Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201404231627.s3NGRpBS011729@linus.mitre.org>
Date: Wed, 23 Apr 2014 12:27:51 -0400 (EDT)
From: cve-assign@...re.org
To: luto@...capital.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It is possible to reconfigure the network on Linux by calling write(2)
> on an appropriately connected netlink socket. By passing such a
> socket as stdout or stderr to a setuid program, anyone can reconfigure
> the network.


> http://marc.info/?l=linux-netdev&m=139820127225921&w=2

> Andy Lutomirski when looking at the networking stack noticed that it is
> possible to trick privileged processes into calling write on a netlink
> socket and send netlink messages they did not intend.
> 
> In particular from time to time there are suid applications that will
> write to stdout or stderr without checking exactly what kind of file
> descriptors those are and can be tricked into acting as a limited form
> of suid cat. In other conversations the magic string CVE-2014-0818 has
> been used to talk about this issue.

First, CVE-2014-0818 is not the correct CVE ID. CVE-2014-0818 is
associated only with a vulnerability in AutoCAD. A CVE ID of
CVE-2014-0181 was in the Subject line.

Also, there are two messages that discuss apparently distinct types of
security issues, suggesting that two or more CVE IDs may be needed:

http://marc.info/?l=linux-netdev&m=139820138225967&w=2
  "The caller needs capabilities on the namespace being queried, not
  on their own namespace. This is a security bug, although it likely
  has only a minor impact." (The patch is in the packet_diag_dump
  function in net/packet/diag.c, but the issue originally was in the
  sock_diag_put_filterinfo function in net/core/sock_diag.c.)

http://marc.info/?l=linux-netdev&m=139820147526004&w=2
  "verify that the opener of the socket had the desired permissions as
  well"

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTV+jvAAoJEKllVAevmvmsR6oH/0AlC8kHSHbG1bMA8LR1zuGi
dql/ePdiy0xZCaXK/2qjKmwF+F6DwYukmLqZsnpxhKPZImjTnTsK/Ij7fxID6sH2
b8YfB3H9ZmTjsh6q1SKXcj+vXphORktcrL0KjpgfGRQGexEa95o+1j0Vlrpk+Jdt
+g6RWUrVRFanBF+zE3DNSPI4Pza4BB+XoOrjEAVfp1AmizbObzaazY+UOQKZDi6m
FzmjErQtqViG0YMV7h8b1ktHF8+RjVT2cvFCPYs4Gmae7WOXiPxN+dngkvtJGQg7
1nH2jQOd6FhIN4HWLiL1xSTlst3bATxntC6aOPyx+KnFxQIomCMocS/6UecRWbI=
=XHpW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.