-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2011-0021
Multiple Linux Kernel Vulnerabilities [1,2,3]

Version history:
25.11.2011 Initial publication

Summary
=======

The Linux kernel is prone to multiple 'hardlink' stack-based buffer-overflow
vulnerabilities [1] and multiple integer-overflow vulnerabilities [2] because
of a failure to properly bounds-check user-supplied input. Specifically,
hardlink fails to properly handle deeply nested directories. Attackers may
leverage these issues to execute arbitrary code in the context of the
application. Failed attacks will cause denial-of-service conditions.

The Linux kernel is also prone to an unauthorized-access vulnerability [3].
This issue occurs because the 'kvm_vm_ioctl_assign_device()' function failed
to check the privileges of the user requesting the assignment. An attacker
with authenticated access to the affected application can exploit this issue
to load arbitrary modules on the affected computer. Failed exploit attempts
will cause a denial-of-service condition.

CVE                 CVE-2011-3630 (Candidate) [1]
Severity Level[2]:  CVSS2 Base 6.8
Remote              Yes
Local               No
Credibility         Vendor Confirmed
Ease                No Exploit Available
Authentication      Required

CVE                 CVE-2011-3631 (Candidate) [2]
Severity Level[2]:  CVSS2 Base 6.8
Remote              Yes
Local               No
Credibility         Vendor Confirmed
Ease                No Exploit Available
Authentication      Not Required

CVE                 CVE-2011-4347 (Candidate) [3]
Severity Level[2]:  CVSS2 Base 6.5
Remote              Yes
Local               No
Credibility         Vendor Confirmed
Ease                Exploits Available
Authentication      Required

Potential impact
================

Scenario 1: (CVE-2011-3630 and CVE-2011-3631)

1. An attacker creates a directory tree designed to leverage the issue and
   to perform some action on their behalf.
2. The attacker sends the information to an unsuspecting victim and entices
   them to run the hardlink program on the tree.
3. The application fails to properly handle the malformed data, and a buffer
   is overflowed.
A successful exploit will result in attacker-supplied code running with the
privileges of the victim.

Scenario 2: (CVE-2011-4347)

1. An attacker locates a computer running a vulnerable version of the
   application.
2. The attacker acquires authenticated access to the affected application as
   a local user, '/dev/kvm' being set to mode 666.
3. The attacker retains this capability and can then perform privileged
   actions on the vulnerable system.

Successful exploits may lead to other attacks.

Vulnerable Systems
==================

Among others:
Linux kernel 2.4.x.x - 2.6.x.x (see references for details [1,2,3])

What can you do?
================

Solutions: Fixes are available.

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to
be cautious about following links to sites provided by unfamiliar or
suspicious sources. Users should not click on links in suspicious e-mails and
should immediately forward any suspicious e-mail to the IT security officer /
contact in your institution.
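Two host-side audit checks follow the two scenarios above. They are an added example written for this page, not a script from CERT-EU or from the kernel or hardlink projects. The first check flags a '/dev/kvm' device node whose mode grants write access to "other" (the 666 setting named in Scenario 2); the second measures how deeply an untrusted directory tree nests before any tool such as hardlink walks it (Scenario 1). The depth limit `MAX_DEPTH=64` is an assumption chosen for the example, not a value from the advisory, and `stat -c '%a'` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not part of the CERT-EU advisory.
# Audit helpers for the two scenarios in the advisory:
#   world_writable MODE     -> exit 0 if the octal MODE's "other" digit has the write bit
#   kvm_device_check [PATH] -> exit 0 if PATH (default /dev/kvm) is absent or not world-writable
#   tree_max_depth DIR      -> print the deepest directory nesting level under DIR
#   check_tree_depth DIR [LIMIT] -> exit 0 if the tree nests no deeper than LIMIT

MAX_DEPTH=64   # assumed threshold for this example; tune to your environment

# Exit 0 when the last octal digit (permissions for "other") includes write (bit 2).
world_writable() {
    mode=$1
    other=${mode#"${mode%?}"}        # last character of e.g. "666" or "4755"
    case "$other" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Exit 1 (with a warning) when the KVM device node is world-writable.
kvm_device_check() {
    dev=${1:-/dev/kvm}
    [ -e "$dev" ] || return 0        # no device node: nothing to expose
    mode=$(stat -c '%a' "$dev")      # GNU stat: numeric mode such as 660 or 666
    if world_writable "$mode"; then
        echo "WARN: $dev has mode $mode (world-writable)" >&2
        return 1
    fi
    return 0
}

# Print the maximum number of directory levels below DIR (DIR itself is 0).
tree_max_depth() {
    base=$1
    find "$base" -type d | while IFS= read -r p; do
        rel=${p#"$base"}             # path relative to the base directory
        # depth = number of "/" separators in the relative path
        echo $(( $(printf '%s' "$rel" | tr -cd '/' | wc -c) ))
    done | sort -n | tail -n 1
}

# Exit 1 (with a warning) when DIR nests deeper than LIMIT (default MAX_DEPTH).
check_tree_depth() {
    dir=$1
    limit=${2:-$MAX_DEPTH}
    depth=$(tree_max_depth "$dir")
    if [ "$depth" -gt "$limit" ]; then
        echo "WARN: $dir nests $depth levels deep (limit $limit)" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage:  sh audit.sh audit [/path/to/untrusted/tree]
if [ "${1:-}" = "audit" ]; then
    kvm_device_check /dev/kvm && echo "OK: /dev/kvm is not world-writable"
    if [ -n "${2:-}" ]; then
        check_tree_depth "$2" && echo "OK: $2 is within the depth limit"
    fi
fi
```

A tree that fails `check_tree_depth` should be inspected, or unpacked with a depth-limiting tool, before any utility that recurses into it is run on an unpatched host; a world-writable '/dev/kvm' should have its mode tightened (for example to a dedicated `kvm` group) until the fixed kernel is installed.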
More information
================

[1] https://bugzilla.redhat.com/show_bug.cgi?id=746709
[2] https://bugzilla.redhat.com/show_bug.cgi?id=746710
[3] https://bugzilla.redhat.com/show_bug.cgi?id=756084

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJOz42pOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4Oqrg/9ES6miQUv
lVrGjLStt7e/JOGHSS0YrcIKMxUZ1BDT8tX9lptr1uu3aSr7M1xoyo92o7yVazc3
0lCnX1pyz8mITTjhpSSQrFz+VVuvdB4iIwflq4NIB+NJjXj1E1oNHXAPY6e1dqBv
o0TtP8sXslCOWve67sJhbH5Xnc1hQTYu9Y2Wx2ykkur7+LAJId3jPm+v9lgFTHNd
uT8PuBFJF438yHbK10/TmnTMlwRoxEgBlSs4lw/VH7uhK8GgeAxOp83j78fkHtJ8
LenAAPntILfqWxhFh92ldYhXWkmnhKdfgTANriRWpVlL1Nn+sVeFSkWJYFZK12av
YNwytIQY2ADGmh0VSDxu47io2JJf7gT53rXcCl9wx5i9nnvO/4JxGj3PPvhAWi7k
i/VgvntTlGIBSULdSQhokIaSHsxb12GZFRNFZqoGRYt1OFHvWdvWr6ZJVtSsQ+mJ
tyXeMTGfziGKw7z1AbLN5Tq8UNUAxwe5X4omoOIQCZ5W0DBvp5txzjytBU9LHCFS
OIg/7G5ga2oYYJjzPKcJdW8jThJ0ApS/3tzqzy0rEry41F4Oc2KpDIQ4tFQOJl60
unwJRAnv9xbA56Lmw5fn3w+WWQW2Lycxf+O6OJIJuJiFAsyRY4u1Ype+H3x5b8Gm
74qrN8mwa3waaAPmm9mPDfhcHJFokP93Wxw=
=39+z
-----END PGP SIGNATURE-----