[security-announce] Heads up on new kernel local root exploit
Hi,

Dan Rosenberg published a new local root exploit for the kernel, linked e.g. in this LWN article
http://lwn.net/Articles/419141/
and for our German readers on
http://www.heise.de/newsticker/meldung/OOPS-Root-Rechte-auf-Linux-1149512.ht...

The exploit itself chains 3 separate security issues, all found by Nelson Elhage.

CVE-2010-4258[1]: This is the core vulnerability, which can basically turn any Oops triggered by a user program into a local privilege escalation. This problem affects all SUSE Linux Enterprise and openSUSE products (but needs another problem to trigger it).

In the published exploit this Oops is caused by:

CVE-2010-3850[2]: Associating an ECONET address with any network interface. This is possible in older SUSE products before SUSE Linux Enterprise 11 SP1 and openSUSE 11.2.

CVE-2010-3849[3]: A kernel Oops caused by a NULL pointer dereference in ECONET. This vulnerability does not affect any SUSE Linux or openSUSE product, as we do not have the ECONET sub-configuration enabled that is necessary to exploit this.

As the ECONET parts of this exploit are not effective on openSUSE and SUSE Linux Enterprise, the published exploit will not work as-is.

However, as SUSE kernels are affected by CVE-2010-4258, an exploit could be written that uses a different method to Oops the kernel.

To mitigate this issue until updates are available, you can switch your kernel to panic on any Oops by running as root:

    echo 1 > /proc/sys/kernel/panic_on_oops

We will of course also be releasing updated kernel packages containing fixes.

Ciao, Marcus

[1] http://support.novell.com/security/cve/CVE-2010-4258.html
[2] http://support.novell.com/security/cve/CVE-2010-3850.html
[3] http://support.novell.com/security/cve/CVE-2010-3849.html
Marcus Meissner
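The echo above only changes the running kernel, so the setting is lost at reboot unless `kernel.panic_on_oops = 1` is also set in a sysctl configuration file. The following check is an added example, not part of the original advisory; the function names are hypothetical, and the file arguments exist only so the checks can be run against constructed files (the defaults are the real locations).

```shell
#!/bin/sh
# Added example: audit the panic_on_oops mitigation from the advisory.

# Print the runtime value of panic_on_oops (0 or 1).
runtime_panic_on_oops() {
    f="${1:-/proc/sys/kernel/panic_on_oops}"
    [ -r "$f" ] || return 2
    tr -d ' \t\n' < "$f"
}

# Succeed if the sysctl file sets kernel.panic_on_oops to 1.
# Commented-out lines are ignored; the last assignment wins.
persistent_panic_on_oops() {
    f="${1:-/etc/sysctl.conf}"
    [ -r "$f" ] || return 1
    val=$(sed -n 's/^[[:space:]]*kernel[./]panic_on_oops[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
    [ "$val" = "1" ]
}

# Succeed if the econet module is listed in /proc/modules format input.
econet_loaded() {
    f="${1:-/proc/modules}"
    [ -r "$f" ] || return 1
    grep -q '^econet ' "$f"
}

# Report all three checks; return non-zero if the mitigation is
# missing at runtime or would not survive a reboot.
audit_oops_mitigation() {
    rc=0
    if [ "$(runtime_panic_on_oops "$1")" = "1" ]; then
        echo "runtime: panic_on_oops=1"
    else
        echo "runtime: panic_on_oops is not 1"; rc=1
    fi
    if persistent_panic_on_oops "$2"; then
        echo "persistent: kernel.panic_on_oops = 1 configured"
    else
        echo "persistent: not configured, setting is lost on reboot"; rc=1
    fi
    # Informational only: ECONET is the Oops trigger in the published exploit.
    if econet_loaded "$3"; then
        echo "econet: module loaded"
    else
        echo "econet: module not loaded"
    fi
    return $rc
}
```

Source the file and call `audit_oops_mitigation` with no arguments to check the live system.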