__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Red Hat Updated 2.4 Kernel Fixes Vulnerabilities
[Red Hat Security Advisory RHSA-2003:238-14]

July 21, 2003 23:00 GMT                                   Number N-122
______________________________________________________________________________
PROBLEM:       There are several security vulnerabilities affecting the
               Linux kernel.
PLATFORM:      Red Hat Linux 7.1, 7.2, 7.3, 8.0, 9
DAMAGE:        Two of the most serious vulnerabilities are:
               1) The /proc/tty/driver/serial reveals the exact character
                  counts for serial links. This could be used by a local
                  attacker to infer password lengths and inter-keystroke
                  timings during password entry.
               2) The /proc filesystem allows local users to obtain
                  sensitive information by opening various entries in
                  /proc/self before executing a setuid program. This causes
                  the program to fail to change the ownership and
                  permissions of already opened entries.
SOLUTION:      Apply updated kernel packages as stated in Red Hat's advisory.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The vulnerabilities may allow local users
ASSESSMENT:    to obtain sensitive information.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-122.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2003-238.html
______________________________________________________________________________

[***** Start Red Hat Security Advisory RHSA-2003:238-14 *****]

Updated 2.4 kernel fixes vulnerabilities

Advisory:          RHSA-2003:238-14
Last updated on:   2003-07-21
Affected Products: Red Hat Linux 7.1
                   Red Hat Linux 7.2
                   Red Hat Linux 7.3
                   Red Hat Linux 8.0
                   Red Hat Linux 9
CVEs (cve.mitre.org): CAN-2003-0461
                      CAN-2003-0462
                      CAN-2003-0476
                      CAN-2003-0501
                      CAN-2003-0550
                      CAN-2003-0551
                      CAN-2003-0552

Security Advisory

Details:

Updated kernel packages are now available fixing several security
vulnerabilities.

The Linux kernel handles the basic functions of the operating system.

Several security issues have been discovered affecting the Linux kernel:

CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts
for serial links. This could be used by a local attacker to infer password
lengths and inter-keystroke timings during password entry.

CAN-2003-0462: Paul Starzetz discovered a file read race condition existing
in the execve() system call, which could cause a local crash.

CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that this could allow normal users
to bind to UDP ports used for services such as nfsd.

CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.

CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain
sensitive information by opening various entries in /proc/self before
executing a setuid program. This causes the program to fail to change the
ownership and permissions of already opened entries.

CAN-2003-0550: The STP protocol is known to have no security, which could
allow attackers to alter the bridge topology. STP is now turned off by
default.

CAN-2003-0551: STP input processing was lax in its length checking, which
could lead to a denial of service.

CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be
spoofed by sending forged packets with bogus source addresses the same as
the local host.

All users are advised to upgrade to these errata packages, which contain
backported security patches correcting these vulnerabilities.

Important: If you use Red Hat Linux 7.1, you must have installed
quota-3.06-9.71 from RHSA-2003-187, and if you use Red Hat Linux 7.2 or 7.3,
you must have installed quota-3.06-9.7 from RHSA-2003-187.

Updated packages:

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To use Red Hat Network to upgrade the kernel, launch the Red Hat Update
Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly if you are using the default configuration of up2date.

To install kernel packages manually, use "rpm -ivh " and modify system
settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if you
have chosen to use LILO as your boot loader, edit /etc/lilo.conf and run
lilo).

Do not use "rpm -Uvh" as that will remove your running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after determining
that the new kernel functions properly on your system.

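A check for the manual-install step above, added here as an example and not part of the Red Hat or CIAC text: it reads a GRUB (legacy) grub.conf and reports whether the default entry boots the updated kernel. The function names, the sample file and the older 2.4.20-8 entry are constructed for illustration; 2.4.20-19.9 is the Red Hat Linux 9 package version from this advisory.

```shell
# Added example: does the GRUB (legacy) default entry boot the patched kernel?
# Print the kernel image path of the default entry; entries count from 0.
grub_default_kernel() {
    awk '
        BEGIN { idx = -1; def = 0 }        # entry 0 is used when default is unset
        /^[ \t]*#/ { next }
        /^[ \t]*default[ \t=]/ {
            sub(/^[ \t]*default[ \t=]+/, "")
            if ($1 ~ /^[0-9]+$/) { def = $1 } else { bad = 1 }   # e.g. "default saved"
            next
        }
        /^[ \t]*title[ \t]/  { idx++; next }
        /^[ \t]*kernel[ \t]/ { if (idx >= 0) kern[idx] = $2 }
        END { if (bad || !(def in kern)) exit 1; print kern[def] }
    ' "$1"
}

# 0: default boots vmlinuz-<version>; 1: it boots another kernel; 2: unresolved.
boots_patched_kernel() {   # $1 = expected version, $2 = path to grub.conf
    k=$(grub_default_kernel "$2") || return 2
    case "$k" in
        */vmlinuz-"$1") return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample file; 2.4.20-8 stands in for an older, unpatched kernel.
write_sample() {           # $1 = output path, $2 = value for default=
    cat > "$1" <<EOF
default=$2
timeout=10
title Red Hat Linux (2.4.20-19.9)
    root (hd0,0)
    kernel /vmlinuz-2.4.20-19.9 ro root=LABEL=/
    initrd /initrd-2.4.20-19.9.img
title Red Hat Linux (2.4.20-8)
    root (hd0,0)
    kernel /vmlinuz-2.4.20-8 ro root=LABEL=/
    initrd /initrd-2.4.20-8.img
EOF
}

tmp=$(mktemp)
write_sample "$tmp" 1
boots_patched_kernel 2.4.20-19.9 "$tmp" ||
    echo "default entry boots $(grub_default_kernel "$tmp"), not 2.4.20-19.9"
rm -f "$tmp"
```

With default=1 the sample still boots the older kernel even though the updated package is installed, which is the case the "default=0" instruction addresses.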
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0552

--------------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:
http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following
command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End Red Hat Security Advisory RHSA-2003:238-14 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or product
endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-112: Red Hat Updated PHP Packages Fix Bugs
N-113: Sun Buffer Overflow in LDAP Name Service
N-114: Buffer Overrun in Microsoft HTML Converter Could Allow Code Execution
N-115: Buffer Overrun in Microsoft Windows Could Lead to Data Corruption
N-116: Flaw in Microsoft Windows Message Handling through Utility Manager Could Enable Privilege Elevation
N-117: Microsoft RPC Interface Buffer Overrun Vulnerability
N-118: Cisco IOS Interface Blocked by IPv4 Packet
N-119: Microsoft Internet Security and Acceleration (ISA) Server Error Pages Could Allow Cross-Site Scripting Attack
N-120: Unchecked Buffer in Microsoft Windows Shell Could Enable System Compromise
N-121: Red Hat Updated Mozilla Packages Fix Security Vulnerability