Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 23 Apr 2014 12:27:51 -0400 (EDT)
From: cve-assign@...re.org
To: luto@...capital.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It is possible to reconfigure the network on Linux by calling write(2)
> on an appropriately connected netlink socket. By passing such a
> socket as stdout or stderr to a setuid program, anyone can reconfigure
> the network.


> http://marc.info/?l=linux-netdev&m=139820127225921&w=2

> Andy Lutomirski when looking at the networking stack noticed that it is
> possible to trick privileged processes into calling write on a netlink
> socket and send netlink messages they did not intend.
> 
> In particular from time to time there are suid applications that will
> write to stdout or stderr without checking exactly what kind of file
> descriptors those are and can be tricked into acting as a limited form
> of suid cat. In other conversations the magic string CVE-2014-0818 has
> been used to talk about this issue.

First, CVE-2014-0818 is not the correct CVE ID. CVE-2014-0818 is
associated only with a vulnerability in AutoCAD. A CVE ID of
CVE-2014-0181 was in the Subject line.

Also, there are two messages that discuss apparently distinct types of
security issues, suggesting that two or more CVE IDs may be needed:

http://marc.info/?l=linux-netdev&m=139820138225967&w=2
  "The caller needs capabilities on the namespace being queried, not
  on their own namespace. This is a security bug, although it likely
  has only a minor impact." (The patch is in the packet_diag_dump
  function in net/packet/diag.c, but the issue originally was in the
  sock_diag_put_filterinfo function in net/core/sock_diag.c.)

http://marc.info/?l=linux-netdev&m=139820147526004&w=2
  "verify that the opener of the socket had the desired permissions as
  well"

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTV+jvAAoJEKllVAevmvmsR6oH/0AlC8kHSHbG1bMA8LR1zuGi
dql/ePdiy0xZCaXK/2qjKmwF+F6DwYukmLqZsnpxhKPZImjTnTsK/Ij7fxID6sH2
b8YfB3H9ZmTjsh6q1SKXcj+vXphORktcrL0KjpgfGRQGexEa95o+1j0Vlrpk+Jdt
+g6RWUrVRFanBF+zE3DNSPI4Pza4BB+XoOrjEAVfp1AmizbObzaazY+UOQKZDi6m
FzmjErQtqViG0YMV7h8b1ktHF8+RjVT2cvFCPYs4Gmae7WOXiPxN+dngkvtJGQg7
1nH2jQOd6FhIN4HWLiL1xSTlst3bATxntC6aOPyx+KnFxQIomCMocS/6UecRWbI=
=XHpW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ