__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Red Hat Updated Kernel Packages Fix Several Vulnerabilities [RHSA-2004:105, RHSA-2004:106, RHSA-2004:166, RHSA-2004:183] April 23, 2004 20:00 GMT Number O-126 [REVISED 17 May 2004] [REVISED 21 Dec 2004] ______________________________________________________________________________ PROBLEM: Red Hat has released several updated kernel packages that fix security vulnerabilities for gaining unauthorized privileges and for information leakage. PLATFORM: Enterprise Linux AS, ES, and WS (v.3) Enterprise Linux AS, ES, and WS (v.2.1) Advanced Workstation 2.1 for the Itanium Processor Linux 9 DAMAGE: Vulnerabilities are listed as follows: - The R128 drive in the Linux kernel that could potentially lead an attacker to gain unauthorized privileges. - A stack-based buffer overflow in the ncp_lookup function for ncpfs in the Linux kernel could lead an attacker to gain unauthorized privileges. - A buffer overflow vulnerability in the ISO9660 filesystem component of Linux kernel could be abused by an attacker to gain unauthorized root access. - An information leak may exist in the ext3 code of Linux that would allow an authorized user to read sensitive data. - A flaw in return value checking in mremap() in kernal versions 2.4.24 and previous may allow a local attacker to gain root privileges. - A flaw in the ip_setsockopt() function code of kernel versions 2.4.22 to 2.4.25 inclusive, and version 2.4.21 of Enterprise Linux 3, may allow a local attacker to gain root privileges. SOLUTION: Apply appropriate updated packages. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. The most severe vulnerabilities may allow ASSESSMENT: an unauthorized user to gain root access. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-126.shtml ORIGINAL BULLETINS: https://rhn.redhat.com/errata/RHSA-2004-105.html https://rhn.redhat.com/errata/RHSA-2004-106.html https://rhn.redhat.com/errata/RHSA-2004-166.html https://rhn.redhat.com/errata/RHSA-2004-183.html https://rhn.redhat.com/errata/RHSA-2004-188.html https://rhn.redhat.com/errata/RHSA-2004-504.html https://rhn.redhat.com/errata/RHSA-2004-505.html CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2004-0177 CAN-2004-0109 CAN-2004-0077 CAN-2004-0010 CAN-2004-0003 CAN-2002-1574 ______________________________________________________________________________ REVISION HISTORY: 05/17/04 - Added link to RHSA-2004-188 which also released patches for some of the same issues as on this bulletin. 12/21/04 - added link information to Red Hat Advisories: RHSA-2004:504-13 / Itanium packages RHSA-2004:505-14 / kernel packages [***** Start RHSA-2004:183 *****] Updated kernel packages fix security vulnerabilities Advisory: RHSA-2004:183-03 Last updated on: 2004-04-22 Affected Products: Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 3) CVEs (cve.mitre.org): CAN-2004-0109 CAN-2004-0424 Security Advisory Details: Updated kernel packages that fix two privilege escalation vulnerabilities are now available. The Linux kernel handles the basic functions of the operating system. iSEC Security Research discovered a flaw in the ip_setsockopt() function code of the Linux kernel versions 2.4.22 to 2.4.25 inclusive. This flaw also affects the 2.4.21 kernel in Red Hat Enterprise Linux 3 which contained a backported version of the affected code. A local user could use this flaw to gain root privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0424 to this issue. iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that root privileges may be obtained if the filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0109 to this issue. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Updated packages: Red Hat Enterprise Linux AS (v. 3) ----------------------------------------------------------------------------- SRPMS: kernel-2.4.21-9.0.3.EL.src.rpm 75e184e496f05cd18eea12a94a45d992 athlon: kernel-2.4.21-9.0.3.EL.athlon.rpm 747381f00d4483d2b680d81a79ee87d0 kernel-smp-2.4.21-9.0.3.EL.athlon.rpm 4419e2bc38199f6e108c87c34c29c77f kernel-smp-unsupported-2.4.21-9.0.3.EL.athlon.rpm c40f0b228e80bd863eeba517a05909c8 kernel-unsupported-2.4.21-9.0.3.EL.athlon.rpm 5fef3bbf1605baaea07bd77ff96fff79 i386: kernel-BOOT-2.4.21-9.0.3.EL.i386.rpm 9d44d75032a22e1bafe070cbf83abea3 kernel-doc-2.4.21-9.0.3.EL.i386.rpm 090afc63ecd3b2dd68e76c25c428c0c3 kernel-source-2.4.21-9.0.3.EL.i386.rpm 52678a51fc609431df2d2c7ec3d66396 i686: kernel-2.4.21-9.0.3.EL.i686.rpm 0f0d28e815672056c265bc5d95a26b04 kernel-hugemem-2.4.21-9.0.3.EL.i686.rpm 15edf9ad36ad8ab7655025be9c68149b kernel-hugemem-unsupported-2.4.21-9.0.3.EL.i686.rpm be46b5651aea10e71f8ce5cd403e5597 kernel-smp-2.4.21-9.0.3.EL.i686.rpm 58ef6536346d05530dea4d6553f22403 kernel-smp-unsupported-2.4.21-9.0.3.EL.i686.rpm 8803be23264421aaa299d55b8e534e9e kernel-unsupported-2.4.21-9.0.3.EL.i686.rpm d678cc5434f16bb05af6ca66cafdea05 ia64: kernel-2.4.21-9.0.3.EL.ia64.rpm cb457e3e0a0460153b3bfbe5c39ef260 kernel-doc-2.4.21-9.0.3.EL.ia64.rpm e5325b4988f0e75f185c1208749d1c62 kernel-source-2.4.21-9.0.3.EL.ia64.rpm 977e74c136ab7e8cb2de0af714478544 kernel-unsupported-2.4.21-9.0.3.EL.ia64.rpm b852fe340ebf22869bb1e02ce589aa0d ppc64: kernel-doc-2.4.21-9.0.3.EL.ppc64.rpm 528032788bee51dae3dcd354d2f8b73a kernel-source-2.4.21-9.0.3.EL.ppc64.rpm 7c2229ba9d9eafacb71bcc6e752f3a19 ppc64iseries: kernel-2.4.21-9.0.3.EL.ppc64iseries.rpm 97c5ecb52204e12156f7895edac7e064 kernel-unsupported-2.4.21-9.0.3.EL.ppc64iseries.rpm 83307f0d8628593d4f82e2d73c0056fc ppc64pseries: kernel-2.4.21-9.0.3.EL.ppc64pseries.rpm c823973a230c40ac9edd411897b7113d kernel-unsupported-2.4.21-9.0.3.EL.ppc64pseries.rpm 65c97716b999af8eab0e1f8e24b209d8 s390: kernel-2.4.21-9.0.3.EL.s390.rpm ae7e0719db784bb53d78caadb9a28f46 kernel-doc-2.4.21-9.0.3.EL.s390.rpm 1642932547b2719d36eca9b51d4825d6 kernel-source-2.4.21-9.0.3.EL.s390.rpm ae2f9d3424d123c7b3e0ba43d0031d81 kernel-unsupported-2.4.21-9.0.3.EL.s390.rpm d334ddf760fce749557602fb71b20fe7 s390x: kernel-2.4.21-9.0.3.EL.s390x.rpm 2e08a2aa7c25dc023f31f7028daf1dbb kernel-doc-2.4.21-9.0.3.EL.s390x.rpm f2d16837ef21af8e303a7694cfc50e73 kernel-source-2.4.21-9.0.3.EL.s390x.rpm 7383745e47cdd0e97d21d203df9a953e kernel-unsupported-2.4.21-9.0.3.EL.s390x.rpm abb43640b44870450af1f3b61a2d4b1e x86_64: kernel-2.4.21-9.0.3.EL.x86_64.rpm 4153e7472cbc9e57331d8bd6ab963374 kernel-doc-2.4.21-9.0.3.EL.x86_64.rpm b069533b3d6f1fc3aeba858a28dcfa1f kernel-smp-2.4.21-9.0.3.EL.x86_64.rpm 970369d2dfd7c9ea04d8073b7a8c9f3b kernel-smp-unsupported-2.4.21-9.0.3.EL.x86_64.rpm 07628c9fe1be29deeabd2192dfeffcfb kernel-source-2.4.21-9.0.3.EL.x86_64.rpm dc4d55f0619c476d947f39a6760dca10 kernel-unsupported-2.4.21-9.0.3.EL.x86_64.rpm b8d738cb4bc5240bb089b59622da1ff4 Red Hat Enterprise Linux ES (v. 3) ----------------------------------------------------------------------------- SRPMS: kernel-2.4.21-9.0.3.EL.src.rpm 75e184e496f05cd18eea12a94a45d992 athlon: kernel-2.4.21-9.0.3.EL.athlon.rpm 747381f00d4483d2b680d81a79ee87d0 kernel-smp-2.4.21-9.0.3.EL.athlon.rpm 4419e2bc38199f6e108c87c34c29c77f kernel-smp-unsupported-2.4.21-9.0.3.EL.athlon.rpm c40f0b228e80bd863eeba517a05909c8 kernel-unsupported-2.4.21-9.0.3.EL.athlon.rpm 5fef3bbf1605baaea07bd77ff96fff79 i386: kernel-BOOT-2.4.21-9.0.3.EL.i386.rpm 9d44d75032a22e1bafe070cbf83abea3 kernel-doc-2.4.21-9.0.3.EL.i386.rpm 090afc63ecd3b2dd68e76c25c428c0c3 kernel-source-2.4.21-9.0.3.EL.i386.rpm 52678a51fc609431df2d2c7ec3d66396 i686: kernel-2.4.21-9.0.3.EL.i686.rpm 0f0d28e815672056c265bc5d95a26b04 kernel-hugemem-2.4.21-9.0.3.EL.i686.rpm 15edf9ad36ad8ab7655025be9c68149b kernel-hugemem-unsupported-2.4.21-9.0.3.EL.i686.rpm be46b5651aea10e71f8ce5cd403e5597 kernel-smp-2.4.21-9.0.3.EL.i686.rpm 58ef6536346d05530dea4d6553f22403 kernel-smp-unsupported-2.4.21-9.0.3.EL.i686.rpm 8803be23264421aaa299d55b8e534e9e kernel-unsupported-2.4.21-9.0.3.EL.i686.rpm d678cc5434f16bb05af6ca66cafdea05 Red Hat Enterprise Linux WS (v. 3) ----------------------------------------------------------------------------- SRPMS: kernel-2.4.21-9.0.3.EL.src.rpm 75e184e496f05cd18eea12a94a45d992 athlon: kernel-2.4.21-9.0.3.EL.athlon.rpm 747381f00d4483d2b680d81a79ee87d0 kernel-smp-2.4.21-9.0.3.EL.athlon.rpm 4419e2bc38199f6e108c87c34c29c77f kernel-smp-unsupported-2.4.21-9.0.3.EL.athlon.rpm c40f0b228e80bd863eeba517a05909c8 kernel-unsupported-2.4.21-9.0.3.EL.athlon.rpm 5fef3bbf1605baaea07bd77ff96fff79 i386: kernel-BOOT-2.4.21-9.0.3.EL.i386.rpm 9d44d75032a22e1bafe070cbf83abea3 kernel-doc-2.4.21-9.0.3.EL.i386.rpm 090afc63ecd3b2dd68e76c25c428c0c3 kernel-source-2.4.21-9.0.3.EL.i386.rpm 52678a51fc609431df2d2c7ec3d66396 i686: kernel-2.4.21-9.0.3.EL.i686.rpm 0f0d28e815672056c265bc5d95a26b04 kernel-hugemem-2.4.21-9.0.3.EL.i686.rpm 15edf9ad36ad8ab7655025be9c68149b kernel-hugemem-unsupported-2.4.21-9.0.3.EL.i686.rpm be46b5651aea10e71f8ce5cd403e5597 kernel-smp-2.4.21-9.0.3.EL.i686.rpm 58ef6536346d05530dea4d6553f22403 kernel-smp-unsupported-2.4.21-9.0.3.EL.i686.rpm 8803be23264421aaa299d55b8e534e9e kernel-unsupported-2.4.21-9.0.3.EL.i686.rpm d678cc5434f16bb05af6ca66cafdea05 ia64: kernel-2.4.21-9.0.3.EL.ia64.rpm cb457e3e0a0460153b3bfbe5c39ef260 kernel-doc-2.4.21-9.0.3.EL.ia64.rpm e5325b4988f0e75f185c1208749d1c62 kernel-source-2.4.21-9.0.3.EL.ia64.rpm 977e74c136ab7e8cb2de0af714478544 kernel-unsupported-2.4.21-9.0.3.EL.ia64.rpm b852fe340ebf22869bb1e02ce589aa0d x86_64: kernel-2.4.21-9.0.3.EL.x86_64.rpm 4153e7472cbc9e57331d8bd6ab963374 kernel-doc-2.4.21-9.0.3.EL.x86_64.rpm b069533b3d6f1fc3aeba858a28dcfa1f kernel-smp-2.4.21-9.0.3.EL.x86_64.rpm 970369d2dfd7c9ea04d8073b7a8c9f3b kernel-smp-unsupported-2.4.21-9.0.3.EL.x86_64.rpm 07628c9fe1be29deeabd2192dfeffcfb kernel-source-2.4.21-9.0.3.EL.x86_64.rpm dc4d55f0619c476d947f39a6760dca10 kernel-unsupported-2.4.21-9.0.3.EL.x86_64.rpm b8d738cb4bc5240bb089b59622da1ff4 (The unlinked packages above are only available from the Red Hat Network) Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: https://rhn.redhat.com/help/latest-up2date.pxt Bugs fixed: (see bugzilla for more information) 120028 - CAN-2004-0109 kernel iso9660 buffer overflow 121314 - Linux kernel setsockopt MCAST_MSFILTER integer overflow References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0424 http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt http://www.idefense.com/application/poi/display?id=101 ----------------------------------------------------------------------------- The listed packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/solutions/security/news/publickey/#key You can verify each package and see who signed it with the following command: rpm --checksig -v filename If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum filename The Red Hat security contact is security@redhat.com. More contact details at http://www.redhat.com/solutions/security/news/contact.html Copyright © 2002 Red Hat, Inc. All rights reserved. [***** END RHSA-2004:183 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-116: Microsoft Cumulative Security Update for Outlook Express O-117: Microsoft Jet Database Engine Buffer Overrun O-118: HP OpenView Operations Remote Unauthorized Access O-119: HP Tru64 UNIX WU-FTPD Security Vulnerabilities O-120: HP Web Jetadmin Security Vulnerabilities O-121: Debian linux-kernel-2.4.17 and 2.4.18 Vulnerabilities O-122: Red Hat Updated OpenOffice Packages Fix Security Vulnearbility in Neon O-123: Debian 483-1 MySQL O-124: Cisco TCP Vulnerabilities in Multiple Cisco Products O-125: Cisco Vulnerabilities in SNMP Message Processing