Linux kernel 2.6.33-rc4 dns_resolver upcall security issue

2010.09.14
Credit: Eugene Teo
Risk: Low
Local: Yes
Remote: No


CVSS Base Score: 4.4/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

CIFS has the ability to chase MS-DFS referrals. In order to do this it has to be able to resolve hostnames into IP addresses. For this, it uses the keys API to upcall to the cifs.upcall userspace helper. It then resolves the name and hands the address back to the kernel.

The dns_resolver upcall currently used by CIFS is susceptible to cache stuffing. It's possible for a malicious user to stuff the keyring with the results of a lookup, and then trick the server into mounting a server of his choosing. I have assigned this CVE-2010-2524. To be susceptible to this, you need CONFIG_CIFS_DFS_UPCALL enabled. Interesting bug.

https://bugzilla.redhat.com/CVE-2010-2524

Upstream commit: http://git.kernel.org/linus/4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7
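
A local exposure check, added here as an example and not code from the advisory, the oss-security thread or the kernel tree. It applies the two conditions the advisory gives: CONFIG_CIFS_DFS_UPCALL enabled in the kernel config, and a kernel older than 2.6.35, the release whose ChangeLog is cited above as carrying the fix. The function names, the sample config lines, and the decision to treat 2.6.35 release candidates as still pre-fix are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the advisory or the kernel project): does this
# system look exposed to CVE-2010-2524? Susceptible when both hold:
#   1. CONFIG_CIFS_DFS_UPCALL=y or =m in the kernel config, and
#   2. the kernel is older than 2.6.35 (2.6.35-rc* is assumed to be pre-fix).
# Function names and the rc handling are assumptions of this example.

# Succeed if kernel config file $1 builds the CIFS DFS upcall in or as a module.
cifs_dfs_upcall_enabled() {
    grep -Eq '^CONFIG_CIFS_DFS_UPCALL=(y|m)$' "$1"
}

# Succeed if release string $1 (uname -r style, e.g. 2.6.32.71 or 2.6.35-rc4)
# is older than 2.6.35. Only the leading dotted numbers are compared; a "-rc"
# suffix on 2.6.35 itself counts as older than the release. Returns 2 when
# the string carries no version at all.
kernel_older_than_2_6_35() {
    v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    [ -n "$v" ] || { echo "unparseable kernel version: $1" >&2; return 2; }
    maj=${v%%.*}
    rest=${v#"$maj"}; rest=${rest#.}
    min=${rest%%.*}
    rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    min=${min:-0}
    pat=${pat:-0}
    case "$1" in *-rc*) rc=1 ;; *) rc=0 ;; esac
    if [ "$maj" -lt 2 ]; then return 0; fi
    if [ "$maj" -gt 2 ]; then return 1; fi
    if [ "$min" -lt 6 ]; then return 0; fi
    if [ "$min" -gt 6 ]; then return 1; fi
    if [ "$pat" -lt 35 ]; then return 0; fi
    if [ "$pat" -eq 35 ] && [ "$rc" -eq 1 ]; then return 0; fi
    return 1
}

# Combine both conditions for config file $1 and release $2. Prints a verdict
# and succeeds only when the system looks susceptible; 2 means "could not tell".
assess() {
    cfg=$1; rel=$2
    if ! cifs_dfs_upcall_enabled "$cfg"; then
        echo "not affected: CONFIG_CIFS_DFS_UPCALL is not enabled in $cfg"
        return 1
    fi
    st=0
    kernel_older_than_2_6_35 "$rel" || st=$?
    case $st in
        0) ;;
        2) return 2 ;;
        *) echo "not affected: kernel $rel is 2.6.35 or newer"; return 1 ;;
    esac
    echo "SUSCEPTIBLE: kernel $rel has CONFIG_CIFS_DFS_UPCALL enabled (CVE-2010-2524)"
    return 0
}

# Inspect the running kernel via /boot/config-<release> or /proc/config.gz.
check_running_kernel() {
    rel=$(uname -r)
    if [ -r "/boot/config-$rel" ]; then
        assess "/boot/config-$rel" "$rel"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp) || return 2
        zcat /proc/config.gz > "$tmp"
        st=0
        assess "$tmp" "$rel" || st=$?
        rm -f "$tmp"
        return $st
    else
        echo "no kernel config found for $rel" >&2
        return 2
    fi
}

# Run against the live system only when asked: sh check.sh --run
case "${1:-}" in --run) check_running_kernel ;; esac
```

The version test is deliberately coarse: it answers "is the fix release reached?" and nothing more, so a distribution kernel that backported the 2.6.35 change under an older version number will still be reported as susceptible. For such kernels the config check stays useful, but the final word has to come from the vendor's errata for this CVE.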

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7
https://bugzilla.redhat.com/show_bug.cgi?id=612166
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
http://marc.info/?l=oss-security&m=128080755321157&w=2
http://marc.info/?l=oss-security&m=128078387328921&w=2
http://marc.info/?l=oss-security&m=128072090331700&w=2


Copyright 2024, cxsecurity.com
