[ISN] Researchers Find Serious Vulnerability in Linux Kernel

From: InfoSec News (isn@private)
Date: Tue Dec 02 2003 - 00:53:00 PST

Next message: InfoSec News: "[ISN] Security worries keep many from banking online"

Previous message: InfoSec News: "[ISN] Watching the Net's background radiation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.eweek.com/article2/0,4149,1400446,00.asp

By Dennis Fisher 
December 1, 2003   
 
Security professionals took note of a critical new vulnerability in
the Linux kernel that could enable an attacker to gain root access to
a vulnerable machine and take complete control of it. An unknown
cracker recently used this weakness to compromise several of the
Debian Project's servers, which led to the discovery of the new
vulnerability.

This discovery has broad implications for the Linux community. Because
the flaw is in the Linux kernel itself, the problem affects virtually
every distribution of the operating system and several vendors have
confirmed that their products are vulnerable. The vulnerability is in
all releases of the kernel from Version 2.4.0 through 2.5.69, but has
been fixed in Releases 2.4.23-pre7 and 2.6.0-test6.

The vulnerability itself is an integer overflow in the brk( ) system
call, which is a memory-management function. When the call invokes the
do_brk( ) function, using user-supplied address and length variables,
the call does not check for integer overflows when adding the
variables, according to an analysis of the problem by Symantec Corp.,
based in Cupertino, Calif.

According to Symantec, this weakness would allow any local user with
shell-level access to the system to escalate his privileges to root.  
This would allow the attacker to perform just about any task he chose
on the machine. Symantec warned that the new flaw could be combined
with any number of remote vulnerabilities to allow remote attackers to
gain root access, as well.

RedHat Inc. and the Debian Project, both have released advisories
warning customers of the issue and providing information on fixes. A
slew of products from other vendors, including, MandrakeSoft S.A.,
SuSE Linux AG and Caldera International Inc., also are vulnerable.

According to Symantec's analysis, the exploit that the attacker used
to compromise the Debian servers is not publicly available, but is
apparently circulating in the cracker underground.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] Security worries keep many from banking online"
Previous message: InfoSec News: "[ISN] Watching the Net's background radiation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Dec 02 2003 - 02:45:48 PST