Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow Vulnerability

TITLE: Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow Vulnerability
CLASS: Boundary Condition Error
CVE: CAN-2004-0619

REMOTE: No
LOCAL: Yes
PUBLISHED: Jun 23 2004 12:00AM
UPDATE: Jun 23 2004 12:00AM
CREDIT: Credit for discovery of this vulnerability goes to infamous41md@hotpop.com
VULNERABLE:

RedHat Linux 8.0 i686
RedHat Linux 8.0 i386
RedHat Linux 8.0
RedHat kernel-source-2.4.20-8.i386.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-smp-2.4.20-8.i686.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-smp-2.4.20-8.i586.rpm
RedHat kernel-smp-2.4.20-8.athlon.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-2.4.20-8.i686.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-2.4.20-8.i586.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-2.4.20-8.i386.rpm
RedHat kernel-2.4.20-8.athlon.rpm
+ RedHat Linux 9.0 i386
RedHat Fedora Core1
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Desktop 3.0
NOT VULNERABLE:

Go to the original page on Security Focus

Discussion

It is reported that the bcm5820 Linux kernel driver contains an integer overflow vulnerability.

The driver contains a function, ubsec_ioctl(), which is used to set up operating parameters for the driver. This function takes user-supplied data and copies it into kernel space. When copying this data, a user-supplied length value is used in a calculation. This calculation could cause an integer overflow when allocating buffer space.

This vulnerability could lead to a system crash, or possibly to code execution in the context of the kernel.

This driver is not present in the vanilla Linux kernel, nor is it standard in most distributions of Linux. Redhat 8, with Linux kernel 2.4.20, is confirmed to include the vulnerable driver, but others are also potentially vulnerable.
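The class of bug described above, shown as an added illustration that is not the bcm5820 driver's code: a size computed from a user-supplied count in 32-bit arithmetic, beside a checked version. The header size, element size, limit and function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request layout; not the bcm5820 driver's structures. */
#define HDR_SIZE  64u    /* fixed header placed before the user data */
#define ELEM_SIZE 16u    /* size of one user-supplied element */
#define MAX_ELEMS 4096u  /* policy limit chosen for this example */

/* Unchecked pattern: 32-bit arithmetic wraps silently, so a huge count
 * yields a small allocation size while the copy still uses the count. */
uint32_t alloc_size_unchecked(uint32_t user_count)
{
    return HDR_SIZE + user_count * ELEM_SIZE;
}

/* Bytes the copy step would write, computed in 64 bits for comparison. */
uint64_t bytes_copied(uint32_t user_count)
{
    return (uint64_t)HDR_SIZE + (uint64_t)user_count * ELEM_SIZE;
}

/* Hardened pattern: bound the count, then prove that neither the
 * multiplication nor the addition can wrap before producing a size. */
bool alloc_size_checked(uint32_t user_count, uint32_t *out)
{
    if (user_count == 0 || user_count > MAX_ELEMS)
        return false;
    if (user_count > (UINT32_MAX - HDR_SIZE) / ELEM_SIZE)
        return false;
    *out = HDR_SIZE + user_count * ELEM_SIZE;
    return true;
}

int main(void)
{
    uint32_t count = 0x10000000u;  /* constructed oversized length */
    uint32_t size = 0;
    bool ok;

    printf("unchecked size %u, bytes copied %llu\n",
           (unsigned)alloc_size_unchecked(count),
           (unsigned long long)bytes_copied(count));
    ok = alloc_size_checked(count, &size);
    printf("checked accepts oversized count: %d\n", ok);
    ok = alloc_size_checked(10, &size);
    printf("checked accepts count 10: %d (size %u)\n", ok, (unsigned)size);
    return 0;
}
```

Current kernels provide helpers such as check_mul_overflow() and struct_size() in <linux/overflow.h> for the same purpose.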

Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Solution

Redhat has released advisory FEDORA-2004-206 for Fedora Core 1 addressing this issue. Please see the referenced advisory for further information.

RedHat Linux has released advisory RHSA-2004:549-10 to address this, and other issues in RedHat Enterprise Linux operating systems. Please see the referenced advisories for further information.

Red Hat released advisory RHSA-2005:283-15 as well as fixes to address this and other issues on Red Hat Linux Enterprise 2.1 platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisories for additional information.


RedHat Fedora Core1
