SecurityTracker.com
SecurityTracker Archives

Category:   OS (Linux)  >   Kernel execve
Vendors:   kernel.org
Linux 2.4 Kernel execve() Access Control Flaw May Let Local Users Access File Descriptors
SecurityTracker Alert ID:  1007249
SecurityTracker URL:  http://securitytracker.com/id/1007249
CVE Reference:   CVE-2003-0476
Updated:  Dec 5 2003
Original Entry Date:  Jul 22 2003
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  
Version(s): 2.4.20
Description:   An access control vulnerability was reported in the Linux 2.4 kernel. A local user may be able to gain access to restricted file descriptors.

It is reported that execve() records the file descriptor it used to open the new executable in the calling process's file table, so the descriptor remains open in the resulting process. A local user may be able to gain access to an otherwise restricted file descriptor.

Impact:   A local user may be able to gain read access to file descriptors.
Solution:   It is not clear if an upstream fix is available yet. Fixes for individual kernel distributions are pending. Check the Message History for fixes from various kernel vendors.
Vendor URL:  www.kernel.org/
Cause:   Access control error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 22 2003 (Red Hat Issues Fix) Linux 2.4 Kernel execve() Access Control Flaw May Let Local Users Access File Descriptors
Red Hat has released a fix.
Dec 5 2003 (Conectiva Issues Fix) Linux 2.4 Kernel execve() Access Control Flaw May Let Local Users Access File Descriptors
Conectiva has released a fix.
Dec 19 2003 (Red Hat Issues Fix for RH Enterprise Linux) Linux 2.4 Kernel execve() Access Control Flaw May Let Local Users Access File Descriptors
Red Hat has released a fix.
Dec 19 2003 (Red Hat Issues Fix for IA64 RH Enterprise) Linux 2.4 Kernel execve() Access Control Flaw May Let Local Users Access File Descriptors
Red Hat has released a fix for Red Hat Enterprise Linux IA64 architecture.

Source Message Contents

Subject:  Linux 2.4 Kernel Vulnerabilities


Red Hat reported the following security vulnerabilities in the Linux 2.4 Kernel:

CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts
for serial links.  This could be used by a local attacker to infer password
lengths and inter-keystroke timings during password entry.

CAN-2003-0462: Paul Starzetz discovered a file read race condition existing
in the execve() system call, which could cause a local crash.

CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets.  Olaf Kirch noticed that this could allow normal
users to bind to UDP ports used for services such as nfsd.

CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
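The descriptor leak described for CAN-2003-0476 leaves a freshly exec'd process holding an open descriptor to its own binary, something a fixed kernel does not do. The following script is an added example of the check a defender or distribution maintainer could run to verify a kernel's behaviour; it is not code from the advisory, from Red Hat or from kernel.org. The function names, the `/proc` walk and the constructed sample fd tables are assumptions of this example. The core check is a pure function over an fd-to-path map, so it can be exercised offline; `audit_process` applies it to a live Linux process by reading `/proc/<pid>/fd` and `/proc/<pid>/exe`.

```python
"""
Audit a process's file descriptor table for descriptors that refer to the
process's own executable.  On a kernel affected by CAN-2003-0476, execve()
leaves the descriptor it used to open the new image in the calling process's
file table, so the exec'd process holds an fd to its own binary.  On a fixed
kernel no such descriptor should normally be present.  Added example; helper
names and the sample tables below are constructed, not taken from the advisory.
"""
import os
import sys
from typing import Dict, List


def leaked_exe_fds(exe_path: str, fd_targets: Dict[int, str]) -> List[int]:
    """Return the descriptors in fd_targets that resolve to exe_path.

    fd_targets maps fd number -> the path the fd resolves to (what readlink
    on /proc/<pid>/fd/<n> returns).  Every other descriptor is ignored, since
    a program legitimately holds many unrelated fds.  A program that opens
    /proc/self/exe on purpose would also match, so treat a hit as something
    to confirm against the program's source, not as proof by itself.
    """
    return sorted(fd for fd, target in fd_targets.items() if target == exe_path)


def read_fd_table(pid: str = "self") -> Dict[int, str]:
    """Build the fd -> target map for a live process from /proc (Linux only)."""
    fd_dir = f"/proc/{pid}/fd"
    table: Dict[int, str] = {}
    for name in os.listdir(fd_dir):
        try:
            table[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir() and readlink()
    return table


def audit_process(pid: str = "self") -> List[int]:
    """Audit a live process; returns the fds that refer to its executable."""
    exe_path = os.readlink(f"/proc/{pid}/exe")
    return leaked_exe_fds(exe_path, read_fd_table(pid))


# Constructed sample tables.  The "affected" table models what an affected
# kernel would leave behind: fds 0-2 are the usual terminal descriptors and
# fd 3 still points at the binary that execve() loaded.  The "clean" table
# models a fixed kernel, where only the inherited descriptors remain.
SAMPLE_EXE = "/usr/local/bin/example-tool"  # placeholder path
SAMPLE_AFFECTED_FDS = {
    0: "/dev/pts/0",
    1: "/dev/pts/0",
    2: "/dev/pts/0",
    3: SAMPLE_EXE,
}
SAMPLE_CLEAN_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}

if __name__ == "__main__":
    target_pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    leaked = audit_process(target_pid)
    if leaked:
        print(f"process {target_pid}: executable still open on fd(s) {leaked}")
    else:
        print(f"process {target_pid}: no descriptor to the executable found")
```

Run it with no argument to audit the interpreter itself, or pass a PID to inspect another process you own. Reading another user's `/proc/<pid>/fd` requires the same privilege as ptrace, so a fleet-wide sweep is best run as root from a configuration-verification job rather than from an unprivileged shell.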

CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain
sensitive information by opening various entries in /proc/self before
executing a setuid program.  This causes the program to fail to change the
ownership and permissions of already opened entries.

CAN-2003-0550: The STP protocol is known to have no security, which could
allow attackers to alter the bridge topology.  STP is now turned off by
default.

CAN-2003-0551: STP input processing was lax in its length checking, which
could lead to a denial of service.

CAN-2003-0552: Jerry Kreuscher discovered that the forwarding table could
be spoofed by sending forged packets whose bogus source addresses match
those of the local host.

Red Hat issued fixed versions based on the 2.4.20 kernel.  It is not clear which upstream 
kernel version(s) contain these fixes.  See the Red Hat advisory RHSA-2003:238-01 for 
information on the Red Hat fixes.

Copyright 2022, SecurityGlobal.net LLC