
Linux Kernel do_mremap Function Boundary Condition Vulnerability

Risk

High

Date Discovered

January 5, 2004

Description

A vulnerability involving the do_mremap system function has been reported in the Linux kernel, allowing for local privilege escalation. Due to a bounds checking issue within the function, it is possible for local attackers to disrupt the operation of the kernel. Attack vectors also exist that may permit a local attacker to gain root privileges. This type of vulnerability will permit a remote attacker who has gained limited privileges on a host to fully compromise the system.

Technologies Affected

  • Avaya Communication Manager Server S8300
  • Avaya Communication Manager Server S8500
  • Avaya Communication Manager Server S8700
  • Linux kernel 2.2.0
  • Linux kernel 2.2.1
  • Linux kernel 2.2.10
  • Linux kernel 2.2.11
  • Linux kernel 2.2.12
  • Linux kernel 2.2.13
  • Linux kernel 2.2.14
  • Linux kernel 2.2.15
  • Linux kernel 2.2.15 pre16
  • Linux kernel 2.2.15 pre20
  • Linux kernel 2.2.16
  • Linux kernel 2.2.16 pre6
  • Linux kernel 2.2.17
  • Linux kernel 2.2.18
  • Linux kernel 2.2.19
  • Linux kernel 2.2.2
  • Linux kernel 2.2.20
  • Linux kernel 2.2.21
  • Linux kernel 2.2.22
  • Linux kernel 2.2.23
  • Linux kernel 2.2.24
  • Linux kernel 2.2.25
  • Linux kernel 2.2.3
  • Linux kernel 2.2.4
  • Linux kernel 2.2.5
  • Linux kernel 2.2.6
  • Linux kernel 2.2.7
  • Linux kernel 2.2.8
  • Linux kernel 2.2.9
  • Linux kernel 2.4.0
  • Linux kernel 2.4.0-test1
  • Linux kernel 2.4.0-test10
  • Linux kernel 2.4.0-test11
  • Linux kernel 2.4.0-test12
  • Linux kernel 2.4.0-test2
  • Linux kernel 2.4.0-test3
  • Linux kernel 2.4.0-test4
  • Linux kernel 2.4.0-test5
  • Linux kernel 2.4.0-test6
  • Linux kernel 2.4.0-test7
  • Linux kernel 2.4.0-test8
  • Linux kernel 2.4.0-test9
  • Linux kernel 2.4.1
  • Linux kernel 2.4.10
  • Linux kernel 2.4.11
  • Linux kernel 2.4.12
  • Linux kernel 2.4.13
  • Linux kernel 2.4.14
  • Linux kernel 2.4.15
  • Linux kernel 2.4.16
  • Linux kernel 2.4.17
  • Linux kernel 2.4.18
  • Linux kernel 2.4.18 pre-1
  • Linux kernel 2.4.18 pre-2
  • Linux kernel 2.4.18 pre-3
  • Linux kernel 2.4.18 pre-4
  • Linux kernel 2.4.18 pre-5
  • Linux kernel 2.4.18 pre-6
  • Linux kernel 2.4.18 pre-7
  • Linux kernel 2.4.18 pre-8
  • Linux kernel 2.4.18 x86
  • Linux kernel 2.4.19
  • Linux kernel 2.4.19 -pre1
  • Linux kernel 2.4.19 -pre2
  • Linux kernel 2.4.19 -pre3
  • Linux kernel 2.4.19 -pre4
  • Linux kernel 2.4.19 -pre5
  • Linux kernel 2.4.19 -pre6
  • Linux kernel 2.4.2
  • Linux kernel 2.4.20
  • Linux kernel 2.4.21
  • Linux kernel 2.4.21 pre1
  • Linux kernel 2.4.21 pre4
  • Linux kernel 2.4.21 pre7
  • Linux kernel 2.4.22
  • Linux kernel 2.4.23
  • Linux kernel 2.4.3
  • Linux kernel 2.4.4
  • Linux kernel 2.4.5
  • Linux kernel 2.4.6
  • Linux kernel 2.4.7
  • Linux kernel 2.4.8
  • Linux kernel 2.4.9
  • Linux kernel 2.6.0
  • Linux kernel 2.6.0 -test1
  • Linux kernel 2.6.0 -test10
  • Linux kernel 2.6.0 -test11
  • Linux kernel 2.6.0 -test2
  • Linux kernel 2.6.0 -test3
  • Linux kernel 2.6.0 -test4
  • Linux kernel 2.6.0 -test5
  • Linux kernel 2.6.0 -test6
  • Linux kernel 2.6.0 -test7
  • Linux kernel 2.6.0 -test8
  • Linux kernel 2.6.0 -test9
  • Linux kernel 2.6.1 -rc1
  • SGI ProPack 2.4.0
  • SmoothWall Express 2.0.0
  • SmoothWall Express 2.0.0 beta
  • SmoothWall Express 2.0.0 beta6
  • Sun Cobalt RaQ 550
  • VMWare ESX Server 1.5.2
  • VMWare ESX Server 2.0.0
  • VMWare ESX Server 2.0.1
  • VMWare ESX Server 2.0.1 build 6403

Recommendations

Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.

Restrict local access to all but trustworthy users and those who explicitly require access to local services. This may limit an attacker's ability to successfully exploit this issue.

Block external access at the network boundary, unless external parties require service.

Due to the high likelihood that this issue will be used in conjunction with unrelated remote vulnerabilities, it is advised that administrators ensure that network-based access controls are implemented to restrict access to remote services.

Implement multiple redundant layers of security.

An attacker's ability to exploit this condition to escalate privileges may be hampered through the use of memory protection schemes. If possible, implement the use of non-executable and randomly mapped memory paging, especially memory protection implementations that operate in kernel space.

Avaya has released an advisory to address this issue. Avaya recommends that customers contact their service representative to upgrade to field load 220. Further information can be found in the advisory located at the following URI: http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=158687&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Sun has released a fix to address this issue in the Sun Cobalt RaQ 550. The fix is linked below.

Debian has released an advisory (DSA 423-1) that addresses the issue described in this BID for the IA-64 architecture. Further details regarding obtaining and applying fixes can be found in the referenced advisory.

SmoothWall has released fixes to address this issue in SmoothWall Express 2.0. Users are advised to obtain the fixes through the SmoothWall interface. Please see the referenced web page (SWP-2004:001) for more information. Users may download the fixes1 patch by carrying out the following steps: go to Maintenance -> Updates on your SmoothWall web interface, and upload the file called fixes1.

Debian has released advisory DSA 413-1 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat has released advisory RHSA-2003:417-01 to address this issue. RHSA-2003:419-05 was also released to address Red Hat Enterprise distributions. An advisory (FEDORA-2003-046) was also released for Fedora distributions. See the referenced advisories for additional details.

Guardian Digital has released advisory ESA-20040105-001 for EnGarde Secure Linux. Fixes included in this advisory may be applied with the Guardian Digital WebTool.

Conectiva has released advisories CLA-2004:799 and CLSA-2004:804 to address this issue. Please see the attached advisories for details on obtaining and applying fixes.

Trustix has released advisory TSLSA-2004-01 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Astaro Security Linux has released kernel updates to address this issue in Up2Date 4.018.

SuSE has released security advisory SuSE-SA:2004:001 to address this issue. SuSE has also released security advisory SuSE-SA:2004:003 to address this issue for the 64-bit kernel.

An advisory (IMNX-2004-73-001-01) was released for Immunix Secured OS that includes fixes to address this issue. Please see the referenced advisory for details on obtaining and applying fixes.

TurboLinux released an advisory (TLSA-2004-1) that includes fixes for this issue. Please see the attached reference for details on obtaining and applying fixes.

This issue has been addressed in the 2.4.24 release of the Linux kernel. This issue has also been addressed in the 2.6 series as of the 2.6.1-rc2 release.

Debian has issued fixes for the PowerPC and Alpha platforms. See advisory DSA 417-2 in the reference section.

Slackware has released advisories SSA:2004-006-01 and SSA:2004-008-01 to address this issue.

Mandrake has released advisory MDKSA-2004:001 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Gentoo has released advisory GLSA 200401-01 to address this issue. Please see the attached advisory for more details. Gentoo fixes can be applied by carrying out the following commands:

    emerge sync
    emerge -pv your-favorite-sources
    # IMPORTANT: IF YOUR KERNEL IS MARKED AS "Manual Update" THEN
    # THE PORTAGE MAY REPORT THAT YOU HAVE THE SAME KERNEL ON
    # YOUR SYSTEM. YOU SHOULD STILL UPDATE YOUR KERNEL!
    emerge your-favorite-sources
    # Follow usual procedures for compiling and installing a kernel.
    # If you use genkernel, run genkernel as you would do normally.

SmoothWall has released alert SWP-2004:001 to address this issue.

Debian has issued fixes for the mips/mipsel architectures. See advisory DSA-427-1 (in the reference section).

SGI has released security advisory 20040102-01-U including fixes to address this issue. Please see the attached advisory for more information.

VMWare has released a fix to address this issue in VMWare ESX Server 2.0.1 build 6403. Please see the referenced web page for more information.

Debian has released two advisories, DSA-439-1 and DSA-440-1, to address this and other issues. Please see the referenced advisories for more information.

Debian has released DSA 442-1 to provide fixes for s390 platforms. Please see the attached advisory for further information.

Debian has released DSA 450-1 to provide MIPS kernel fixes. Please see the attached advisory for further details.

SGI has released advisory 20040204-01-U to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

Debian has released DSA 470-1 to address this and other issues on the HP Precision architecture. Please see the referenced advisory for more information.

A VMWare advisory and fixes are available for their ESX Server package. Please see the reference section for more information.

Debian has released advisory DSA 475-1 with fixes dealing with this and other issues for the HP Precision architecture.
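As an added example (not part of the Symantec advisory or of any vendor's tooling), the following Python checks a kernel release string against the fixed upstream versions named above, 2.4.24 for the 2.4 series and 2.6.1-rc2 for the 2.6 series, ranking pre/test/rc tags below the final release of the same version. The release-string pattern and the "unlisted" category are my own assumptions; vendor kernels that carry a backported fix keep an older version string, so a "vulnerable" result for one of those means "consult the vendor advisory", not proof of exposure.

```python
import re

# Pre-release tags rank below a final release: 2.4.21-pre4 < 2.4.21-rc1 < 2.4.21,
# and the 2.6.0-testN snapshots precede 2.6.0.
STAGE_RANK = {"pre": 0, "test": 1, "rc": 2}
FINAL_RANK = 3

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]?(pre|test|rc)-?(\d+))?")

def parse_release(release):
    """Turn a kernel release string ('2.6.1-rc2', '2.4.22-1.2115.nptl') into a
    sortable key (major, minor, patch, stage_rank, stage_number). A vendor build
    suffix that is not a pre/test/rc tag counts as a final release of that version."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release string: %r" % release)
    major, minor, patch, stage, num = m.groups()
    key = (int(major), int(minor), int(patch))
    if stage:
        return key + (STAGE_RANK[stage], int(num))
    return key + (FINAL_RANK, 0)

# Upstream releases the advisory names as fixed, one per affected series.
FIXED_2_4 = parse_release("2.4.24")
FIXED_2_6 = parse_release("2.6.1-rc2")

def assess(release):
    """Classify a release by upstream version only: 'fixed', 'vulnerable' or
    'unlisted' (a series the advisory does not mention, e.g. 2.5.x).
    Vendor kernels that carry a backported fix under an older version string
    (see the vendor advisories above) still come back 'vulnerable' here, so treat
    that result as 'compare against the vendor advisory', not as proof of exposure."""
    key = parse_release(release)
    series = key[:2]
    if series == (2, 2):
        return "vulnerable"   # 2.2.0 to 2.2.25 listed affected; no upstream fix named
    if series == (2, 4):
        return "fixed" if key >= FIXED_2_4 else "vulnerable"
    if key >= FIXED_2_6:
        return "fixed"        # 2.6.1-rc2 and every later release
    if series == (2, 6):
        return "vulnerable"
    return "unlisted"

if __name__ == "__main__":
    import platform
    running = platform.release()   # the same string `uname -r` prints on Linux
    print("%s -> %s" % (running, assess(running)))
```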

Credits

Discovery is credited to Paul Starzetz and Wojciech Purczynski.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
