Re: CAN-2005-2555: 2.6.x does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability
On Sun, Aug 21, 2005 at 09:56:54AM -0500, Micah wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hey all,
>
> CAN-2005-2555[1] reads:
>
> Linux kernel 2.6.x does not properly restrict socket policy access to
> users with the CAP_NET_ADMIN capability, which could allow local users
> to conduct unauthorized activities via (1) ipv4/ip_sockglue.c and (2)
> ipv6/ipv6_sockglue.c.
>
> A flaw was discovered where xfrm_user_policy was not protected by
> CAP_NET_ADMIN. A local unprivileged user could use this flaw to bypass
> or create IPSEC policies. This is not believed to allow privilege
> escalation, but could lead to a denial of service (since there is no
> upper bounds on creating policies).
>
> This issue doesn't affect 2.4, unless there was a backport of this
> functionality.
>
> There appears to be fixes[2],[3],[4] available.
>
> 1.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2555
> 2.http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
> 3.http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975
> 4.http://linux.bkbits.net:8080/linux-2.6/cset@42f783aesxFQlEEg0e9GPi4oeVDHbA
>
> Micah
Hi Micah,
Thanks as always.
I have added [X] to SVN.
- In the linux-2.6 directory in trunk
*This should appear in linux-2.6 2.6.12-6 in unstable.
- In the linux-2.6-devel (perhaps renamed linux-2.6-experimental by now)
directory
- The sarge-security 2.6.8 branch
* It should appear in kernel-source-2.6.8 2.6.8-16sarge2 in sarge-security
(still working on how the security and kernel team can do this)
- The sarge 2.6.8 branch
- The sarge-security 2.4.27 branch
* It should appear in kernel-source-2.4.27 2.4.27-10sarge2 in sarge-security
(again, still working on how the security and kernel team can do this)
- The 2.4.27 directory in trunk
* This should appear as kernel-source-2.4.27 2.6.12-12 in unstable
Man, thats too many branches to be adding stuff to.
Need to do something about that.
[X] http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2;hp=534afb90a9cd0b9643f62d660c164e1d924f39cf
--
Horms
Reply to: