__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

  Red Hat Updated 2.4 Kernel Fixes Privilege Escalation Security Vulnerability
  [RHSA-2003:392-05, RHSA-2003:389-07, RHSA-2003:368-11]

December 2, 2003 19:00 GMT                                        Number O-031
[REVISED 2 Dec 2003 21:30 GMT]
[REVISED 15 Jan 2004]
[REVISED 19 Feb 2004]
[REVISED 02 Mar 2004]
______________________________________________________________________________

PROBLEM:       There is a flaw in bounds checking in the do_brk() function in
               the Linux kernel versions 2.4.22 and previous.

PLATFORM:      Red Hat Linux 7.1, 7.2, 7.3, 8.0, 9 (see: RHSA-2003:392-05)
               Red Hat Enterprise Linux AS (v.2.1) (see: RHSA-2003:389-07)
               Red Hat Enterprise Linux ES (v.2.1) (see: RHSA-2003:389-07)
               Red Hat Enterprise Linux WS (v.2.1) (see: RHSA-2003:389-07)
               Red Hat Linux Advanced Workstation (v.2.1) for Itanium
               (see: RHSA-2003:368-11)
               Debian GNU/Linux 3.0 (woody)
                 Kernel-image-23434-ia64
                 Linux-kernel-2.4.16-arm (see: DSA-439-1)
                 Linux-kernel-2.4.17-powerpc-apus (see: DSA-440-1)
                 Linux-kernel-2.4.19-mips (see: DSA-450-1)

DAMAGE:        A local attacker can gain root privileges.

SOLUTION:      Apply the appropriate patch.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. A local attacker can gain root privileges.
ASSESSMENT:    This issue is known to be exploitable; an exploit has been seen
               in the wild that takes advantage of this vulnerability.
______________________________________________________________________________

LINKS:
  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-031.shtml

  ORIGINAL BULLETINS:
    Red Hat RHSA-2003:392-05
      https://rhn.redhat.com/errata/RHSA-2003-392.html
    Red Hat RHSA-2003:389-07 - Enterprise Linux products
      https://rhn.redhat.com/errata/RHSA-2003-389.html
    Red Hat RHSA-2003:368-11 - Linux Advanced Workstation products
      https://rhn.redhat.com/errata/RHSA-2003-368.html

  ADDITIONAL LINKS:
    Debian Security Advisory DSA-423
      http://www.debian.org/security/2004/dsa-423
    Debian Security Advisory DSA-439-1 2.4.16-arm
      http://www.debian.org/security/2004/dsa-439
    Debian Security Advisory DSA-440-1 2.4.17-powerpc-apus
      http://www.debian.org/security/2004/dsa-440
    Debian Security Advisory DSA-442-1 2.4.17-s390
      http://www.debian.org/security/2004/dsa-442
    Debian Security Advisory DSA-450-1 linux-kernel-2.4.19-mips
      http://www.debian.org/security/2004/dsa-450

  CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
    CVE-2003-0961
    CVE-2003-0476
______________________________________________________________________________

REVISIONS:
  12/02/03 - Added the Enterprise Linux products to the Platforms section.
             Added an Original Bulletin link to Red Hat's advisory containing
             this information.
  12/22/03 - Added Red Hat Linux Advanced Workstation 2.1 for the Itanium
             processor to the Platforms section and added a link to
             RHSA-2003:368-11.
  01/15/04 - Added a link to Debian Security Advisory DSA-423-1 for
             Linux-kernel-2.4.17-ia64.
  02/19/04 - Added links to Debian Security Advisory DSA-439-1 for
             Linux-kernel-2.4.16-arm and DSA-440-1 for
             Linux-kernel-2.4.17-powerpc-apus.
  03/02/04 - Added links to Debian Security Advisory DSA-450-1 for
             Linux-kernel-2.4.19-mips and DSA-442-1 for
             Linux-kernel-2.4.17-s390, fixing do_brk() function
             vulnerabilities.

NOTE: RHSA-2003:389-07 contains information for Enterprise Linux platform
      fixes.
[***** Start RHSA-2003:392-05 *****]

Updated 2.4 kernel fixes privilege escalation security vulnerability

Advisory: RHSA-2003:392-05
Last updated on: 2003-12-01

Affected Products:
  Red Hat Linux 7.1
  Red Hat Linux 7.2
  Red Hat Linux 7.3
  Red Hat Linux 8.0
  Red Hat Linux 9

CVEs (cve.mitre.org): CAN-2003-0961

Security Advisory

Details:

Updated kernel packages are now available that fix a security vulnerability
leading to a possible privilege escalation.

The Linux kernel handles the basic functions of the operating system.

A flaw in bounds checking in the do_brk() function in the Linux kernel
versions 2.4.22 and previous can allow a local attacker to gain root
privileges. This issue is known to be exploitable; an exploit has been seen
in the wild that takes advantage of this vulnerability.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0961 to this issue.

All users are advised to upgrade to these errata packages, which contain a
backported security patch that corrects this vulnerability.
Important: If you use Red Hat Linux 7.1, you must have installed
quota-3.06-9.71 from RHSA-2003:187, and if you use Red Hat Linux 7.2 or 7.3,
you must have installed quota-3.06-9.7 from RHSA-2003:187.

Updated packages (each package name is followed by its md5sum):

Red Hat Linux 7.1
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.4.20-24.7.src.rpm            d820f37c791df3f59e22e0f2f4aee4a8
athlon:
  kernel-2.4.20-24.7.athlon.rpm         172f574aa6055e4ed706abf395b4a9ab
  kernel-smp-2.4.20-24.7.athlon.rpm     f7b7f5e5eafc31b541fe3a27bd48f408
i386:
  kernel-2.4.20-24.7.i386.rpm           3ae94919218a7edce005c955f6b22776
  kernel-BOOT-2.4.20-24.7.i386.rpm      6a4ab4889332208b048f4ef2fb7a190d
  kernel-doc-2.4.20-24.7.i386.rpm       b10a9aff5af4ce2cf36252fd4b0f21a0
  kernel-source-2.4.20-24.7.i386.rpm    5a88fec16c237e778518df03e62af071
i586:
  kernel-2.4.20-24.7.i586.rpm           bacae6a71188c7e5e54c4a91434c67c4
  kernel-smp-2.4.20-24.7.i586.rpm       945b720803753d1f60f6d4492b54ca6b
i686:
  kernel-2.4.20-24.7.i686.rpm           a6351fcc1a61054adf492f66da65f2d9
  kernel-bigmem-2.4.20-24.7.i686.rpm    fe052b2b749aa3d1abe449d3ea392cf9
  kernel-smp-2.4.20-24.7.i686.rpm       31128ef6e28b75ce451b4c3c00a0b1b7

Red Hat Linux 7.2
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.4.20-24.7.src.rpm            d820f37c791df3f59e22e0f2f4aee4a8
athlon:
  kernel-2.4.20-24.7.athlon.rpm         172f574aa6055e4ed706abf395b4a9ab
  kernel-smp-2.4.20-24.7.athlon.rpm     f7b7f5e5eafc31b541fe3a27bd48f408
i386:
  kernel-2.4.20-24.7.i386.rpm           3ae94919218a7edce005c955f6b22776
  kernel-BOOT-2.4.20-24.7.i386.rpm      6a4ab4889332208b048f4ef2fb7a190d
  kernel-doc-2.4.20-24.7.i386.rpm       b10a9aff5af4ce2cf36252fd4b0f21a0
  kernel-source-2.4.20-24.7.i386.rpm    5a88fec16c237e778518df03e62af071
i586:
  kernel-2.4.20-24.7.i586.rpm           bacae6a71188c7e5e54c4a91434c67c4
  kernel-smp-2.4.20-24.7.i586.rpm       945b720803753d1f60f6d4492b54ca6b
i686:
  kernel-2.4.20-24.7.i686.rpm           a6351fcc1a61054adf492f66da65f2d9
  kernel-bigmem-2.4.20-24.7.i686.rpm    fe052b2b749aa3d1abe449d3ea392cf9
  kernel-smp-2.4.20-24.7.i686.rpm       31128ef6e28b75ce451b4c3c00a0b1b7

Red Hat Linux 7.3
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.4.20-24.7.src.rpm            d820f37c791df3f59e22e0f2f4aee4a8
athlon:
  kernel-2.4.20-24.7.athlon.rpm         172f574aa6055e4ed706abf395b4a9ab
  kernel-smp-2.4.20-24.7.athlon.rpm     f7b7f5e5eafc31b541fe3a27bd48f408
i386:
  kernel-2.4.20-24.7.i386.rpm           3ae94919218a7edce005c955f6b22776
  kernel-BOOT-2.4.20-24.7.i386.rpm      6a4ab4889332208b048f4ef2fb7a190d
  kernel-doc-2.4.20-24.7.i386.rpm       b10a9aff5af4ce2cf36252fd4b0f21a0
  kernel-source-2.4.20-24.7.i386.rpm    5a88fec16c237e778518df03e62af071
i586:
  kernel-2.4.20-24.7.i586.rpm           bacae6a71188c7e5e54c4a91434c67c4
  kernel-smp-2.4.20-24.7.i586.rpm       945b720803753d1f60f6d4492b54ca6b
i686:
  kernel-2.4.20-24.7.i686.rpm           a6351fcc1a61054adf492f66da65f2d9
  kernel-bigmem-2.4.20-24.7.i686.rpm    fe052b2b749aa3d1abe449d3ea392cf9
  kernel-smp-2.4.20-24.7.i686.rpm       31128ef6e28b75ce451b4c3c00a0b1b7

Red Hat Linux 8.0
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.4.20-24.8.src.rpm            f6f49ba606d4ef1a586f99c564b2499d
athlon:
  kernel-2.4.20-24.8.athlon.rpm         2244d511620477db15996ac6ac586ce6
  kernel-smp-2.4.20-24.8.athlon.rpm     f73a9ab55bbf9cd43d83c16546a9a07a
i386:
  kernel-2.4.20-24.8.i386.rpm           6c25fc68334cde596e183532d8b3483a
  kernel-BOOT-2.4.20-24.8.i386.rpm      c79ea815774a3cf3c00c89f36b34aacb
  kernel-doc-2.4.20-24.8.i386.rpm       3b9cf1a0a8db7fd4503a56d498a23878
  kernel-source-2.4.20-24.8.i386.rpm    c21153374e1847f47d29ecf99805c064
i586:
  kernel-2.4.20-24.8.i586.rpm           35da48234c032663cd5765a15cab8169
  kernel-smp-2.4.20-24.8.i586.rpm       4dcbad37430e402267a991e1e8586586
i686:
  kernel-2.4.20-24.8.i686.rpm           000e2b216d17a64b15a81dc27c21b453
  kernel-bigmem-2.4.20-24.8.i686.rpm    062a3810a475c2dacb06c03234652e76
  kernel-smp-2.4.20-24.8.i686.rpm       a66bd9c6f6da80b26a353a99f33b5f25

Red Hat Linux 9
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.4.20-24.9.src.rpm            e68dc0c95aab8a27fbdd911925e7be0b
athlon:
  kernel-2.4.20-24.9.athlon.rpm         cd422af233db0164be1a66f69278fb0e
  kernel-smp-2.4.20-24.9.athlon.rpm     60e111499188473b79aa7fe4dfc4f553
i386:
  kernel-2.4.20-24.9.i386.rpm           e732e2ea47e5b07ad3ccebcdb9f96743
  kernel-BOOT-2.4.20-24.9.i386.rpm      f00e2c660038c2689c23d28b20da63d7
  kernel-doc-2.4.20-24.9.i386.rpm       5f14574fc6248d02ea346adbf304a881
  kernel-source-2.4.20-24.9.i386.rpm    536db3f62fb66ef96f6171c6f4788db4
i586:
  kernel-2.4.20-24.9.i586.rpm           423f4ef61689574ce915d9c393e50987
  kernel-smp-2.4.20-24.9.i586.rpm       4121d90dfacd06d266d6b920c8b3b898
i686:
  kernel-2.4.20-24.9.i686.rpm           84b5ebcabf19ed929120ecd70b3d09dc
  kernel-bigmem-2.4.20-24.9.i686.rpm    c95ab7333115db5be3a21c5d144db04b
  kernel-smp-2.4.20-24.9.i686.rpm       58a563ee017283fc7a2843d2a5888986

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To use Red Hat Network to upgrade the kernel, launch the Red Hat Update Agent
with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly if you are using the default configuration of up2date.

To install kernel packages manually, use "rpm -ivh <package>" and modify
system settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if you
have chosen to use LILO as your boot loader, edit /etc/lilo.conf and run
lilo).

Do not use "rpm -Uvh" as that will remove your running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after determining
that the new kernel functions properly on your system.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0961

Keywords: privesc
--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:
  http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com.
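As an added example (not part of the CIAC or Red Hat bulletin) of the verification step above: a POSIX sh script that checks every downloaded kernel RPM against the md5sums listed for your release and prints the "rpm -ivh" commands only when all of them match, so a missing, truncated or altered package is never installed. It assumes md5sum from coreutils is on PATH and that the manifest file holds "filename md5sum" pairs copied from the Updated packages list; rpm --checksig -v remains the stronger check because it also verifies Red Hat's GPG signature.

```shell
#!/bin/sh
# Added example, not code from the bulletin. Verify downloaded kernel RPMs
# against the bulletin's md5sums before installing them with "rpm -ivh"
# (never "rpm -Uvh", which would remove the running kernel).
# Assumes: md5sum (coreutils) on PATH; manifest lines are "filename md5sum".

# verify_manifest DIR MANIFEST
# Prints one status line per package; returns 0 only if every listed file
# exists in DIR and its md5sum equals the value from the bulletin.
verify_manifest() {
    dir=$1; manifest=$2; bad=0
    while read -r name expected; do
        [ -z "$name" ] && continue          # skip blank lines
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# install_if_verified DIR MANIFEST
# Emits the install commands (one "rpm -ivh" per package) only after
# verify_manifest succeeded; returns 1 and installs nothing otherwise.
install_if_verified() {
    if verify_manifest "$1" "$2"; then
        cut -d' ' -f1 "$2" | while read -r name; do
            [ -n "$name" ] && echo "rpm -ivh $1/$name"
        done
        return 0
    fi
    echo "verification failed; not installing" >&2
    return 1
}
```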
More contact details at http://www.redhat.com/solutions/security/news/contact.html

[***** End RHSA-2003:392-05 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-021: Microsoft Cumulative Security Update for Internet Explorer
O-022: Microsoft Buffer Overrun Vulnerability in Workstation Service
O-023: Microsoft Word and Excel Vulnerabilities
O-024: Microsoft Buffer Overrun in Microsoft FrontPage
O-025: ISS PeopleSoft IClient Servlet Remote Command Execution Vulnerability
O-026: Red Hat Updated PostgreSQL Packages Fix Buffer Overflow
O-027: Red Hat Updated XFree86 Packages Provide Security and Bug Fixes
O-028: Hewlett Packard dtmailpr
O-029: Sun Security Vulnerability on Sun Systems with a PGX32 Frame Buffer
O-030: Hewlett Packard VirtualVault OpenSSH Vulnerabilities