Dan Rosenberg published a new local root exploit for the kernel,
linked e.g. in this LWN article
and for our german readers on
The exploit itself uses 3 seperate security issues in chain, all
found by Nelson Elhage.
This is the core vulnerability, which can basically turn any user program
triggered Oops into a local privilege escalation. This problem affects
all SUSE Linux Enterprise and openSUSE products (but needs another
problem to trigger it.)
In the published exploit this Oops is caused by:
CVE-2010-3850: Associating a ECONET address with any network
interface. This is possible in older SUSE products before SUSE Linux
Enterprise 11 SP1 and openSUSE 11.2.
CVE-2010-3849: A kernel Oops caused by a NULL pointer dereference in
ECONET. This vulnerability does not affect any SUSE Linux or openSUSE
product, as we do not have the the sub-configuration of ECONET enabled that
are necessary to exploit this.
As the ECONET parts of this exploit are not effective on openSUSE and
SUSE Linux Enterprise, the published exploit will not work as-is.
However, as SUSE kernels are affected by CVE-2010-4258, an exploit could
be written that uses a different method to Oops the kernel.
To mitigate this issue until updates are available, you can switch your
kernel to cause a panic on any Oops by doing as root:
echo 1 > /proc/sys/kernel/panic_on_oops
We will be of course also be releasing updated kernel packages containing