The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Linux kernel: privilege elevation via syscall on x86_64

Synthesis of the vulnerability

On an x86_64 architecture, a local attacker can use, among others, getsockopt() in a 32-bit process in order to elevate privileges.
Severity of this alert: 2/4.
Creation date: 16/09/2010.
References of this alert: 634457, BID-43239, CERTA-2010-AVI-570, CVE-2010-3081, DSA-2110-1, FEDORA-2010-14832, FEDORA-2010-14878, FEDORA-2010-14890, MDVSA-2010:188, MDVSA-2010:198, MDVSA-2010:214, MDVSA-2010:247, openSUSE-SU-2010:0654-1, openSUSE-SU-2010:0655-1, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0720-1, RHSA-2010:0704-01, RHSA-2010:0705-01, RHSA-2010:0711-01, RHSA-2010:0718-01, RHSA-2010:0719-01, RHSA-2010:0758-01, RHSA-2010:0842-01, RHSA-2010:0882-01, SSA:2010-265-01, SUSE-SA:2010:043, SUSE-SA:2010:044, SUSE-SA:2010:045, SUSE-SA:2010:046, SUSE-SA:2010:047, SUSE-SA:2010:050, SUSE-SA:2011:007, SUSE-SR:2010:017, SUSE-SU-2011:0635-1, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9947, VMSA-2010-0017, VMSA-2010-0017.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The Linux kernel can run 32-bit programs on an x86_64 platform.

The getsockopt() function obtains information about a socket. It performs a system call in order to do its task.

When a 32-bit application performs a system call, a user memory buffer is allocated by the compat_alloc_user_space() function of the file kernel/compat.c. However, compat_alloc_user_space() does not properly check the size of the buffer to allocate. A portion of the buffer can therefore be located in kernel space.

A local attacker can therefore use getsockopt() in a 32-bit process in order to elevate privileges.
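The following user-space model, added here as an illustration (it is neither Vigil@nce's nor the kernel's code), shows why the missing size check matters: compat_alloc_user_space() carves a scratch buffer out of the 32-bit task's user stack at sp - len, and the upstream fix made the function apply the access_ok() range check itself. The constants TASK_SIZE_MAX and USER_SP are assumptions that mimic x86_64 values; model_access_ok() is a simplified stand-in for the kernel's access_ok().

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed constants standing in for x86_64 values (assumptions, not
 * taken from any particular kernel configuration). */
#define TASK_SIZE_MAX 0x00007ffffffff000ULL /* top of the user half of the address space */
#define USER_SP       0x00000000ffffe000ULL /* sample stack pointer of a 32-bit task */

/* A __user pointer kept as a plain integer: the model only does address
 * arithmetic and never dereferences anything. */
typedef uint64_t uaddr_t;

/* Model of the kernel's access_ok(): the range must neither wrap around nor
 * reach above TASK_SIZE_MAX. */
static int model_access_ok(uaddr_t addr, uint64_t len)
{
    if (len > TASK_SIZE_MAX || addr > TASK_SIZE_MAX - len)
        return 0;
    return 1;
}

/* Before the fix: the buffer is simply placed at sp - len.  A length taken
 * from user space without validation (e.g. a negative int seen as a huge
 * unsigned value) makes the subtraction wrap into the kernel half. */
static uaddr_t compat_alloc_user_space_vulnerable(uaddr_t sp, uint64_t len)
{
    return sp - len;
}

/* After the fix: the access_ok() check lives inside the allocator, so every
 * caller gets either a buffer that lies entirely in user space or NULL (0). */
static uaddr_t compat_alloc_user_space_fixed(uaddr_t sp, uint64_t len)
{
    uaddr_t ptr = sp - len;
    if (!model_access_ok(ptr, len))
        return 0;
    return ptr;
}

int main(void)
{
    uint64_t bad_len = 0xffffffffULL; /* -1 as a 32-bit int, seen as unsigned */
    uaddr_t v = compat_alloc_user_space_vulnerable(USER_SP, bad_len);
    uaddr_t f = compat_alloc_user_space_fixed(USER_SP, bad_len);
    printf("vulnerable: buffer at 0x%016llx, in kernel half: %s\n",
           (unsigned long long)v, v > TASK_SIZE_MAX ? "yes" : "no");
    printf("fixed:      %s\n", f ? "buffer granted" : "NULL, request refused");
    return 0;
}
```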

This computer weakness alert impacts software or systems such as Debian, Fedora, Linux, Mandriva Linux, openSUSE, RHEL, Slackware, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.

Our Vigil@nce team determined that the severity of this weakness note is medium.

The trust level is: confirmed by the editor. The attack origin is: user shell.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner skills can exploit this vulnerability.

Solutions for this threat

Linux kernel: version 2.6.36.
Version 2.6.36 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.35.5.
Version 2.6.35.5 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.32.22.
Version 2.6.32.22 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.27.54.
Version 2.6.27.54 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: patch.
A patch is available in information sources.

Linux kernel: workaround for syscall on x86_64.
A workaround is to disable the execution of 32-bit programs, by registering a binfmt_misc handler that matches the 32-bit ELF magic (\x7fELF\x01) and hands such binaries to /bin/echo instead of running them (binfmt_misc must be mounted on /proc/sys/fs/binfmt_misc):
  echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

Debian: new linux-2.6 packages.
New packages are available:
  http://security.debian.org/pool/updates/main/l/linux-2.6/linux-*-2.6.26_2.6.26-25lenny1_*.deb

Fedora 12: new kernel packages.
New packages are available:
  kernel-2.6.32.21-168.fc12

Fedora 13: new kernel packages (21/09/2010).
New packages are available:
  kernel-2.6.34.7-56.fc13

Fedora 14: new kernel packages.
New packages are available:
  kernel-2.6.35.4-28.fc14

Mandriva 2009.0: new kernel packages.
New packages are available:
  Mandriva Linux 2009.0: kernel-2.6.27.53-1mnb2

Mandriva 2010.0: new kernel packages.
New packages are available:
  Mandriva Linux 2010.0: kernel-2.6.31.14-1mnb2

Mandriva 2010.1, MES 5: new kernel packages.
New packages are available:
  Mandriva Linux 2010.1: kernel-2.6.33.7-2mnb-1-1mnb2
  Mandriva Enterprise Server 5: kernel-2.6.27.53-1mnb-1-1mnb2

Mandriva C4: new kernel packages.
New packages are available:
  kernel-2.6.12.42mdk-1-1mdk

openSUSE 11.2: new kernel packages.
New packages are available:
  kernel-*-2.6.31.14-0.1.1

openSUSE 11.3: new kernel packages.
New packages are available:
  kernel-*-2.6.34.7-0.3.1

RHEL 3: new kernel packages.
New packages are available:
  kernel-2.4.21-66.EL

RHEL 4: new kernel packages.
New packages are available:
Red Hat Enterprise Linux version 4:
  kernel-2.6.9-89.29.1.EL
Red Hat Enterprise Linux version 4.7.z:
  kernel-2.6.9-78.0.33.EL

RHEL 5 MRG: new kernel-rt packages.
New packages are available:
MRG Realtime for RHEL 5 Server:
  kernel-rt-2.6.24.7-169.el5rt

RHEL 5: new kernel packages.
New packages are available:
Red Hat Enterprise Linux Desktop (v. 5 client):
Red Hat Enterprise Linux (v. 5 server):
  kernel-2.6.18-194.11.4.el5
Red Hat Enterprise Linux (v. 5.4.z server):
  kernel-2.6.18-164.25.2.el5
Red Hat Enterprise Linux (v. 5.3.z server):
  kernel-2.6.18-128.23.2.el5

RHEL 6: new kernel packages.
New packages are available:
  kernel-2.6.32-71.7.1.el6

Slackware: new kernel packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/linux-2.6.33.4-2/

SLE 10: new kernel packages.
New packages are available, as indicated in information sources.

SLE 11 SP1: new kernel packages.
New packages are available, as indicated in information sources.

SUSE LE 10 SP2: new kernel packages.
New packages are available:
  kernel-2.6.16.60-0.42.11

SUSE LE 11: new kernel packages.
New packages are available, as indicated in information sources.

SUSE LE 9: new kernel packages (23/08/2011).
New packages are available:
http://download.novell.com/patch/finder/?keywords=c05dae2ea95bb787f18166cf12f585e3

SUSE LE RT 11: new kernel-rt packages.
New packages are available:
  SUSE Linux Enterprise Real Time 11 SP1
    http://download.novell.com/patch/finder/?keywords=956b7941659a9a350984b3e4fa8be427

SUSE: new kernel packages.
New packages are available:
  kernel-*-2.6.27.48-0.3.1

SUSE: new packages (21/09/2010).
New packages are available, as indicated in information sources.

VMware: corrected versions.
Following versions are corrected:
VMware vCenter Server 4.1 Update 1 and modules
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
VMware vCenter Server 4.0 Update 3
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://www.vmware.com/support/vsphere4/doc/vsp_vc40_u3_rel_notes.html
ESXi 4.1 Installable Update 1
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/vsphere4/doc/vsp_esxi41_u1_rel_notes.html
  http://kb.vmware.com/kb/1027919
ESX 4.1 Update 1
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/vsphere4/doc/vsp_esx41_u1_rel_notes.html
  http://kb.vmware.com/kb/1029353
ESXi 4.0
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-274-20110303-677367/ESXi400-201103001.zip
  http://kb.vmware.com/kb/1032823
ESX 4.0
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-273-20110303-574144/ESX400-201103001.zip
  http://kb.vmware.com/kb/1032822

VMware ESX: patch.
A patch is available:
ESX 4.0:
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-257-20101231-664659/ESX400-201101001.zip
  http://kb.vmware.com/kb/1029426
ESX 4.1:
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-253-20101122-763417/ESX410-201011001.zip
  http://kb.vmware.com/kb/1029400
