__________________________________________________________

                     The U.S. Department of Energy
                 Computer Incident Advisory Capability
__________________________________________________________

                          INFORMATION BULLETIN

       Security Vulnerabilities Addressed in Red Hat Kernel Update
              [Red Hat Security Advisory RHSA-2005:366-19]

April 20, 2005 19:00 GMT                                       Number P-188
[REVISED 25 Apr 2005]
[REVISED 28 Apr 2005]
[REVISED 11 Aug 2005]
[REVISED 25 Aug 2005]
[REVISED 29 Sep 2005]
[REVISED 24 Mar 2006]
[REVISED 07 Apr 2006]
[REVISED 30 May 2006]
______________________________________________________________________________

PROBLEM:        Red Hat has released a kernel update that addresses several
                security vulnerabilities. The Linux kernel handles the basic
                functions of the operating system.

PLATFORM:       Red Hat Desktop (v. 3 and v. 4)
                Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v. 3 and v. 4)
                Red Hat Linux Advanced Workstation 2.1 for the Itanium
                Processor
                Debian GNU/Linux 3.1 (sarge)
                Debian GNU/Linux 3.0 alias woody

DAMAGE:         Some of the effects of exploiting the eighteen security flaws
                that were fixed with this update include: denial of service,
                arbitrary code execution, and privilege escalation.

SOLUTION:       Apply available security updates.
______________________________________________________________________________

VULNERABILITY   The risk is MEDIUM. Exploiting the vulnerabilities may allow a
ASSESSMENT:     local user to cause a denial of service, execute arbitrary
                code, or gain elevated privileges.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-188.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2005-366.html
 ADDITIONAL LINKS:
   Red Hat Security Advisory RHSA-2005:293-16
     https://rhn.redhat.com/errata/RHSA-2005-293.html
   Red Hat Security Advisory RHSA-2005:283-15
     https://rhn.redhat.com/errata/RHSA-2005-283.html
   Red Hat Security Advisory RHSA-2005:284-11
     https://rhn.redhat.com/errata/RHSA-2005-284.html
   Red Hat Security Advisory RHSA-2005:366-21
     https://rhn.redhat.com/errata/RHSA-2005-366.html
   Red Hat Security Advisory RHSA-2005:420-24
     https://rhn.redhat.com/errata/RHSA-2005-420.html
   Red Hat Security Advisory RHSA-2005:529-12
     https://rhn.redhat.com/errata/RHSA-2005-529.html
   Red Hat Security Advisory RHSA-2005:551-09
     https://rhn.redhat.com/errata/RHSA-2005-551.html
   Red Hat Security Advisory RHSA-2005:663-19
     https://rhn.redhat.com/errata/RHSA-2005-663.html
   Debian Security Advisory DSA-1017-1
     http://www.debian.org/security/2006/dsa-1017
   Debian Security Advisory DSA-1018-2
     http://www.debian.org/security/2006/dsa-1018
   Debian Security Advisory DSA-1082-1
     http://www.debian.org/security/2006/dsa-1082
 CVE/CAN:  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
   CAN-2005-0135  CAN-2005-0207  CAN-2005-0209  CAN-2005-0384  CAN-2005-0400
   CAN-2005-0449  CAN-2005-0529  CAN-2005-0530  CAN-2005-0531  CAN-2005-0736
   CAN-2005-0749  CAN-2005-0750  CAN-2005-0767  CAN-2005-0815  CAN-2005-0839
   CAN-2005-0867  CAN-2005-0977  CAN-2005-1041
______________________________________________________________________________

REVISION HISTORY:
 04/25/2005 - added link to Red Hat Security Advisory RHSA-2005:293-16 that
              provides updated kernel packages for Red Hat v. 3.
 04/28/2005 - added links to Red Hat Security Advisory RHSA-2005:293-16 and
              RHSA-2005:294-11 that provide updated kernel packages for
              Red Hat v. 2.1.
 08/11/2005 - added links to Red Hat Security Advisories RHSA-2005:366-21 and
              RHSA-2005:420-24.
 08/25/2005 - added links to Red Hat Security Advisories RHSA-2005:529-12 and
              RHSA-2005:551-09.
 09/29/2005 - added a link to Red Hat Security Advisory RHSA-2005:663-19.
 03/24/2006 - added a link to DSA 1017.
 04/07/2006 - added a link to Debian Security Advisory DSA-1018-2 for Debian
              GNU/Linux 3.1 sarge.
 05/30/2006 - added a link to Debian Security Advisory DSA-1082-1 for Debian
              GNU/Linux 3.0 alias woody.

[***** Start Red Hat Security Advisory RHSA-2005:366-19 *****]

Important: kernel security update

Advisory:         RHSA-2005:366-19
Type:             Security Advisory
Issued on:        2005-04-19
Last updated on:  2005-04-19

Affected Products:
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org):
  CAN-2005-0135  CAN-2005-0207  CAN-2005-0209  CAN-2005-0384  CAN-2005-0400
  CAN-2005-0449  CAN-2005-0529  CAN-2005-0530  CAN-2005-0531  CAN-2005-0736
  CAN-2005-0749  CAN-2005-0750  CAN-2005-0767  CAN-2005-0815  CAN-2005-0839
  CAN-2005-0867  CAN-2005-0977  CAN-2005-1041

Details

Updated kernel packages that fix several security issues are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat
Security Response Team.

The Linux kernel handles the basic functions of the operating system.

A flaw in the fib_seq_start function was discovered. A local user could use
this flaw to cause a denial of service (system crash) via /proc/net/route.
(CAN-2005-1041)

A flaw in the tmpfs file system was discovered. A local user could use this
flaw to cause a denial of service (system crash). (CAN-2005-0977)

An integer overflow flaw was found when writing to a sysfs file. A local user
could use this flaw to overwrite kernel memory, causing a denial of service
(system crash) or arbitrary code execution. (CAN-2005-0867)

Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A
local user could use this flaw to cause a denial of service (system crash) on
Itanium architectures. (CAN-2005-0135)

A flaw in the NFS client O_DIRECT error case handling was discovered. A local
user could use this flaw to cause a denial of service (system crash).
(CAN-2005-0207)

A flaw in fragment forwarding was discovered that affected the netfilter
subsystem for certain network interface cards. A remote attacker could send a
set of bad fragments and cause a denial of service (system crash). Only the
Acenic and SunGEM network interfaces, which are in widespread use, were
affected. (CAN-2005-0209)

A flaw was discovered in the Linux PPP driver. On systems allowing remote
users to connect to a server using ppp, a remote client could cause a denial
of service (system crash). (CAN-2005-0384)

A flaw was discovered in the ext2 file system code. When a new directory is
created, the ext2 block written to disk is not initialized, which could lead
to an information leak if a disk image is made available to unprivileged
users. (CAN-2005-0400)

A flaw in fragment queuing was discovered that affected the Linux kernel
netfilter subsystem. On systems configured to filter or process network
packets (e.g. firewalling), a remote attacker could send a carefully crafted
set of fragmented packets to a machine and cause a denial of service (system
crash). In order to successfully exploit this flaw, the attacker would need to
know or guess some aspects of the firewall ruleset on the target system.
(CAN-2005-0449)

A number of flaws were found in the Linux 2.6 kernel. A local user could use
these flaws to read kernel memory or cause a denial of service (crash).
(CAN-2005-0529, CAN-2005-0530, CAN-2005-0531)

An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local
user could use this flaw to overwrite low kernel memory. This memory is
usually unused, so the overwrite does not usually have a security consequence.
(CAN-2005-0736)

A flaw when freeing a pointer in load_elf_library was discovered. A local user
could potentially use this flaw to cause a denial of service (crash).
(CAN-2005-0749)

A flaw was discovered in the bluetooth driver system. On systems where the
bluetooth modules are loaded, a local user could use this flaw to gain
elevated (root) privileges. (CAN-2005-0750)

A race condition was discovered that affected the Radeon DRI driver. A local
user who has DRI privileges on a Radeon graphics card may be able to use this
flaw to gain root privileges. (CAN-2005-0767)

Multiple range checking flaws were discovered in the iso9660 file system
handler. An attacker could create a malicious file system image which would
cause a denial of service or potentially execute arbitrary code if mounted.
(CAN-2005-0815)

A flaw was discovered when setting line discipline on a serial tty. A local
user may be able to use this flaw to inject mouse movements or keystrokes when
another user is logged in. (CAN-2005-0839)

Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the
packages associated with their machine architectures and configurations as
listed in this erratum.

Please note that a vulnerability addressed by this update (CAN-2005-0449)
required a change to the kernel module ABI which could cause third-party
modules not to work. However, Red Hat is currently not aware of any module
that would be affected by this change.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

  up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to your
system:

  http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
kernel-2.6.9-5.0.5.EL.src.rpm  5c195d29285c007e9d24c62c83dcb912

IA-32:
kernel-2.6.9-5.0.5.EL.i686.rpm  9664da40e572449a6847e93182a32c3c
kernel-devel-2.6.9-5.0.5.EL.i686.rpm  99f0ef2ce199e67f2933e2740f4d64d5
kernel-doc-2.6.9-5.0.5.EL.noarch.rpm  405f5d5be5119e38e9eba7fb6c1d5e17
kernel-hugemem-2.6.9-5.0.5.EL.i686.rpm  ac8ddc9ece5c9d0a5d2d5aa632354b74
kernel-hugemem-devel-2.6.9-5.0.5.EL.i686.rpm  eacb127a2036da6c096bdc7e65d65fc5
kernel-smp-2.6.9-5.0.5.EL.i686.rpm  9327533de8bda32cd822a3641a4ba7b4
kernel-smp-devel-2.6.9-5.0.5.EL.i686.rpm  3ddb05a05f268170d0362f88803ca333

x86_64:
kernel-2.6.9-5.0.5.EL.x86_64.rpm  a16892ac78518e7a948c71ca07c7c3d5
kernel-devel-2.6.9-5.0.5.EL.x86_64.rpm  e4f614a057827048bafa5b5f4f8848ba
kernel-smp-2.6.9-5.0.5.EL.x86_64.rpm  39eacfa87d106fee7705e335f72722ca
kernel-smp-devel-2.6.9-5.0.5.EL.x86_64.rpm  90c6bb332096064e2283e5849d3060fa

Red Hat Enterprise Linux AS (v. 4)

SRPMS:
kernel-2.6.9-5.0.5.EL.src.rpm  5c195d29285c007e9d24c62c83dcb912

IA-32:
kernel-2.6.9-5.0.5.EL.i686.rpm  9664da40e572449a6847e93182a32c3c
kernel-devel-2.6.9-5.0.5.EL.i686.rpm  99f0ef2ce199e67f2933e2740f4d64d5
kernel-doc-2.6.9-5.0.5.EL.noarch.rpm  405f5d5be5119e38e9eba7fb6c1d5e17
kernel-hugemem-2.6.9-5.0.5.EL.i686.rpm  ac8ddc9ece5c9d0a5d2d5aa632354b74
kernel-hugemem-devel-2.6.9-5.0.5.EL.i686.rpm  eacb127a2036da6c096bdc7e65d65fc5
kernel-smp-2.6.9-5.0.5.EL.i686.rpm  9327533de8bda32cd822a3641a4ba7b4
kernel-smp-devel-2.6.9-5.0.5.EL.i686.rpm  3ddb05a05f268170d0362f88803ca333

IA-64:
kernel-2.6.9-5.0.5.EL.ia64.rpm  3846f3b0cb158cea58d6eadcbbe20e5e
kernel-devel-2.6.9-5.0.5.EL.ia64.rpm  8184ecdf261a08faab82207cf5cd0d91

PPC:
kernel-2.6.9-5.0.5.EL.ppc64.rpm  432a6e25f7b93513a5c94a29c4e631b9
kernel-2.6.9-5.0.5.EL.ppc64iseries.rpm  2c4b243f0c58cf2042e74fc6537336b0
kernel-devel-2.6.9-5.0.5.EL.ppc64.rpm  3893af8a7c2fff3cadec1ee00a3d4c5e
kernel-devel-2.6.9-5.0.5.EL.ppc64iseries.rpm  06c3bc39ae9b33dc37bfbb8a979cb3bd

s390:
kernel-2.6.9-5.0.5.EL.s390.rpm  0923d70710e70d973d1a700c6094c9f8
kernel-devel-2.6.9-5.0.5.EL.s390.rpm  55a81c1746924b784470866525c08785

s390x:
kernel-2.6.9-5.0.5.EL.s390x.rpm  78ee1de0c8d4b1de697593d00f3fb5cb
kernel-devel-2.6.9-5.0.5.EL.s390x.rpm  5051be0f2437f99275dbfa9da9955f11

x86_64:
kernel-2.6.9-5.0.5.EL.x86_64.rpm  a16892ac78518e7a948c71ca07c7c3d5
kernel-devel-2.6.9-5.0.5.EL.x86_64.rpm  e4f614a057827048bafa5b5f4f8848ba
kernel-smp-2.6.9-5.0.5.EL.x86_64.rpm  39eacfa87d106fee7705e335f72722ca
kernel-smp-devel-2.6.9-5.0.5.EL.x86_64.rpm  90c6bb332096064e2283e5849d3060fa

Red Hat Enterprise Linux ES (v. 4)

SRPMS:
kernel-2.6.9-5.0.5.EL.src.rpm  5c195d29285c007e9d24c62c83dcb912

IA-32:
kernel-2.6.9-5.0.5.EL.i686.rpm  9664da40e572449a6847e93182a32c3c
kernel-devel-2.6.9-5.0.5.EL.i686.rpm  99f0ef2ce199e67f2933e2740f4d64d5
kernel-doc-2.6.9-5.0.5.EL.noarch.rpm  405f5d5be5119e38e9eba7fb6c1d5e17
kernel-hugemem-2.6.9-5.0.5.EL.i686.rpm  ac8ddc9ece5c9d0a5d2d5aa632354b74
kernel-hugemem-devel-2.6.9-5.0.5.EL.i686.rpm  eacb127a2036da6c096bdc7e65d65fc5
kernel-smp-2.6.9-5.0.5.EL.i686.rpm  9327533de8bda32cd822a3641a4ba7b4
kernel-smp-devel-2.6.9-5.0.5.EL.i686.rpm  3ddb05a05f268170d0362f88803ca333

IA-64:
kernel-2.6.9-5.0.5.EL.ia64.rpm  3846f3b0cb158cea58d6eadcbbe20e5e
kernel-devel-2.6.9-5.0.5.EL.ia64.rpm  8184ecdf261a08faab82207cf5cd0d91

x86_64:
kernel-2.6.9-5.0.5.EL.x86_64.rpm  a16892ac78518e7a948c71ca07c7c3d5
kernel-devel-2.6.9-5.0.5.EL.x86_64.rpm  e4f614a057827048bafa5b5f4f8848ba
kernel-smp-2.6.9-5.0.5.EL.x86_64.rpm  39eacfa87d106fee7705e335f72722ca
kernel-smp-devel-2.6.9-5.0.5.EL.x86_64.rpm  90c6bb332096064e2283e5849d3060fa

Red Hat Enterprise Linux WS (v. 4)

SRPMS:
kernel-2.6.9-5.0.5.EL.src.rpm  5c195d29285c007e9d24c62c83dcb912

IA-32:
kernel-2.6.9-5.0.5.EL.i686.rpm  9664da40e572449a6847e93182a32c3c
kernel-devel-2.6.9-5.0.5.EL.i686.rpm  99f0ef2ce199e67f2933e2740f4d64d5
kernel-doc-2.6.9-5.0.5.EL.noarch.rpm  405f5d5be5119e38e9eba7fb6c1d5e17
kernel-hugemem-2.6.9-5.0.5.EL.i686.rpm  ac8ddc9ece5c9d0a5d2d5aa632354b74
kernel-hugemem-devel-2.6.9-5.0.5.EL.i686.rpm  eacb127a2036da6c096bdc7e65d65fc5
kernel-smp-2.6.9-5.0.5.EL.i686.rpm  9327533de8bda32cd822a3641a4ba7b4
kernel-smp-devel-2.6.9-5.0.5.EL.i686.rpm  3ddb05a05f268170d0362f88803ca333

IA-64:
kernel-2.6.9-5.0.5.EL.ia64.rpm  3846f3b0cb158cea58d6eadcbbe20e5e
kernel-devel-2.6.9-5.0.5.EL.ia64.rpm  8184ecdf261a08faab82207cf5cd0d91

x86_64:
kernel-2.6.9-5.0.5.EL.x86_64.rpm  a16892ac78518e7a948c71ca07c7c3d5
kernel-devel-2.6.9-5.0.5.EL.x86_64.rpm  e4f614a057827048bafa5b5f4f8848ba
kernel-smp-2.6.9-5.0.5.EL.x86_64.rpm  39eacfa87d106fee7705e335f72722ca
kernel-smp-devel-2.6.9-5.0.5.EL.x86_64.rpm  90c6bb332096064e2283e5849d3060fa

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

147468 - CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker
148868 - CAN-2005-0135 ia64 local DoS
148878 - CAN-2005-0207 nfs client O_DIRECT oops
149466 - CAN-2005-0529 Sign handling issues on v2.6 (CAN-2005-0530
         CAN-2005-0531)
149589 - CAN-2005-0209 netfilter SKB problem
151240 - CAN-2005-0384 pppd remote DoS
151249 - CAN-2005-0736 epoll overflow
151902 - CAN-2005-0767 drm race in radeon
152177 - CAN-2005-0750 bluetooth security flaw
152399 - CAN-2005-0400 ext2 mkdir() directory entry random kernel memory leak
152405 - CAN-2005-0815 isofs range checking flaws
152410 - CAN-2005-0749 load_elf_library possible DoS
152417 - CAN-2005-0839 N_MOUSE line discipline flaw
152561 - CAN-2005-0977 tmpfs truncate bug
154219 - CAN-2005-0867 sysfs signedness problem
154551 - CAN-2005-1041 crash while reading /proc/net/route
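A defender-side check for the Solution and package sections above, added here as an example; it is not part of the CIAC bulletin or of the Red Hat advisory. It compares the running kernel release with the fixed release 2.6.9-5.0.5.EL from the package tables, using a simplified form of rpm's version ordering (numeric segments compare as integers, a numeric segment outranks an alphabetic one), and checks a downloaded package file against one of the MD5 sums listed above. The script name, the helper names and the handling of the "smp"/"hugemem" flavour suffix that uname -r appends are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin or the Red Hat advisory.
# Assumptions: POSIX sh with sed(1), expr(1), md5sum(1) and uname(1);
# the fixed release and the hashes come from the advisory text above.

FIXED_KERNEL="2.6.9-5.0.5.EL"

# Split a version-release string into space-separated tokens at '.', '-'
# and '_' and at digit/letter boundaries, roughly as rpmvercmp does.
vtokens() {
    printf '%s\n' "$1" | sed -e 's/[._-]/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g'
}

# Compare two tokens; print -1, 0 or 1 for a<b, a=b, a>b.
# Numeric tokens compare as integers, a numeric token is newer than an
# alphabetic one (rpm rule), and alphabetic tokens compare as strings.
cmp_token() {
    a=$1; b=$2
    case "$a" in *[!0-9]*) a_num=0 ;; *) a_num=1 ;; esac
    case "$b" in *[!0-9]*) b_num=0 ;; *) b_num=1 ;; esac
    if [ "$a_num" -eq 1 ] && [ "$b_num" -eq 1 ]; then
        if [ "$a" -lt "$b" ]; then printf '%s\n' -1
        elif [ "$a" -gt "$b" ]; then printf '%s\n' 1
        else printf '%s\n' 0; fi
    elif [ "$a_num" -eq 1 ]; then printf '%s\n' 1
    elif [ "$b_num" -eq 1 ]; then printf '%s\n' -1
    elif [ "$a" = "$b" ]; then printf '%s\n' 0
    elif [ "$(expr "$a" \< "$b")" = 1 ]; then printf '%s\n' -1
    else printf '%s\n' 1
    fi
}

# vercmp A B: print -1, 0 or 1 comparing two full version-release strings.
# A string that runs out of tokens first is the older one.
vercmp() {
    tb=$(vtokens "$2")
    set -- $(vtokens "$1")
    for t in $tb; do
        [ $# -eq 0 ] && { printf '%s\n' -1; return; }
        r=$(cmp_token "$1" "$t")
        [ "$r" = 0 ] || { printf '%s\n' "$r"; return; }
        shift
    done
    [ $# -eq 0 ] && printf '%s\n' 0 || printf '%s\n' 1
}

# Strip the flavour suffix uname -r adds (assumed: "smp", "hugemem") so the
# running release can be compared with the package version.
kernel_release_base() {
    printf '%s\n' "$1" | sed -e 's/\.ELsmp$/.EL/' -e 's/\.ELhugemem$/.EL/'
}

# kernel_is_fixed RELEASE: succeed if RELEASE is at or past FIXED_KERNEL.
kernel_is_fixed() {
    [ "$(vercmp "$(kernel_release_base "$1")" "$FIXED_KERNEL")" -ge 0 ]
}

# verify_md5 FILE EXPECTED: succeed if FILE's MD5 equals EXPECTED.
# The MD5 only catches a corrupted or swapped download; authenticity still
# rests on the Red Hat GPG signature (rpm -K FILE).
verify_md5() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Usage: sh check_rhsa_2005_366.sh [FILE EXPECTED_MD5]
running=$(uname -r 2>/dev/null || echo unknown)
if kernel_is_fixed "$running"; then
    echo "running kernel $running is at or past $FIXED_KERNEL"
else
    echo "running kernel $running predates $FIXED_KERNEL; apply RHSA-2005:366"
fi
if [ $# -eq 2 ]; then
    if verify_md5 "$1" "$2"; then echo "$1: MD5 matches the advisory"
    else echo "$1: MD5 MISMATCH, do not install"; fi
fi
```

For example, `sh check_rhsa_2005_366.sh kernel-2.6.9-5.0.5.EL.i686.rpm 9664da40e572449a6847e93182a32c3c` checks the IA-32 kernel package against the hash listed for it above. On a real RHEL 4 host the authoritative source of the installed version is `rpm -q kernel`, since uname -r only reports the kernel currently booted; the comparison here is what you would run on a fleet before and after pushing the erratum.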
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1041

Keywords

errata, kernel, nahant

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:

  https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat Security Advisory RHSA-2005:366-19 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-178: Vulnerability in Message Queuing (892944)
P-179: Vulnerability in Windows Shell (893086)
P-180: Vulnerabilities in Windows Kernel (890859)
P-181: Cisco Products Vulnerable to DoS via Crafted ICMP Messages
P-182: Oracle Critical Patch Update - April 2005
P-183: The Sun ONE and JES Directory Server Contain a Buffer Overflow
       involving LDAP
P-184: libexif
P-185: Apple Mac OS X v10.3.9 Security Update
P-186: Possible Network Port Theft in Solaris
P-187: Sun Java System Web Proxy Server Vulnerability