patch is yet available for this vulnerability.
>
> Until a patch is available, AusCERT recommends that system
> administrators restrict logon access to vulnerable systems, and
> consider adding a firewall rule to block inbound IGMP packets
> (IP protocol number 2).
>
>
>REFERENCES:
>
> [1] Linux kernel IGMP vulnerabilities
> http://isec.pl/vulnerabilities/isec-0018-igmp.txt
Markus Buchhorn, ANU Internet Futures | Ph: +61 2 61258810
Markus.Buchhorn at anu.edu.au | Fx: +61 2 61259805
The Australian National University, Canberra 0200 | Mob: 0417 281429
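As an added example (not part of the AusCERT bulletin or the iSEC advisory), a small POSIX shell script that applies the affected version ranges and the /proc indicator stated in the bulletin; the function names and the sample file contents used for testing are my own construction.

```shell
#!/bin/sh
# Added example: classify a kernel version against the ranges in the bulletin
# (2.6.x with x <= 9 and 2.4.x with x <= 28 vulnerable, 2.2.x not) and test the
# /proc indicator for the remote DoS exposure. File paths are parameters so the
# check can be exercised on constructed files as well as on the live /proc.

# kernel_vulnerable VERSION -> prints yes, no or unknown
kernel_vulnerable() {
    ver=${1%%-*}                           # drop a "-release" suffix, e.g. 2.6.9-ac11
    maj=$(printf '%s' "$ver" | cut -d. -f1)
    min=$(printf '%s' "$ver" | cut -d. -f2)
    pat=$(printf '%s' "$ver" | cut -d. -f3)
    pat=${pat:-0}                          # "2.6" alone means 2.6.0
    case "$maj.$min" in
        2.2) echo no ;;
        2.4) [ "$pat" -le 28 ] && echo yes || echo no ;;
        2.6) [ "$pat" -le 9 ]  && echo yes || echo no ;;
        *)   echo unknown ;;               # outside the ranges the bulletin names
    esac
}

# mcast_exposed IGMP_FILE MCFILTER_FILE -> yes when both exist and are non-empty,
# the bulletin's indicator that some application holds a multicast socket.
mcast_exposed() {
    if [ -s "$1" ] && [ -s "$2" ]; then echo yes; else echo no; fi
}

# report_live: run both checks against the running system.
report_live() {
    echo "kernel $(uname -r): vulnerable=$(kernel_vulnerable "$(uname -r)")"
    echo "multicast socket in use: $(mcast_exposed /proc/net/igmp /proc/net/mcfilter)"
    # Interim mitigation named in the bulletin (IP protocol 2):
    #   iptables -A INPUT -p igmp -j DROP
}

if [ "${1:-}" = "--live" ]; then report_live; fi
```

Run with `--live` to check the local host. Dropping all inbound IGMP also stops the host from seeing membership queries, so hosts that depend on multicast need the kernel fix rather than the firewall rule.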