
[linux-security] DoS attacks against Linux kernel



Topic
=====
Several vulnerabilities in the Linux kernel allow DoS attacks

Problem Description
===================
There exist several bugs in the Linux kernel that allow a local user
(i.e., a user with an account on the machine) and, in one case, a remote
attacker to crash the machine.

1) By using a C program it is possible to trigger a floating point
   exception that puts the kernel into an unusable state.
   (CAN-2004-0554)

2) A vulnerability exists in the e1000 driver for the Linux kernel 2.4.26
   and earlier: The e1000 driver does not properly reset memory or restrict
   the maximum length of a data structure, which can allow a local user to
   read portions of kernel memory (CAN-2004-0535).

3) Numerous problems referencing userspace memory were identified in several
   device drivers (CAN-2004-0495).

4) The netfilter code of the 2.6 kernels allows a remote DoS attack due to
   an incorrect type of a variable. This DoS attack is only possible if
   the "-p tcp --tcp-option" options in the netfilter firewall are used.

Affected Systems
================
re 1): kernel versions 2.6.6 and earlier
re 2): kernel versions 2.4.26 and earlier
re 3): kernel versions 2.6.6 and earlier
re 4): kernel versions 2.6.x, x < 7
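
A quick triage of the ranges above, as an added example that is not part of the original advisory: it maps a kernel release string to items 1-4 and, for item 4, checks an iptables-save style ruleset for --tcp-option. Function names and the sample ruleset are constructed; only the upstream version number is compared, numerically, so a hit on a distribution kernel still has to be checked against the package releases listed under Solution.

```shell
#!/bin/sh
# Added example: thresholds are copied from "Affected Systems" above.

# ver_num REL: "2.6.5-7.75-default" -> 2006005 (major.minor.patch as one integer)
ver_num() {
    v=${1%%-*}                          # drop the distribution suffix
    old_ifs=$IFS; IFS=.
    set -- $v                           # split on dots
    IFS=$old_ifs
    a=${1%%[!0-9]*}; b=${2%%[!0-9]*}; c=${3%%[!0-9]*}
    echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# affected_items REL: print the advisory items whose version range covers REL
affected_items() {
    n=$(ver_num "$1")
    items=""
    if [ "$n" -le 2006006 ]; then items="$items 1"; fi   # 1) 2.6.6 and earlier
    if [ "$n" -le 2004026 ]; then items="$items 2"; fi   # 2) 2.4.26 and earlier
    if [ "$n" -le 2006006 ]; then items="$items 3"; fi   # 3) 2.6.6 and earlier
    if [ "$n" -ge 2006000 ] && [ "$n" -lt 2006007 ]; then
        items="$items 4"                                 # 4) 2.6.x, x < 7
    fi
    echo "${items# }"
}

# uses_tcp_option: rules on stdin; succeeds if any rule matches on --tcp-option
uses_tcp_option() {
    grep -q -e '^-A .*--tcp-option'
}

# item4_reachable REL < rules: version in range AND the ruleset uses --tcp-option
item4_reachable() {
    case " $(affected_items "$1") " in
        *" 4 "*) uses_tcp_option ;;
        *)       return 1 ;;
    esac
}

# Constructed sample ruleset (iptables-save style), not taken from the advisory
SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-option 2 -j LOG'

echo "items matching $(uname -r) by version: $(affected_items "$(uname -r)")"
```

On a live host, feed the second check with `iptables-save | item4_reachable "$(uname -r)"`.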

Solution
========
Upgrade to the patched version for your distribution.
Note: As far as I can tell not all of the patched kernels listed below
include patches against all of these vulnerabilities.

SuSE
----
The SuSE updates below contain patches against vulnerability 1).

SuSE-8.0
--------
rpm -ivh k_<type>-2.4.18-299.i386.rpm
where <type> is one of deflt, psmp, smp, or i386.

rpm -Fvh kernel-source-2.4.18.SuSE-299.i386.rpm

SuSE-8.1
--------
rpm -ivh k_<type>-2.4.21-226.src.rpm
where <type> is one of deflt, psmp, smp, or athlon.

rpm -Fvh kernel-source-2.4.21-226.i586.rpm

SuSE-8.2
--------
rpm -ivh k_<type>-2.4.20-113.src.rpm
where <type> is one of deflt, psmp, smp, or athlon.

rpm -Fvh kernel-source-2.4.20.SuSE-113.i586.rpm

SuSE-9.0
--------
rpm -ivh k_<type>-2.4.21-226.i586.rpm
where <type> is one of deflt, smp, smp4G, um, or athlon.

rpm -Fvh kernel-source-2.4.21-226.i586.rpm

SuSE-9.1
--------
rpm -ivh kernel-<type>-2.6.5-7.75.i586.rpm
where <type> is one of default, smp, or bigsmp.

rpm -Fvh kernel-source-2.6.5-7.75.i586.rpm

SFU-1.0 (RedHat 7.3)
--------------------
[packages available from ftp://ftp.sfu.ca/pub/linux/1.0/RPMS/]
Packages below fix bugs 1-3; RH 7.3 is not affected by 4).

rpm -ivh kernel<type>-2.4.20-33.7.<arch>.rpm
where <type> is either empty or one of -smp or -bigmem, and <arch> is
one of i386, i586, i686, or athlon.

rpm -Fvh kernel-source-2.4.20-33.7.i386.rpm kernel-doc-2.4.20-33.7.i386.rpm

Mandrake
--------
The Mandrake updates contain patches against vulnerabilities 1) and 2).

Mandrake 9.1
------------
rpm -ivh kernel<type>-2.4.21.0.31mdk-1-1mdk.i586.rpm
where <type> is either empty or one of -smp, -secure, or -enterprise.

rpm -Fvh kernel-source-2.4.21-0.31mdk.i586.rpm

Mandrake 9.2
------------
rpm -ivh kernel<type>-2.4.22.35mdk-1-1mdk.i586.rpm
where <type> is either empty or one of -smp, -secure, -enterprise,
-i686-up-4GB, or -p3-smp-64GB.

rpm -Fvh kernel-source-2.4.22-35mdk.i586.rpm

Mandrake 10.0
-------------
rpm -ivh kernel<type>-2.4.25.6mdk-1-1mdk.i586.rpm
or
rpm -ivh kernel<type>-2.6.3.14mdk-1-1mdk.i586.rpm
where <type> is either empty or one of -smp, -secure, -enterprise,
-i686-up-4GB or -p3-smp-64GB.

rpm -Fvh kernel-source-2.4.25-6mdk.i586.rpm
or
rpm -Fvh kernel-source-2.6.3-14mdk.i586.rpm \
         kernel-source-stripped-2.6.3-14mdk.i586.rpm

Fedora 1
--------
Packages below fix bugs 1-3; Fedora 1 is not affected by 4).

rpm -ivh kernel<type>-2.4.22-1.2197.nptl.<arch>.rpm
where <type> is either empty or -smp and <arch> is one of i386, i586,
i686, or athlon.

rpm -Fvh kernel-source-2.4.22-1.2197.nptl.i386.rpm \
         kernel-doc-2.4.22-1.2197.nptl.i386.rpm

Fedora 2
--------
Packages below fix bugs 1-4.

rpm -ivh kernel<type>-2.6.6-1.435.2.3.nptl.<arch>.rpm
where <type> is either empty or -smp and <arch> is one of i586 or i686.

rpm -Fvh kernel-sourcecode-2.6.6-1.435.2.3.noarch.rpm \
         kernel-doc-2.6.6-1.435.2.3.noarch.rpm