Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 23 Apr 2014 12:27:51 -0400 (EDT)
Subject: Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks

Hash: SHA1

> It is possible to reconfigure the network on Linux by calling write(2)
> on an appropriately connected netlink socket. By passing such a
> socket as stdout or stderr to a setuid program, anyone can reconfigure
> the network.


> Andy Lutomirski when looking at the networking stack noticed that it is
> possible to trick privileged processes into calling write on a netlink
> socket and send netlink messages they did not intend.
> In particular from time to time there are suid applications that will
> write to stdout or stderr without checking exactly what kind of file
> descriptors those are and can be tricked into acting as a limited form
> of suid cat. In other conversations the magic string CVE-2014-0818 has
> been used to talk about this issue.

First, CVE-2014-0818 is not the correct CVE ID. CVE-2014-0818 is
associated only with a vulnerability in AutoCAD. A CVE ID of
CVE-2014-0181 was in the Subject line.

Also, there are two messages that discuss apparently distinct types of
security issues, suggesting that two or more CVE IDs may be needed:
  "The caller needs capabilities on the namespace being queried, not
  on their own namespace. This is a security bug, although it likely
  has only a minor impact." (The patch is in the packet_diag_dump
  function in net/packet/diag.c, but the issue originally was in the
  sock_diag_put_filterinfo function in net/core/sock_diag.c.)
  "verify that the opener of the socket had the desired permissions as

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ