__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

  Red Hat Updated Kernel Packages Resolve Security Vulnerabilities
              [RHSA-2004:065-04 & RHSA-2004:069-04]

February 19, 2004 14:00 GMT                                   Number O-082
[REVISED 02 Mar 2004]
[REVISED 05 Mar 2004]
[REVISED 15 Apr 2004]
______________________________________________________________________________

PROBLEM:       There are four vulnerabilities:
               1) A flaw in return value checking in mremap() in Linux
                  kernel versions 2.4.24 and previous (please see CIAC
                  O-045);
               2) The Vicam USB driver in kernel versions prior to 2.4.25
                  does not use the copy_from_user function to access
                  userspace;
               3) A flaw in ncp_lookup() in ncpfs;
               4) Issues in the R128 Direct Render Infrastructure.

PLATFORM:      Red Hat Linux 9
               Red Hat Enterprise Linux AS (v. 2.1)
               Red Hat Enterprise Linux ES (v. 2.1)
               Red Hat Enterprise Linux WS (v. 2.1)
               Debian GNU/Linux 3.0 (woody)
               ProPack v2.4 for the Altix family of systems

DAMAGE:        1) May allow a local attacker to gain root privileges;
               2) Crosses security boundaries;
               3) The flaw in ncp_lookup() in ncpfs could allow local
                  privilege escalation;
               4) Could allow local privilege escalation.

SOLUTION:      Install the appropriate upgrades.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. A local attacker could gain root
ASSESSMENT:    privileges.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-082.shtml

 ORIGINAL BULLETINS: Red Hat RHSA-2004:065-04
                     https://rhn.redhat.com/errata/RHSA-2004-065.html
                     Red Hat RHSA-2004:069-04
                     https://rhn.redhat.com/errata/RHSA-2004-069.html

 ADDITIONAL LINKS:   Debian Security Advisory DSA-442-1
                     http://www.debian.org/security/2004/dsa-442
                     Debian Security Advisory DSA-482-1
                     http://www.debian.org/security/2004/dsa-482
                     Debian Security Advisory DSA-481-1
                     http://www.debian.org/security/2004/dsa-481
                     Debian Security Advisory DSA-480-1
                     http://www.debian.org/security/2004/dsa-480
                     Debian Security Advisory DSA-479-1 & 2
                     http://www.debian.org/security/2004/dsa-479
                     SGI Security Advisory Number 20040204-01-U (Patch 10046)
                     ftp://patches.sgi.com/support/free/security/advisories/20040204-01-U.asc
                     Red Hat RHSA-2004:069-06
                     https://rhn.redhat.com/errata/RHSA-2004-069.html

 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0003
                     CAN-2004-0010
                     CAN-2004-0075
                     CAN-2004-0077
______________________________________________________________________________

REVISION HISTORY:
 03/02/04 - Added a link to SGI Security Advisory Number 20040204-01-U
            (Patch 10046) for ProPack v2.4 (kernel fixes and security
            update). A link was also added for Debian Security Advisory
            DSA-442-1 for linux-kernel-2.4.17-s390 new patches.
 03/05/04 - Added a link to the Red Hat Security Advisory RHSA-2004:069-06
            that provides additional kernel-headers packages for Red Hat
            Enterprise Linux AS, ES, WS (v. 2.1).
 04/15/04 - Added links to the following bulletins: Debian Security
            Advisories DSA-482-1 for linux-kernel-2.4.17-apus+s390;
            DSA-481-1 for linux-kernel-2.4.17-ia64; DSA-480-1 for
            linux-kernel-2.4.17+2.4.18-hppa; DSA-479 for
            linux-kernel-2.4.18-alpha+i386+powerpc.
[***** Start RHSA-2004:065-04 *****]

Updated kernel packages resolve security vulnerabilities

Advisory:            RHSA-2004:065-05
Last updated on:     2004-02-18
Affected Products:   Red Hat Linux 9
CVEs (cve.mitre.org): CAN-2004-0003
                      CAN-2004-0010
                      CAN-2004-0075
                      CAN-2004-0077

Security Advisory

Details:

Updated kernel packages that fix security vulnerabilities which may allow
local users to gain root privileges are now available. These packages also
resolve other minor issues.

The Linux kernel handles the basic functions of the operating system.

Paul Starzetz discovered a flaw in return value checking in mremap() in the
Linux kernel versions 2.4.24 and previous that may allow a local attacker to
gain root privileges. No exploit is currently available; however, this issue
is exploitable. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0077 to this issue.

The Vicam USB driver in kernel versions prior to 2.4.25 does not use the
copy_from_user function to access userspace, which crosses security
boundaries. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0075 to this issue.

Arjan van de Ven discovered a flaw in ncp_lookup() in ncpfs that could allow
local privilege escalation. ncpfs is only used to allow a system to mount
volumes of NetWare servers or print to NetWare printers. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0010 to this issue.

Alan Cox found issues in the R128 Direct Render Infrastructure that could
allow local privilege escalation. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0003 to this issue.

All users are advised to upgrade to these errata packages, which contain
backported security patches that correct these issues.

Red Hat would like to thank Paul Starzetz from ISEC for reporting the issue
CAN-2004-0077.
Updated packages:

Red Hat Linux 9
--------------------------------------------------------------------------------
SRPMS:
kernel-2.4.20-30.9.src.rpm                    49493c8d5d9ddc2a4a9972ece04a6d8f

athlon:
kernel-2.4.20-30.9.athlon.rpm                 470b90ee4107de230f10f8a2a7d41c07
kernel-smp-2.4.20-30.9.athlon.rpm             19b1e5ac305d1154272fc24f67e4b178

i386:
kernel-2.4.20-30.9.i386.rpm                   f4d5fe1bc347ce6f4cd14f4044806a1c
kernel-BOOT-2.4.20-30.9.i386.rpm              56e1dbffc0ef2cc8b9437dac17125741
kernel-doc-2.4.20-30.9.i386.rpm               4e2f8db760ab6fea751199a5a65c049c
kernel-source-2.4.20-30.9.i386.rpm            10b2197124f4e73546b85011b2907996

i586:
kernel-2.4.20-30.9.i586.rpm                   9793e1f3d897c1f3e405787582a97eb0
kernel-smp-2.4.20-30.9.i586.rpm               9af567d04a4058c5576660907c5e8029

i686:
kernel-2.4.20-30.9.i686.rpm                   59cb85fd47dad7a60c141b6514643aa2
kernel-bigmem-2.4.20-30.9.i686.rpm            6aa14556eb3c01efcca8141269b9ec94
kernel-smp-2.4.20-30.9.i686.rpm               cf3483753eaa7eb0eec8d5cef943f04a

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can
also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates.
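The package list above publishes an MD5 digest for every RPM, and the signing section of the advisory (below) gives the two commands for checking them: md5sum for corruption or tampering, and rpm --checksig -v for the Red Hat GPG signature. The following POSIX sh script is an added example that is not part of the CIAC bulletin or of Red Hat's own tooling; it checks a download directory against a digest manifest before anything is passed to rpm -Fvh. The manifest constant copies the i686 digests printed above; the function names, the directory argument and the manifest layout ("digest  filename", one per line) are this example's own conventions, and no packages are downloaded by it.

```sh
#!/bin/sh
# Verify downloaded errata RPMs against the md5sums published in an advisory
# before installing them. Example script (not from the bulletin); the digests
# below are copied from the Red Hat Linux 9 i686 section of RHSA-2004:065.
# Manifest format assumed here: "<md5 hex digest>  <filename>", one per line.
ADVISORY_I686_MD5='59cb85fd47dad7a60c141b6514643aa2  kernel-2.4.20-30.9.i686.rpm
6aa14556eb3c01efcca8141269b9ec94  kernel-bigmem-2.4.20-30.9.i686.rpm
cf3483753eaa7eb0eec8d5cef943f04a  kernel-smp-2.4.20-30.9.i686.rpm'

# md5_of FILE: print the MD5 hex digest of FILE. Uses md5sum (GNU/Linux) and
# falls back to md5 -q (BSD) so the check is portable.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# verify_file FILE EXPECTED_MD5: exit status 0 only when the digest matches.
verify_file() {
  actual=$(md5_of "$1") || return 2
  [ "$actual" = "$2" ]
}

# verify_manifest DIR MANIFEST: check every "digest  filename" line of
# MANIFEST against DIR/filename. Prints one status line per package and
# returns 0 only if every listed file exists and matches; a missing file is
# treated as a failure so a partial download cannot slip through.
verify_manifest() {
  dir=$1
  manifest=$2
  failed=0
  while read -r sum name; do
    [ -n "$name" ] || continue          # skip blank lines
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name"
      failed=1
    elif verify_file "$dir/$name" "$sum"; then
      echo "OK       $name"
    else
      echo "MISMATCH $name"
      failed=1
    fi
  done <<EOF
$manifest
EOF
  return $failed
}

# check_signature FILE: run the signature check the advisory recommends
# (rpm --checksig -v). Meaningful only on a host with rpm installed and the
# Red Hat public key imported; returns rpm's own exit status.
check_signature() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not available; signature check skipped for $1" >&2
    return 3
  fi
  rpm --checksig -v "$1"
}

# Usage: sh verify_rpms.sh /path/to/downloaded/rpms
# With no argument the functions are only defined (handy for sourcing).
[ $# -eq 0 ] || verify_manifest "$1" "$ADVISORY_I686_MD5"
```

Run the script against the directory holding the downloaded RPMs; only when it reports OK for every package (and rpm --checksig -v accepts the signatures) should the files be handed to rpm -Fvh. The digest check catches a corrupted or substituted download, while the signature check ties the package to Red Hat's key; the advisory's own wording distinguishes the two, and the script keeps them as separate functions for the same reason.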
To use Red Hat Network, launch the Red Hat Update Agent with the following
command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL certificate errors,
you need to install a version of the up2date client with an updated
certificate. The latest version of up2date is available from the Red Hat FTP
site and may also be downloaded directly from the RHN website:

    https://rhn.redhat.com/help/latest-up2date.pxt

Bugs fixed: (see bugzilla for more information)

113517 - RHEL 3.0 smp hang using prctl( PR_SET_PDEATHSIG

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077

Keywords: privesc, VMA
--------------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

    http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End RHSA-2004:065-04 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-072: Check Point FireWall-1 HTTP Security Server Vulnerability
O-073: Check Point VPN-1 Server and VPN Client Buffer Overflow Vulnerability
O-074: Red Hat Cross-site Scripting Vulnerability in Mailman Package
O-075: RealPlayer / RealOne Player Buffer Overrun Vulnerabilities
O-076: MS Vulnerability in Virtual PC for Mac
O-077: MS Vulnerability in the Windows Internet Naming Service (WINS)
O-078: Samba - Unauthorized Access to SMB Accounts
O-079: SGI - Userland Binary Vulnerabilities
O-080: Novell iChain Telnet Service Vulnerability
O-081: Red Hat Updated XFree86 Packages Fix Privilege Escalation Vulnerability