GLSA-200407-16 : Linux Kernel: Multiple DoS and permission vulnerabilities

This script is Copyright (C) 2004-2015 Tenable Network Security, Inc.

Synopsis :

The remote Gentoo host is missing one or more security-related

Description :

The remote host is affected by the vulnerability described in GLSA-200407-16
(Linux Kernel: Multiple DoS and permission vulnerabilities)

The Linux kernel allows a local attacker to mount a remote file system
on a vulnerable Linux host and modify files' group IDs. On 2.4 series
kernels this vulnerability only affects shared NFS file systems. This
vulnerability has been assigned CAN-2004-0497 by the Common
Vulnerabilities and Exposures project.
Also, a flaw in the handling of /proc attributes has been found in 2.6
series kernels; allowing the unauthorized modification of /proc
entries, especially those which rely solely on file permissions for
security to vital kernel parameters.
An issue specific to the VServer Linux sources has been found, by which
/proc related changes in one virtual context are applied to other
contexts as well, including the host system.
CAN-2004-0447 resolves a local DoS vulnerability on IA64 platforms
which can cause unknown behaviour and CAN-2004-0565 resolves a floating
point information leak on IA64 platforms by which registers of other
processes can be read by a local user.
Finally, CAN-2004-0496 addresses some more unknown vulnerabilities in
2.6 series Linux kernels older than 2.6.7 which were found by the
Sparse source code checking tool.

Impact :

Bad Group IDs can possibly cause a Denial of Service on parts of a host
if the changed files normally require a special GID to properly
operate. By exploiting this vulnerability, users in the original file
group would also be blocked from accessing the changed files.
The /proc attribute vulnerability allows local users with previously no
permissions to certain /proc entries to exploit the vulnerability and
then gain read, write and execute access to entries.
These new privileges can be used to cause unknown behaviour ranging
from reduced system performance to a Denial of Service by manipulating
various kernel options which are usually reserved for the superuser.
This flaw might also be used for opening restrictions set through /proc
entries, allowing further attacks to take place through another
possibly unexpected attack vector.
The VServer issue can also be used to induce similar unexpected
behaviour to other VServer contexts, including the host. By successful
exploitation, a Denial of Service for other contexts can be caused
allowing only root to read certain /proc entries. Such a change would
also be replicated to other contexts, forbidding normal users on those
contexts to read /proc entries which could contain details needed by
daemons running as a non-root user, for example.
Additionally, this vulnerability allows an attacker to read information
from another context, possibly hosting a different server, gaining
critical information such as what processes are running. This may be
used for furthering the exploitation of either context.
CAN-2004-0447 and CAN-2004-0496 permit various local unknown Denial of
Service vulnerabilities with unknown impacts - these vulnerabilities
can be used to possibly elevate privileges or access reserved kernel
memory which can be used for further exploitation of the system.
CAN-2004-0565 allows FPU register values of other processes to be read
by a local user setting the MFH bit during a floating point operation -
since no check was in place to ensure that the FPH bit was owned by the
requesting process, but only an MFH bit check, an attacker can simply
set the MFH bit and access FPU registers of processes running as other
users, possibly those running as root.

Workaround :

2.4 users may not be affected by CAN-2004-0497 if they do not use
remote network filesystems and do not have support for any such
filesystems in their kernel configuration. All 2.6 users are affected
by the /proc attribute issue and the only known workaround is to
disable /proc support. The VServer flaw applies only to
vserver-sources, and no workaround is currently known for the issue.
There is no known fix to CAN-2004-0447, CAN-2004-0496 or CAN-2004-0565
other than to upgrade the kernel to a patched version.
As a result, all users affected by any of these vulnerabilities should
upgrade their kernels to ensure the integrity of their systems.

See also :

Solution :

Users are encouraged to upgrade to the latest available sources for
their system:
# emerge sync
# emerge -pv your-favorite-sources
# emerge your-favorite-sources
# # Follow usual procedure for compiling and installing a kernel.
# # If you use genkernel, run genkernel as you would do normally.

Risk factor :

High / CVSS Base Score : 7.2

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14549 (gentoo_GLSA-200407-16.nasl)

Bugtraq ID:

CVE ID: CVE-2004-0447

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now