Vulnerability Alert

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability

 
Threat Type: CWE-264: Permissions, Privileges, and Access Control
IntelliShield ID: 18847
Version: 14
First Published: 2009 August 14 19:02 GMT
Last Published: 2010 June 25 14:42 GMT
Port: Not available
CVE: CVE-2009-2692
BugTraq ID: 36038
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 6.8 (CVSS Version 2.0)
CVSS Temporal: 5.6
 
 
Version Summary:

VMware has released an additional security advisory and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

 
 
Description

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service (DoS) condition.

The vulnerability is due to insufficient input validation by the sock_sendpage() function. A local attacker could exploit the vulnerability by running a malicious program. If successful, the attacker could execute arbitrary code with elevated privileges or cause a DoS condition.

Functional exploit code that uses the pulseaudio program to exploit this vulnerability is publicly available.

Kernel.org has confirmed the vulnerability in a changelog and released updated software.

 
Warning Indicators

The Linux Kernel versions 2.4 through 2.6.30.4 are vulnerable.

 
IntelliShield Analysis

An attacker must be able to log on locally and execute a custom application to exploit the vulnerability. The access requirements will likely restrict exploitation to current users of affected systems and reduce the overall chances for exploitation in most environments.

The systems most at risk are those serving multiple users, particularly hosting providers, where users may attempt to gain elevated privileges to access files hosted by other system users.

 
Vendor Announcements

Kernel.org has released a summary of changes at the following link: Kernel 2.6.30.5 - Thu Aug 13 08:28:36 2009 -0700

MontaVista Software has re-released a security alert for registered users on November 30, 2009, at the following link: MontaVista Security Fixes

Red Hat has released security advisories at the following links: RHSA-2009:1222, RHSA-2009:1223, RHSA-2009:1233, RHSA-2009:1239, RHSA-2009:1457, and RHSA-2009:1469

VMware has released security advisories at the following links: VMSA-2009-0016 and VMSA-2010-0010

 
Impact

A local attacker could exploit this vulnerability to execute arbitrary code with elevated privileges or cause a DoS condition.

 
Technical Information

This vulnerability is due to insufficient validation of input to the sock_sendpage() function. The function does not safely implement some proto_ops function pointers and fails to validate function pointers before dereferencing a provided pointer. The processing of an invalid pointer could trigger memory corruption.

A local attacker could exploit the vulnerability by running a malicious program designed to send a call to the vulnerable sock_sendpage() function. The processing of the call could trigger memory corruption that the attacker could leverage to execute arbitrary code with the privileges of the kernel, or to cause a DoS condition.
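
The validation gap described above, shown as a simplified userland model beside a checked dispatch. This is an added example, not kernel source or code from this alert; the model_* names, the sample table and sockets, and the -EOPNOTSUPP return are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>

/* Userland model only: every model_* name is hypothetical, not a kernel symbol. */
struct model_sock;
typedef ssize_t (*sendpage_fn)(struct model_sock *, const void *, size_t);
/* The sendpage slot stays NULL when a protocol never fills it in. */
struct model_proto_ops { const char *name; sendpage_fn sendpage; };
struct model_sock { const struct model_proto_ops *ops; };

static ssize_t impl_sendpage(struct model_sock *s, const void *page, size_t len)
{
    (void)s; (void)page;
    return (ssize_t)len;        /* pretend the whole page was queued */
}

/* Constructed sample data: one complete protocol, one with an empty slot. */
const struct model_proto_ops model_ops_table[] = {
    { "proto_with_sendpage", impl_sendpage },
    { "proto_without_sendpage", NULL },
};
struct model_sock sock_ok  = { &model_ops_table[0] };
struct model_sock sock_gap = { &model_ops_table[1] };

/* Before: trusts the slot, so an empty slot becomes a call through NULL. */
ssize_t model_sendpage_unchecked(struct model_sock *s, const void *page, size_t len)
{
    return s->ops->sendpage(s, page, len);
}

/* After: validate each pointer on the path before the indirect call. */
ssize_t model_sendpage_checked(struct model_sock *s, const void *page, size_t len)
{
    if (s == NULL || s->ops == NULL)
        return -EINVAL;
    if (s->ops->sendpage == NULL)
        return -EOPNOTSUPP;     /* assumed stand-in for a generic fallback */
    return s->ops->sendpage(s, page, len);
}

/* Audit: count operation tables that would reach the call with an empty slot. */
size_t count_missing_sendpage(const struct model_proto_ops *tbl, size_t n)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++)
        missing += (tbl[i].sendpage == NULL);
    return missing;
}
```

The audit helper models a check made when an operations table is registered, so an incomplete table is caught before any caller reaches the indirect call.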

 
Safeguards

Administrators are advised to apply the appropriate updates.

Administrators are advised to restrict local access to affected systems to trusted users.

Administrators are advised to monitor affected systems for signs of suspicious activities.

 
Patches/Software

Kernel.org has released an updated version at the following link: Linux Kernel 2.6.30.5

CentOS packages can be updated using the up2date or yum command.

MontaVista Software has released updated software at the following links:

MVL 6
MVL 5
PRO 5.0
PRO 5.0.24
MOBILINUX 5.0
CGE 5.0

Red Hat packages can be updated using the up2date or yum command.

VMware has released updated software at the following links:

ESX 4.0
ESX400-200911201-UG

ESX 3.5
ESX350-201006401-SG

 
Alert History
 

Version 13, December 1, 2009, 8:17 AM: MontaVista has re-released a security alert and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 12, November 24, 2009, 8:07 AM: VMware has released a security advisory and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 11, October 15, 2009, 8:44 AM: MontaVista Software has re-released a security alert and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 10, October 13, 2009, 11:18 AM: MontaVista Software has released an additional security alert and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 9, September 30, 2009, 12:37 PM: Red Hat has released an additional security advisory and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 8, September 22, 2009, 2:33 PM: Red Hat has released an additional security advisory and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 7, September 21, 2009, 7:36 AM: MontaVista has released a security alert and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.  Exploit code is publicly available.

Version 6, September 11, 2009, 1:44 PM: Kernel.org has released a changelog and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability. Exploit code is publicly available.

Version 5, September 1, 2009, 11:18 AM: Red Hat has released an additional security advisory and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 4, August 29, 2009, 1:43 AM: CentOS has released updated packages to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 3, August 29, 2009, 1:18 AM: Red Hat has released an additional security advisory and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 2, August 24, 2009, 11:40 AM: Red Hat has released security advisories and updated software to address the Linux Kernel sock_sendpage() local privilege escalation vulnerability.

Version 1, August 14, 2009, 3:02 PM: The Linux Kernel contains a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service condition.  Stable updates are not available currently.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Linus Torvalds Linux Kernel 2.4.0 Base | 2.4.1 Base | 2.4.2 Base | 2.4.3 Base | 2.4.4 Base | 2.4.5 Base | 2.4.6 Base | 2.4.7 Base | 2.4.8 Base | 2.4.9 Base | 2.4.10 Base | 2.4.11 Base | 2.4.12 Base | 2.4.13 Base | 2.4.14 Base | 2.4.15 Base | 2.4.16 Base | 2.4.17 Base | 2.4.18 Base | 2.4.19 Base | 2.4.20 Base | 2.4.21 Base | 2.4.22 Base | 2.4.23 Base | 2.4.24 Base | 2.4.25 Base | 2.4.26 Base | 2.4.27 Base | 2.4.28 Base | 2.4.29 Base | 2.4.30 Base | 2.4.31 Base | 2.4.32 Base | 2.4.33 Base, .1, .2, .3, .4, .5, .6, .7 | 2.4.34 Base, .1, .2, .3, .4, .5, .6 | 2.4.35 Base, .1, .2, .3, .4, .5 | 2.4.36 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9 | 2.4.37 .0 | 2.6.0 .0 | 2.6.1 .0 | 2.6.2 .0 | 2.6.3 .0 | 2.6.4 .0 | 2.6.5 .0 | 2.6.6 .0 | 2.6.7 .0 | 2.6.8 .0, .1 | 2.6.9 .0 | 2.6.10 .0 | 2.6.11 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12 | 2.6.12 .0, .1, .2, .3, .4, .5, .6 | 2.6.13 .0, .1, .2, .3, .4, .5 | 2.6.14 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.15 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.16 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24, .25, .26, .27, .28, .29, .30, .31, .32, .33, .34, .35, .36, .37, .38, .39, .40, .41, .42, .43, .44, .45, .46, .47, .48, .49, .50, .51, .52, .53, .54, .55, .56, .57, .58, .59, .60, .61, .62 | 2.6.17 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14 | 2.6.18 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 2.6.19 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.20 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21 | 2.6.21 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.22 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19 | 2.6.23 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17 | 2.6.24 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.25 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20 | 2.6.26 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.27 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21 | 2.6.29 .0, .1, .2, .3 | 2.6.30 Base, .1, .2, .3, .4

Associated Products:
CentOS Project CentOS 2 .0 i386 | 3 .0 i386, .0 x86_64, .0 s390x, .0 ia64 | 4 .0 i386, .0 x86_64, .0 ia64, .0 s390x, .1 i386, .1 x86_64, .1 ia64, .1 s390x, .2 i386, .2 x86_64, .2 ia64, .2 s390x, .3 i386, .3 x86_64, .3 ia64, .3 s390x, .4 i386, .4 x86_64, .4 ia64, .4 s390x, .5 i386, .5 x86_64, .5 ia64, .5 s390x, .6 i386, .6 x86_64, .6 ia64, .6 s390x, .7 i386, .7 x86_64 | 5 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64
MontaVista MontaVista Linux 5 Base | 6 Base | Professional 5.0, 5.0.24 | Mobilinux 5.0 | CGE 5.0
Red Hat, Inc. Red Hat Desktop 3 i386, i686, x86_64 | 4 IA-32, x86_64
Red Hat, Inc. Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, ppc64, s390x, x86_64
Red Hat, Inc. Red Hat Enterprise Linux Advanced Server 3 amd64 (x86_64), i386, i686, ia64, PPC, s390, s390x, ppc64 | 4 IA-32, IA-64, x86_64, PPC, ppc64, s390, s390x | 4.7.z IA-32, IA-64, PPC, s390, s390x, x86_64, ppc64, ppc64iseries | 4.8.z IA-32, IA-64, x86_64, PPC, ppc64, s390, s390x
Red Hat, Inc. Red Hat Enterprise Linux Desktop 5 IA-32, x86_64
Red Hat, Inc. Red Hat Enterprise Linux Enterprise Server 3 amd64 (x86_64), i386, i686, ia64 | 4 IA-32, IA-64, x86_64 | 4.7.z IA_32, IA_64, x86_64 | 4.8.z IA-32, IA-64, x86_64
Red Hat, Inc. Red Hat Enterprise Linux EUS (Extended Update Support) 5.2.z IA-32, IA-64, PPC, PPC64, s390x, x86-64 | 5.3.z IA-32, IA-64, PPC, ppc64, s390x, x86_64
Red Hat, Inc. Red Hat Enterprise Linux Workstation 3 amd64 (x86_64), i386, i686, ia64 | 4 IA-32, IA-64, x86_64
Red Hat, Inc. Red Hat Enterprise MRG for Enterprise Linux 1 ia-32, x86_64
VMware, Inc. VMware ESX Server 3.0 .3 | 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base



