For info... Since many of us here are interested in multicast, it's slightly relevant :-)

>===========================================================================
> AUSCERT External Security Bulletin Redistribution
>
> ESB-2004.0812 -- Linux kernel IGMP vulnerabilities
> 22 December 2004
>
>===========================================================================
>
> AusCERT Security Bulletin Summary
> ---------------------------------
>
>Product:          Linux kernel 2.4 version 2.4.28 and prior
>                  Linux kernel 2.6 version 2.6.9 and prior
>Operating System: Linux variants
>Impact:           Root Compromise
>                  Access Confidential Data
>                  Denial of Service
>Access:           Existing Account
>                  Remote/Unauthenticated
>CVE Names:        CAN-2004-1137
>
>- --------------------------BEGIN INCLUDED TEXT--------------------
>
>PROBLEM:
>
> Two vulnerabilities in the IGMP (Internet Group Management Protocol)
> code in the Linux kernel allow local privilege elevation and remote
> denial of service under conditions described below.
>
> 1. The ip_mc_source() function is part of the user API for IGMP. Due to
>    an incorrectly validated parameter, a program running as an
>    unprivileged user is able to overwrite kernel memory.
>
> 2. When an IGMP group query packet is accepted from the network, its
>    contents are not validated properly, allowing a malformed packet to
>    cause remote denial of service.
>
>
>VERSIONS:
>
> 2.6 kernel versions 2.6.9 and prior are vulnerable.
> 2.4 kernel versions 2.4.28 and prior are also vulnerable.
> 2.2.x kernels are not vulnerable.
>
>
>IMPACT:
>
> 1. On SMP systems, this vulnerability allows executing arbitrary code
>    in kernel mode, allowing root compromise.
>
>    On non-SMP systems this is most likely not possible, so the impact
>    is limited to local denial of service.
>
>    This vulnerability in conjunction with the ip_mc_?sfget() functions
>    also allows reading of blocks of kernel memory, which may contain
>    sensitive information such as passwords.
>
> 2. The second vulnerability allows remote denial of service, if some
>    application on the system is using a multicast socket.
>    If the files /proc/net/igmp and /proc/net/mcfilter both exist and
>    are non-empty, then the system is vulnerable to this second
>    vulnerability.
>
> More information is available in the original advisory. [1]
>
>
>MITIGATION:
>
> No official patch is yet available for this vulnerability.
>
> Until a patch is available, AusCERT recommends that system
> administrators restrict logon access to vulnerable systems, and
> consider adding a firewall rule to block inbound IGMP packets
> (IP protocol number 2).
>
>
>REFERENCES:
>
> [1] Linux kernel IGMP vulnerabilities
>     http://isec.pl/vulnerabilities/isec-0018-igmp.txt

Markus Buchhorn, ANU Internet Futures                |Ph: +61 2 61258810
markus.buchh...@anu.edu.au                           |Fx: +61 2 61259805
The Australian National University, Canberra 0200    |Mob: 0417 281429
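As an added example, not part of the bulletin or of the original post: a small POSIX sh helper that applies the bulletin's own criteria on a host, the affected kernel ranges (2.6.x up to 2.6.9, 2.4.x up to 2.4.28, 2.2.x unaffected) and the /proc/net/igmp plus /proc/net/mcfilter check for the remote issue. The function names, the optional proc-root argument and the assessment labels are my own assumptions for the example.

```sh
#!/bin/sh
# Added example: assess a host against ESB-2004.0812 / CAN-2004-1137.
# Assumed interface: version string is passed explicitly (e.g. "$(uname -r)"),
# and an optional proc root (default /proc) allows testing against a fake tree.

# Returns 0 when VERSION falls in a range the bulletin lists as affected.
igmp_kernel_vulnerable() {
    ver=${1%%-*}                      # drop distro suffix: "2.4.27-2-686" -> "2.4.27"
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}           # "9rc1" -> "9"; keep numeric compare safe
    [ -z "$patch" ] && patch=0
    [ "$major" = 2 ] && [ "$minor" = 6 ] && [ "$patch" -le 9 ] && return 0
    [ "$major" = 2 ] && [ "$minor" = 4 ] && [ "$patch" -le 28 ] && return 0
    return 1
}

# Returns 0 when both files exist and have content when read. Note procfs
# files report a size of 0, so "test -s" is useless here; we read them instead.
igmp_mcast_exposed() {
    proc=${1:-/proc}
    for f in "$proc/net/igmp" "$proc/net/mcfilter"; do
        [ -r "$f" ] || return 1
        [ -n "$(cat "$f" 2>/dev/null)" ] || return 1
    done
    return 0
}

# Prints one of: not-affected, local-only, local-and-remote.
igmp_assessment() {
    if ! igmp_kernel_vulnerable "$1"; then
        echo not-affected
    elif igmp_mcast_exposed "${2:-/proc}"; then
        echo local-and-remote
    else
        echo local-only
    fi
}

# Stand-alone use on the running host; the bulletin's interim mitigation for
# the remote issue is to drop inbound IGMP (IP protocol 2) at the firewall,
# e.g. "iptables -A INPUT -p igmp -j DROP", until a patched kernel is installed.
[ "${IGMP_CHECK_MAIN:-0}" = 1 ] && igmp_assessment "$(uname -r)"
```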