Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 22 Aug 2012 09:20:26 +0200
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2012-3520 kernel: af_netlink: invalid handling of
 SCM_CREDENTIALS passing

A flaw was found in the way Netlink messages without explicitly set
SCM_CREDENTIALS were delivered. The kernel passes all-zero
SCM_CREDENTIALS ancillary data to the receiver if the sender did not
provide such data, instead of including the correct data from the peer
(as it is the case with AF_UNIX). Programs that set SO_PASSCRED option
on the Netlink socket and rely on SCM_CREDENTIALS for authentication
might accept spoofed messages and perform privileged actions on behalf
of the unprivileged attacker.

Introduced in:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=16e572626961

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=e0e3cea46d31

Acknowledgements:

Red Hat would like to thank Pablo Neira Ayuso for for reporting this
issue.

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ