The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Linux kernel: memory reading via ipc

Synthesis of the vulnerability 

A local attacker can use IPC system calls to read bytes stored in kernel memory.
Vulnerable products: Debian, Fedora, Linux, NLD, OES, openSUSE, RHEL, SLES, ESX.
Severity of this weakness: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/10/2010.
Revision date: 06/09/2011.
References of this bulletin: BID-43828, BID-43829, BID-45054, BID-45073, CERTA-2002-AVI-272, CVE-2010-4072, CVE-2010-4073, DSA-2126-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-18432, FEDORA-2010-18493, FEDORA-2010-18506, MDVSA-2011:029, MDVSA-2011:051, openSUSE-SU-2010:1047-1, openSUSE-SU-2011:0004-1, openSUSE-SU-2011:0048-1, openSUSE-SU-2011:0346-1, openSUSE-SU-2013:0927-1, RHSA-2010:0958-01, RHSA-2011:0007-01, RHSA-2011:0017-01, RHSA-2011:0162-01, SUSE-SA:2010:060, SUSE-SA:2011:001, SUSE-SA:2011:004, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SA:2011:017, SUSE-SU-2011:0928-1, VIGILANCE-VUL-10008, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability 

Several system calls manage IPC (Inter Process Communication):
 - semctl() : semaphores
 - shmctl() : shared memory
 - msgctl() : messages
However, these functions do not initialize some fields of the structure they return. Data previously stored in that memory is thus transmitted to the user.

The shmctl() function of the ipc/shm.c file does not correctly initialize the shmid_ds structure. [severity:1/4; BID-43829, BID-45054, CVE-2010-4072]

The semctl(), shmctl() and msgctl() functions of the ipc/compat.c file do not correctly initialize several structures. [severity:1/4; BID-43828, BID-45073, CVE-2010-4073]

A local attacker can therefore use IPC system calls to read bytes stored in kernel memory.
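
The bug class described above, modeled in user space as an added example (not kernel code and not part of the original bulletin): a reply structure is only partly filled in before being copied out in full, next to the corrected form that clears it first. The names `ipc_reply`, `reply_uninit`, `reply_zeroed`, `leaked_bytes` and the `STALE` marker are hypothetical, and `memcpy()` stands in for the copy to user space.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a reply structure such as shmid_ds:
 * two fields the handler sets, plus reserved fields it never writes. */
struct ipc_reply {
    int  segsz;
    int  nattch;
    long unused[2];
};
#define STALE 0xAA  /* constructed marker for leftover stack bytes */

/* Vulnerable pattern: only some fields are assigned before the whole
 * structure is copied out, so the rest keeps whatever was in the frame. */
static void reply_uninit(struct ipc_reply *frame, void *user_buf)
{
    frame->segsz  = 4096;
    frame->nattch = 1;
    memcpy(user_buf, frame, sizeof(*frame));   /* models the copy to user space */
}

/* Corrected pattern: clear the structure first, then fill and copy. */
static void reply_zeroed(struct ipc_reply *frame, void *user_buf)
{
    memset(frame, 0, sizeof(*frame));
    frame->segsz  = 4096;
    frame->nattch = 1;
    memcpy(user_buf, frame, sizeof(*frame));
}

/* Run one handler over a frame pre-filled with stale bytes and count how
 * many of those bytes reach the caller's buffer. */
static size_t leaked_bytes(void (*handler)(struct ipc_reply *, void *))
{
    struct ipc_reply frame;
    unsigned char out[sizeof(struct ipc_reply)];
    size_t i, n = 0;
    memset(&frame, STALE, sizeof(frame));      /* simulate a reused stack slot */
    handler(&frame, out);
    for (i = 0; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("uninitialized: %zu stale bytes copied out\n", leaked_bytes(reply_uninit));
    printf("zeroed first:  %zu stale bytes copied out\n", leaked_bytes(reply_zeroed));
    return 0;
}
```

Every byte of the structure that the handler does not write, reserved fields and compiler padding alike, is disclosed unless the structure is cleared before use.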

This cybersecurity vulnerability impacts software or systems such as Debian, Fedora, Linux, NLD, OES, openSUSE, RHEL, SLES, ESX.

Our Vigil@nce team determined that the severity of this vulnerability is low.

The trust level is "confirmed by the editor", and the origin of the attack is a user shell.

This bulletin is about 2 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this weakness.

Solutions for this threat 

Linux kernel: version 2.6.37.
The version 2.6.37 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.36.2.
The version 2.6.36.2 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.33.8.
The version 2.6.33.8 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.33/

Linux kernel: version 2.6.32.27.
The version 2.6.32.27 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.27.57.
The version 2.6.27.57 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.4.37.11.
The version 2.4.37.11 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.4/

Linux kernel: patch for ipc.
Two patches are available in information sources.

Debian: new linux-2.6 packages (29/11/2010).
New packages are available:
  http://security.debian.org/pool/updates/main/l/linux-2.6/linux-*_2.6.26-26lenny1_*.deb

Fedora 12: new kernel packages.
New packages are available:
  kernel-2.6.32.26-175.fc12

Fedora 13: new kernel packages.
New packages are available:
  kernel-2.6.34.7-63.fc13

Fedora 14: new kernel packages.
New packages are available:
  kernel-2.6.35.9-64.fc14

Mandriva C4: new kernel packages.
New packages are available:
  Corporate 4.0: kernel-2.6.12.43mdk-1-1mdk

Mandriva ES 5: new kernel packages.
New packages are available:
  Mandriva Enterprise Server 5: kernel-2.6.27.56-2mnb-1-1mnb2

openSUSE 11.1: new kernel packages.
New packages are available:
  openSUSE 11.1 : kernel-default-2.6.27.56-0.1.1

openSUSE 11.2: new kernel packages (18/04/2011).
New packages are available:
  kernel-*-2.6.31.14-0.8.1

openSUSE 11.3: new kernel packages.
New packages are available:
  kernel-*-2.6.34.7-0.7.1

openSUSE 11.4: new kernel-3.0.58 packages (10/06/2013).
New packages are available:
  kernel-3.0.58-30.2

RHEL 4: new kernel packages.
New packages are available:
  kernel-2.6.9-89.35.1.EL

RHEL 5 MRG: new kernel-rt packages.
New packages are available:
MRG Realtime for RHEL 5 Server:
  kernel-rt-2.6.33.7-rt29.47.el5rt

RHEL 5: new kernel packages.
New packages are available:
  kernel-2.6.18-238.el5

RHEL 6: new kernel packages (12/01/2011).
New packages are available:
  kernel-2.6.32-71.14.1.el6

SUSE LE 10: new kernel packages (14/12/2010).
New packages are available:
SUSE Linux Enterprise Desktop 10 SP3 for AMD64 and Intel EM64T
  http://download.novell.com/patch/finder/?keywords=674eb707cae3a31be66788e116641a9a
SUSE Linux Enterprise Server 10 SP3
  http://download.novell.com/patch/finder/?keywords=674eb707cae3a31be66788e116641a9a
  http://download.novell.com/patch/finder/?keywords=8bc9a9f71e0364816351d414eb3c9832
  http://download.novell.com/patch/finder/?keywords=c12e832d9f0b5b30c9d4e408ab99b34d
  http://download.novell.com/patch/finder/?keywords=7a6102f48e04658e517624d16e7806bc
  http://download.novell.com/patch/finder/?keywords=2d433ce13217ec9e95c2b22bce28b8ed
SLE SDK 10 SP3
  http://download.novell.com/patch/finder/?keywords=674eb707cae3a31be66788e116641a9a
  http://download.novell.com/patch/finder/?keywords=c12e832d9f0b5b30c9d4e408ab99b34d
  http://download.novell.com/patch/finder/?keywords=7a6102f48e04658e517624d16e7806bc
  http://download.novell.com/patch/finder/?keywords=2d433ce13217ec9e95c2b22bce28b8ed
SUSE Linux Enterprise Desktop 10 SP3
  http://download.novell.com/patch/finder/?keywords=674eb707cae3a31be66788e116641a9a
  http://download.novell.com/patch/finder/?keywords=2d433ce13217ec9e95c2b22bce28b8ed
SUSE Linux Enterprise Desktop 10 SP3 for x86
  http://download.novell.com/patch/finder/?keywords=2d433ce13217ec9e95c2b22bce28b8ed

SUSE LE 11: new kernel-extra packages (19/01/2011).
New packages are available:
  SLE 11 SERVER Unsupported Extras :
    kernel-*-extra-2.6.32.27-0.2.2

SUSE LE 11: new kernel packages (14/01/2011).
New packages are available, as indicated in information sources.

SUSE LE 9: new kernel packages (11/02/2011).
New packages are available, as indicated in information sources.

SUSE LE 9: new kernel packages (23/08/2011).
New packages are available:
  http://download.novell.com/patch/finder/?keywords=c05dae2ea95bb787f18166cf12f585e3

SUSE LE RT 11: new kernel-rt packages.
New packages are available:
  SUSE Linux Enterprise Real Time 11 SP1
    http://download.novell.com/patch/finder/?keywords=956b7941659a9a350984b3e4fa8be427

VMware ESX 4.0: patch ESX400-201110001.
A patch is available:
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-314-20111006-398488/ESX400-201110001.zip
  md5sum: 0ce9cc285ea5c27142c9fdf273443d78
  sha1sum: fdb5482b2bf1e9c97f2814255676e3de74512399
  http://kb.vmware.com/kb/1036391

VMware ESX: version 4.1 Update 2.
The version 4.1 Update 2 is corrected:
  http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
  http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html