The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.

Several serious problems have been discovered in the Linux kernel.
This update takes care of Linux 2.4.16 for the ARM architecture. The Common Vulnerabilities and Exposures project identifies the following problems that will be fixed with this update :

  - CAN-2003-0127     The kernel module loader allows local users to gain root     privileges by using ptrace to attach to a child process     that is spawned by the kernel.

  - CAN-2004-0003

    A vulnerability has been discovered in the R128 DRI     driver in the Linux kernel which could potentially lead     an attacker to gain unauthorised privileges. Alan Cox     and Thomas Biege developed a correction for this.

  - CAN-2004-0010

    Arjan van de Ven discovered a stack-based buffer     overflow in the ncp_lookup function for ncpfs in the     Linux kernel, which could lead an attacker to gain     unauthorised privileges. Petr Vandrovec developed a     correction for this.

  - CAN-2004-0109

    zen-parse discovered a buffer overflow vulnerability in     the ISO9660 filesystem component of Linux kernel which     could be abused by an attacker to gain unauthorised root     access. Sebastian Krahmer and Ernie Petrides developed a     correction for this.

  - CAN-2004-0177

    Solar Designer discovered an information leak in the     ext3 code of Linux. In a worst case a local attacker     could obtain sensitive information (such as     cryptographic keys in another worst case) which would     otherwise never hit disk media. Theodore Ts'o developed     a correction for this.

  - CAN-2004-0178

    Andreas Kies discovered a denial of service condition in     the Sound Blaster driver in Linux. He also developed a     correction for this.

These problems are also fixed by upstream in Linux 2.4.26 and will be fixed in Linux 2.6.6.

The following security matrix explains which kernel versions for which architectures are already fixed and which will be removed instead.

  Architecture    stable (woody)  unstable (sid)    source          2.4.16-1woody2  2.4.25-3          arm/patch       20040419        20040316          arm/lart        20040419        2.4.25-4          arm/netwinder   20040419        2.4.25-4          arm/riscpc      20040419        2.4.25-4

The IA-64 maintainers fixed several security related bugs in the Linux kernel 2.4.17 used for the IA-64 architecture, mostly by backporting fixes from 2.4.18. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project :

  - CAN-2003-0001 :
    Multiple ethernet network interface card (NIC) device     drivers do not pad frames with null bytes, which allows     remote attackers to obtain information from previous     packets or kernel memory by using malformed packets, as     demonstrated by Etherleak.

  - CAN-2003-0018 :

    Linux kernel 2.4.10 through 2.4.21-pre4 does not     properly handle the O_DIRECT feature, which allows local     attackers with write privileges to read portions of     previously deleted files, or cause file system     corruption.

  - CAN-2003-0127 :

    The kernel module loader in Linux kernel 2.2.x before     2.2.25, and 2.4.x before 2.4.21, allows local users to     gain root privileges by using ptrace to attach to a     child process which is spawned by the kernel.

  - CAN-2003-0461 :

    The virtual file /proc/tty/driver/serial in Linux 2.4.x     reveals the exact number of characters used in serial     links, which could allow local users to obtain     potentially sensitive information such as the length of     passwords.

  - CAN-2003-0462 :

    A race condition in the way env_start and env_end     pointers are initialized in the execve system call and     used in fs/proc/base.c on Linux 2.4 allows local users     to cause a denial of service (crash).

  - CAN-2003-0476 :

    The execve system call in Linux 2.4.x records the file     descriptor of the executable process in the file table     of the calling process, which allows local users to gain     read access to restricted file descriptors.

  - CAN-2003-0501 :

    The /proc filesystem in Linux allows local users to     obtain sensitive information by opening various entries     in /proc/self before executing a setuid program, which     causes the program to fail to change the ownership and     permissions of those entries.

  - CAN-2003-0550 :

    The STP protocol, as enabled in Linux 2.4.x, does not     provide sufficient security by design, which allows     attackers to modify the bridge topology.

  - CAN-2003-0551 :

    The STP protocol implementation in Linux 2.4.x does not     properly verify certain lengths, which could allow     attackers to cause a denial of service.

  - CAN-2003-0552 :

    Linux 2.4.x allows remote attackers to spoof the bridge     Forwarding table via forged packets whose source     addresses are the same as the target.

  - CAN-2003-0961 :

    An integer overflow in brk system call (do_brk function)     for Linux kernel 2.4.22 and earlier allows local users     to gain root privileges.

  - CAN-2003-0985 :

    The mremap system call (do_mremap) in Linux kernel 2.4     and 2.6 does not properly perform boundary checks, which     allows local users to cause a denial of service and     possibly gain privileges by causing a remapping of a     virtual memory area (VMA) to create a zero length VMA.

A number of vulnerabilities have been discovered in the Linux kernel.

  - CAN-2002-1380: Linux kernel 2.2.x allows local users to     cause a denial of service (crash) by using the mmap()     function with a PROT_READ parameter to access     non-readable memory pages through the /proc/pid/mem     interface.
  - CVE-2002-0429: The iBCS routines in     arch/i386/kernel/traps.c for Linux kernels 2.4.18 and     earlier on x86 systems allow local users to kill     arbitrary processes via a binary compatibility interface     (lcall)

  - CAN-2003-0001: Multiple ethernet Network Interface Card     (NIC) device drivers do not pad frames with null bytes,     which allows remote attackers to obtain information from     previous packets or kernel memory by using malformed     packets

  - CAN-2003-0127: The kernel module loader allows local     users to gain root privileges by using ptrace to attach     to a child process that is spawned by the kernel

  - CAN-2003-0244: The route cache implementation in Linux     2.4, and the Netfilter IP conntrack module, allows     remote attackers to cause a denial of service (CPU     consumption) via packets with forged source addresses     that cause a large number of hash table collisions     related to the PREROUTING chain

  - CAN-2003-0246: The ioperm system call in Linux kernel     2.4.20 and earlier does not properly restrict     privileges, which allows local users to gain read or     write access to certain I/O ports.

  - CAN-2003-0247: vulnerability in the TTY layer of the     Linux kernel 2.4 allows attackers to cause a denial of     service ('kernel oops')

  - CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows     attackers to modify CPU state registers via a malformed     address.

  - CAN-2003-0364: The TCP/IP fragment reassembly handling     in the Linux kernel 2.4 allows remote attackers to cause     a denial of service (CPU consumption) via certain     packets that cause a large number of hash table     collisions

This advisory provides updated 2.2.20 kernel source, and binary kernel images for the i386 architecture. Other architectures and kernel versions will be covered by separate advisories.

A number of vulnerabilities have been discovered in the Linux kernel.

  - CVE-2002-0429: The iBCS routines in     arch/i386/kernel/traps.c for Linux kernels 2.4.18 and     earlier on x86 systems allow local users to kill     arbitrary processes via a binary compatibility interface     (lcall)
  - CAN-2003-0001: Multiple ethernet Network Interface Card     (NIC) device drivers do not pad frames with null bytes,     which allows remote attackers to obtain information from     previous packets or kernel memory by using malformed     packets

  - CAN-2003-0127: The kernel module loader allows local     users to gain root privileges by using ptrace to attach     to a child process that is spawned by the kernel

  - CAN-2003-0244: The route cache implementation in Linux     2.4, and the Netfilter IP conntrack module, allows     remote attackers to cause a denial of service (CPU     consumption) via packets with forged source addresses     that cause a large number of hash table collisions     related to the PREROUTING chain

  - CAN-2003-0246: The ioperm system call in Linux kernel     2.4.20 and earlier does not properly restrict     privileges, which allows local users to gain read or     write access to certain I/O ports.

  - CAN-2003-0247: vulnerability in the TTY layer of the     Linux kernel 2.4 allows attackers to cause a denial of     service ('kernel oops')

  - CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows     attackers to modify CPU state registers via a malformed     address.

  - CAN-2003-0364: The TCP/IP fragment reassembly handling     in the Linux kernel 2.4 allows remote attackers to cause     a denial of service (CPU consumption) via certain     packets that cause a large number of hash table     collisions

This advisory provides corrected source code for Linux 2.4.17, and corrected binary kernel images for the mips and mipsel architectures.
Other versions and architectures will be covered by separate advisories.

A number of vulnerabilities have been discovered in the Linux kernel.

CVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).

CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets.

CAN-2003-0127: The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.

CAN-2003-0244: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.

CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.

CAN-2003-0247: Vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ('kernel oops').

CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.

CAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.

This advisory covers only the powerpc architecture. Other architectures will be covered by separate advisories.

A number of vulnerabilities have been discovered in the Linux kernel.

CVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).

CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets.

CAN-2003-0127: The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.

CAN-2003-0244: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.

CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.

CAN-2003-0247: Vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ('kernel oops').

CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.

CAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.

This advisory covers only the i386 (Intel IA32) architectures. Other architectures will be covered by separate advisories.

The kernel module loader in Linux 2.2 and Linux 2.4 kernels has a flaw in ptrace. This hole allows local users to obtain root privileges by using ptrace to attach to a child process that is spawned by the kernel. Remote exploitation of this hole is not possible.

This advisory only covers kernel packages for the S/390 architecture.
Other architectures will be covered by separate advisories.

The kernel module loader in Linux 2.2 and Linux 2.4 kernels has a flaw in ptrace. This hole allows local users to obtain root privileges by using ptrace to attach to a child process that is spawned by the kernel. Remote exploitation of this hole is not possible.

This advisory only covers kernel packages for the big and little endian MIPS architectures. Other architectures will be covered by separate advisories.

A number of vulnerabilities have been found in the Linux 2.2 kernel that have been addressed with the latest 2.2.25 release.

A bug in the kernel module loader code could allow a local user to gain root privileges. This is done by a local user using ptrace and attaching to a modprobe process that is spawned if the user triggers the loading of a kernel module.

A temporary workaround can be used to defend against this flaw. It is possible to temporarily disable the kmod kernel module loading subsystem in the kernel after all of the required kernel modules have been loaded. Be sure that you do not need to load additional kernel modules after implementing this workaround. To use it, as root execute :

echo /no/such/file >/proc/sys/kernel/modprobe

To automate this, you may wish to add it as the last line of the /etc/rc.d/rc.local file. You can revert this change by replacing the content '/sbin/modprobe' in the /proc/sys/kernel/modprobe file. The root user can still manually load kernel modules with this workaround in place.

As well, multiple ethernet device drivers do not pad frames with null bytes, which could allow remote attackers to obtain information from previous packets or kernel memory by using malformed packets.

Finally, the 2.2 kernel allows local users to cause a crash of the host system by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface.

All users are encouraged to upgrade to the latest kernel version provided.

For instructions on how to upgrade your kernel in Mandrake Linux, please refer to :

http://www.mandrakesecure.net/en/kernelupdate.php

A bug in the kernel module loader code could allow a local user to gain root privileges. This is done by a local user using ptrace and attaching to a modprobe process that is spawned if the user triggers the loading of a kernel module.

A temporary workaround can be used to defend against this flaw. It is possible to temporarily disable the kmod kernel module loading subsystem in the kernel after all of the required kernel modules have been loaded. Be sure that you do not need to load additional kernel modules after implementing this workaround. To use it, as root execute :

echo /no/such/file >/proc/sys/kernel/modprobe

To automate this, you may wish to add it as the last line of the /etc/rc.d/rc.local file. You can revert this change by replacing the content '/sbin/modprobe' in the /proc/sys/kernel/modprobe file. The root user can still manually load kernel modules with this workaround in place.

This update applies a patch to correct the problem. All users should upgrade. Please note that the Mandrake Linux 9.1 kernel already has this patch, and an updated kernel for Mandrake Linux 8.2 will be available shortly.

For instructions on how to upgrade your kernel in Mandrake Linux, please refer to :

http://www.mandrakesecure.net/en/kernelupdate.php

Update :

Kernels are now available for Mandrake Linux 8.2, 8.2/PPC, and Multi- Network Firewall 8.2.

As well, the previously noted instructions for temporarily working around the vulnerability are not completely accurate as they only defend against a certain type of attack making use of this problem.
Users should upgrade to the update kernels, however if you are unable to upgrade you may wish to look into the self-compiled no-ptrace-module.c[1] that is loaded into a running kernel.

The remote host is missing the patch for the advisory SUSE-SA:2003:021 (kernel).


The Linux kernel has a security flaw in all versions used on SUSE products excluding the upcoming SUSE LINUX 8.2 distribution. The flaw is known as ptrace/modprobe bug: The local attacker can use ptrace and attach to a modprobe process that is spawned if the user triggers the loading of a kernel module using the kmod kernel module subsystem.
This can be done by asking for network protocols that are supplied by kernel modules which are not loaded (yet). The vulnerability allows the attacker to execute arbitrary commands as root.

Updated kernel packages are now available that fix a ptrace-related vulnerability which can lead to elevated (root) privileges.

The Linux kernel handles the basic functions of the operating system.
A vulnerability has been found in version 2.4.18 of the kernel.

This vulnerability allows a local user to gain elevated (root) privileges without authorization.

All users should upgrade to these errata packages, which contain patches to fix the vulnerability.

Updated kernel packages are now available that fix a ptrace-related
vulnerability which can lead to elevated (root) privileges.

The Linux kernel handles the basic functions of the operating system.
A vulnerability has been found in version 2.4.18 of the kernel.

This vulnerability allows a local user to gain elevated (root)
privileges without authorization.

All users should upgrade to these errata packages, which contain
patches to fix the vulnerability.

ID	Name	Product	Family	Severity
15332	Debian DSA-495-1 : linux-kernel-2.4.16-arm - several vulnerabilities	Nessus	Debian Local Security Checks	high
15260	Debian DSA-423-1 : linux-kernel-2.4.17-ia64 - several vulnerabilities	Nessus	Debian Local Security Checks	high
15173	Debian DSA-336-1 : linux-kernel-2.2.20 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
15169	Debian DSA-332-1 : linux-kernel-2.4.17 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
15149	Debian DSA-312-1 : kernel-patch-2.4.18-powerpc - several vulnerabilities	Nessus	Debian Local Security Checks	critical
15148	Debian DSA-311-1 : linux-kernel-2.4.18 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
15113	Debian DSA-276-1 : linux-kernel-s390 - local privilege escalation	Nessus	Debian Local Security Checks	high
15107	Debian DSA-270-1 : linux-kernel-mips - local privilege escalation	Nessus	Debian Local Security Checks	high
14023	Mandrake Linux Security Advisory : kernel22 (MDKSA-2003:039)	Nessus	Mandriva Local Security Checks	high
14022	Mandrake Linux Security Advisory : kernel (MDKSA-2003:038-1)	Nessus	Mandriva Local Security Checks	high
13791	SUSE-SA:2003:021: kernel	Nessus	SuSE Local Security Checks	high
12381	RHEL 2.1 : kernel (RHSA-2003:103)	Nessus	Red Hat Local Security Checks	high
801577	Red Hat 2003-103 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2003-0127

high

Tenable Plugins

high

high

critical

critical

critical

critical

high

high

high

high

high

high

high