Date: Wed, 23 Apr 2014 12:27:51 -0400 (EDT)
From: cve-assign@...re.org
To: luto@...capital.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks

> It is possible to reconfigure the network on Linux by calling write(2)
> on an appropriately connected netlink socket. By passing such a
> socket as stdout or stderr to a setuid program, anyone can reconfigure
> the network.

> http://marc.info/?l=linux-netdev&m=139820127225921&w=2

> Andy Lutomirski when looking at the networking stack noticed that it is
> possible to trick privileged processes into calling write on a netlink
> socket and send netlink messages they did not intend.
>
> In particular from time to time there are suid applications that will
> write to stdout or stderr without checking exactly what kind of file
> descriptors those are and can be tricked into acting as a limited form
> of suid cat. In other conversations the magic string CVE-2014-0818 has
> been used to talk about this issue.

First, CVE-2014-0818 is not the correct CVE ID. CVE-2014-0818 is
associated only with a vulnerability in AutoCAD. A CVE ID of
CVE-2014-0181 was in the Subject line.

Also, there are two messages that discuss apparently distinct types of
security issues, suggesting that two or more CVE IDs may be needed:

http://marc.info/?l=linux-netdev&m=139820138225967&w=2

"The caller needs capabilities on the namespace being queried, not on
their own namespace. This is a security bug, although it likely has
only a minor impact."

(The patch is in the packet_diag_dump function in net/packet/diag.c,
but the issue originally was in the sock_diag_put_filterinfo function
in net/core/sock_diag.c.)

http://marc.info/?l=linux-netdev&m=139820147526004&w=2

"verify that the opener of the socket had the desired permissions as
well"

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
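
The quoted report notes that setuid programs write to stdout or stderr without checking what kind of file descriptor they inherited. The C code below is an added example, not code from this thread or from the linked kernel patches: it shows a userspace check a privileged program could run before producing output, and the names `classify_fd` and `fd_safe_for_output` are hypothetical. It assumes Linux, where `SO_DOMAIN` is available, and it is separate from the kernel-side permission checks the patches discuss.

```c
/* Added example: classify an inherited descriptor before a privileged
 * program writes to it. Function names are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum fd_kind { FD_UNCLASSIFIED = -1, FD_NOT_SOCKET, FD_OTHER_SOCKET, FD_NETLINK_SOCKET };

/* Inspect a descriptor without reading from or writing to it. */
enum fd_kind classify_fd(int fd)
{
    struct stat st;
    int domain = 0;
    socklen_t len = sizeof(domain);

    if (fstat(fd, &st) != 0)
        return FD_UNCLASSIFIED;       /* closed or invalid descriptor */
    if (!S_ISSOCK(st.st_mode))
        return FD_NOT_SOCKET;         /* regular file, pipe, tty, ... */
    /* SO_DOMAIN reports the address family the socket was created with. */
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) != 0)
        return FD_UNCLASSIFIED;       /* a socket we cannot identify */
    return domain == AF_NETLINK ? FD_NETLINK_SOCKET : FD_OTHER_SOCKET;
}

/* Fail closed: only descriptors positively identified as something other
 * than a netlink socket are accepted for output. */
int fd_safe_for_output(int fd)
{
    enum fd_kind kind = classify_fd(fd);
    return kind == FD_NOT_SOCKET || kind == FD_OTHER_SOCKET;
}

int main(void)
{
    /* Exit silently when either stream is suspect: writing a diagnostic
     * to it would itself be the unintended write. */
    if (!fd_safe_for_output(STDOUT_FILENO) || !fd_safe_for_output(STDERR_FILENO))
        return 1;
    printf("stdout kind=%d, stderr kind=%d\n",
           classify_fd(STDOUT_FILENO), classify_fd(STDERR_FILENO));
    return 0;
}
```

A closed stdout or stderr is rejected as well, since the check accepts only descriptors it can positively classify.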