Linux Kernel do_mremap Function Boundary Condition Vulnerability

Risk
High

Date Discovered
01-05-2004

Description
A vulnerability involving the do_mremap system function has been reported in the Linux kernel, allowing for local privilege escalation. Due to a bounds checking issue within the function, it is possible for local attackers to disrupt the operation of the kernel. Attack vectors also exist that may permit a local attacker to gain root privileges.

This type of vulnerability will permit a remote attacker who has gain limited privileges on a host to fully compromise the system.

Platforms Affected
Astaro Security Linux 2.0 16
Astaro Security Linux 2.0 23
Caldera OpenLinux 2.3
Caldera OpenLinux 2.4
Caldera OpenLinux Server 3.1
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Workstation 3.1.1
Conectiva Linux ecommerce
Conectiva Linux graficas
Conectiva Linux 4.0
Conectiva Linux 4.0 es
Conectiva Linux 4.1
Conectiva Linux 4.2
Conectiva Linux 5.0
Conectiva Linux 5.1
Conectiva Linux 6.0
Conectiva Linux 7.0
Conectiva Linux 8.0
Conectiva Linux 9.0
Conectiva Linux Enterprise Edition 1.0
CRUX CRUX Linux 1.0
Debian Linux 2.2
Debian Linux 2.2 68k
Debian Linux 2.2 alpha
Debian Linux 2.2 arm
Debian Linux 2.2 powerpc
Debian Linux 2.2 sparc
Debian Linux 3.0 alpha
Debian Linux 3.0 arm
Debian Linux 3.0 hppa
Debian Linux 3.0 ia-32
Debian Linux 3.0 ia-64
Debian Linux 3.0 m68k
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
Debian Linux 3.0 ppc
Debian Linux 3.0 s/390
Debian Linux 3.0 sparc
EnGarde Secure Linux 1.0.1
Gentoo Linux 1.2
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Linux Mandrake 6.0
MandrakeSoft Linux Mandrake 6.1
MandrakeSoft Linux Mandrake 7.0
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 7.2
MandrakeSoft Linux Mandrake 8.0
MandrakeSoft Linux Mandrake 8.0 ppc
MandrakeSoft Linux Mandrake 8.1
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 8.2 ppc
MandrakeSoft Linux Mandrake 9.0
MandrakeSoft Linux Mandrake 9.1
MandrakeSoft Linux Mandrake 9.1 ppc
MandrakeSoft Single Network Firewall 7.2
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux WS 2.1 IA64
RedHat Fedora Core1
RedHat Linux 6.0
RedHat Linux 6.0 alpha
RedHat Linux 6.0 sparc
RedHat Linux 6.1 alpha
RedHat Linux 6.1 i386
RedHat Linux 6.1 sparc
RedHat Linux 6.2
RedHat Linux 6.2 alpha
RedHat Linux 6.2 i386
RedHat Linux 6.2 sparc
RedHat Linux 7.0
RedHat Linux 7.0 alpha
RedHat Linux 7.0 i386
RedHat Linux 7.0 sparc
RedHat Linux 7.1 alpha
RedHat Linux 7.1 i386
RedHat Linux 7.1 ia64
RedHat Linux 7.2
RedHat Linux 7.2 alpha
RedHat Linux 7.2 i386
RedHat Linux 7.2 ia64
RedHat Linux 7.3
RedHat Linux 8.0
RedHat Linux 9.0 i386
S.u.S.E. Linux 6.0
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.1 alpha
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.3 ppc
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 7.0
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.3
S.u.S.E. Linux 8.0
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.2
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Database Server
S.u.S.E. Linux Enterprise Server 7
S.u.S.E. Linux Enterprise Server 8
S.u.S.E. Linux Firewall on CD
S.u.S.E. Linux Office Server
S.u.S.E. Linux Openexchange Server
S.u.S.E. SuSE eMail Server 3.1
S.u.S.E. SuSE eMail Server III
SCO eDesktop 2.4
SCO eServer 2.3.1
Slackware Linux -current
Slackware Linux 4.0
Slackware Linux 7.0
Slackware Linux 7.1
Slackware Linux 8.0
Slackware Linux 9.0
Slackware Linux 9.1
Sun Cobalt Qube 3
Sun Cobalt RaQ 4
Sun Cobalt RaQ 550
Sun Cobalt RaQ XTR
Sun Linux 5.0
Sun Linux 5.0.3
Sun Linux 5.0.5
Trustix Secure Linux 1.1
Trustix Secure Linux 1.2
Trustix Secure Linux 1.5
Trustix Secure Linux 2.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Workstation 8.0
Wirex Immunix OS 6.2
Wirex Immunix OS 7.0
Wirex Immunix OS 7.0 -Beta
WOLK WOLK 4.4 s

Components Affected
Linux kernel 2.2
Linux kernel 2.2.1
Linux kernel 2.2.2
Linux kernel 2.2.3
Linux kernel 2.2.4
Linux kernel 2.2.5
Linux kernel 2.2.6
Linux kernel 2.2.7
Linux kernel 2.2.8
Linux kernel 2.2.9
Linux kernel 2.2.10
Linux kernel 2.2.11
Linux kernel 2.2.12
Linux kernel 2.2.13
Linux kernel 2.2.14
Linux kernel 2.2.15 pre20
Linux kernel 2.2.15 pre16
Linux kernel 2.2.15
Linux kernel 2.2.16 pre6
Linux kernel 2.2.16
Linux kernel 2.2.17
Linux kernel 2.2.18
Linux kernel 2.2.19
Linux kernel 2.2.20
Linux kernel 2.2.21
Linux kernel 2.2.22
Linux kernel 2.2.23
Linux kernel 2.2.24
Linux kernel 2.2.25
Linux kernel 2.4 .0-test9
Linux kernel 2.4 .0-test8
Linux kernel 2.4 .0-test7
Linux kernel 2.4 .0-test6
Linux kernel 2.4 .0-test5
Linux kernel 2.4 .0-test4
Linux kernel 2.4 .0-test3
Linux kernel 2.4 .0-test2
Linux kernel 2.4 .0-test12
Linux kernel 2.4 .0-test11
Linux kernel 2.4 .0-test10
Linux kernel 2.4 .0-test1
Linux kernel 2.4
Linux kernel 2.4.1
Linux kernel 2.4.2
Linux kernel 2.4.3
Linux kernel 2.4.4
Linux kernel 2.4.5
Linux kernel 2.4.6
Linux kernel 2.4.7
Linux kernel 2.4.8
Linux kernel 2.4.9
Linux kernel 2.4.10
Linux kernel 2.4.11
Linux kernel 2.4.12
Linux kernel 2.4.13
Linux kernel 2.4.14
Linux kernel 2.4.15
Linux kernel 2.4.16
Linux kernel 2.4.17
Linux kernel 2.4.18 pre-8
Linux kernel 2.4.18 pre-7
Linux kernel 2.4.18 pre-6
Linux kernel 2.4.18 pre-5
Linux kernel 2.4.18 pre-4
Linux kernel 2.4.18 pre-3
Linux kernel 2.4.18 pre-2
Linux kernel 2.4.18 pre-1
Linux kernel 2.4.18 x86
Linux kernel 2.4.18
Linux kernel 2.4.19 -pre6
Linux kernel 2.4.19 -pre5
Linux kernel 2.4.19 -pre4
Linux kernel 2.4.19 -pre3
Linux kernel 2.4.19 -pre2
Linux kernel 2.4.19 -pre1
Linux kernel 2.4.19
Linux kernel 2.4.20
Linux kernel 2.4.21 pre7
Linux kernel 2.4.21 pre4
Linux kernel 2.4.21 pre1
Linux kernel 2.4.21
Linux kernel 2.4.22
Linux kernel 2.4.23
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6

Recommendations
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Restrict local access to all but trustworthy users and those who explicitly require access to local services. This may limit an attacker's ability to successful exploit this issue.

Block external access at the network boundary, unless service is required by external parties.
Due to the high likelihood that this issue will be used in conjunction with unrelated remote vulnerabilities, it is advised that administrators ensure that network-based access controls are implemented to restrict access to remote services.

Implement multiple redundant layers of security.
An attacker's ability to exploit this condition to escalate privileges may be hampered through the use of memory protection schemes. If possible, implement the use of non-executable and randomly mapped memory paging, especially memory protection implementations that operate in kernel space.

Red Hat has released advisory RHSA-2003:417-01 to address this issue. RHSA-2003:419-05 was also released to address Red Hat Enterprise distributions. See the referenced advisories for additional details.

Guardian Digital has released advisory ESA-20040105-001 for EnGarde Secure Linux. Fixes included in this advisory may be applied with the Guardian Digital WebTool.

Conectiva has released advisory CLA-2004:799 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Trustix has released advisory TSLSA-2004-01 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Astaro Security Linux has released kernel updates to address this issue in Up2Date 4.018.

SuSE has released security advisory SuSE-SA:2004:001 to address this issue.

This issue has been addressed in the 2.4.24 release of the Linux kernel.

Linux kernel 2.2:
Linux kernel 2.2.1:
Linux kernel 2.2.2:
Linux kernel 2.2.3:
Linux kernel 2.2.4:
Linux kernel 2.2.5:
Linux kernel 2.2.6:
Linux kernel 2.2.7:
Linux kernel 2.2.8:
Linux kernel 2.2.9:
Linux kernel 2.2.10:
Linux kernel 2.2.11:
Linux kernel 2.2.12:
Linux kernel 2.2.13:
Linux kernel 2.2.14:
Linux kernel 2.2.15 pre20:
Linux kernel 2.2.15 pre16:
Linux kernel 2.2.15:
Linux kernel 2.2.16 pre6:
Linux kernel 2.2.16:
Linux kernel 2.2.17:
Linux kernel 2.2.18:
Linux kernel 2.2.19:
Linux kernel 2.2.20:
Linux kernel 2.2.21:
Linux kernel 2.2.22:
Linux kernel 2.2.23:
Linux kernel 2.2.24:
Linux kernel 2.2.25:
Linux kernel 2.4 .0-test9:

Linux kernel 2.4 .0-test8:

Linux kernel 2.4 .0-test7:

Linux kernel 2.4 .0-test6:

Linux kernel 2.4 .0-test5:

Linux kernel 2.4 .0-test4:

Linux kernel 2.4 .0-test3:

Linux kernel 2.4 .0-test2:

Linux kernel 2.4 .0-test12:

Linux kernel 2.4 .0-test11:

Linux kernel 2.4 .0-test10:

Linux kernel 2.4 .0-test1:

Linux kernel 2.4:

Linux kernel 2.4.1:

Linux kernel 2.4.2:

Linux kernel 2.4.3:

Linux kernel 2.4.4:

Linux kernel 2.4.5:

Linux kernel 2.4.6:

Linux kernel 2.4.7:

Linux kernel 2.4.8:

Linux kernel 2.4.9:

Linux kernel 2.4.10:

Linux kernel 2.4.11:

Linux kernel 2.4.12:

Linux kernel 2.4.13:

Linux kernel 2.4.14:

Linux kernel 2.4.15:

Linux kernel 2.4.16:

Linux kernel 2.4.17:

Linux kernel 2.4.18 pre-8:

Linux kernel 2.4.18 pre-7:

Linux kernel 2.4.18 pre-6:

Linux kernel 2.4.18 pre-5:

Linux kernel 2.4.18 pre-4:

Linux kernel 2.4.18 pre-3:

Linux kernel 2.4.18 pre-2:

Linux kernel 2.4.18 pre-1:

Linux kernel 2.4.18 x86:

Linux kernel 2.4.18:

Linux kernel 2.4.19 -pre6:

Linux kernel 2.4.19 -pre5:

Linux kernel 2.4.19 -pre4:

Linux kernel 2.4.19 -pre3:

Linux kernel 2.4.19 -pre2:

Linux kernel 2.4.19 -pre1:

Linux kernel 2.4.19:

Linux kernel 2.4.20:

Linux kernel 2.4.21 pre7:

Linux kernel 2.4.21 pre4:

Linux kernel 2.4.21 pre1:

Linux kernel 2.4.21:

Linux kernel 2.4.22:

Linux kernel 2.4.23:

Linux kernel 2.6 -test9:
Linux kernel 2.6 -test8:
Linux kernel 2.6 -test7:
Linux kernel 2.6 -test6:
Linux kernel 2.6 -test5:
Linux kernel 2.6 -test4:
Linux kernel 2.6 -test3:
Linux kernel 2.6 -test2:
Linux kernel 2.6 -test11:
Linux kernel 2.6 -test10:
Linux kernel 2.6 -test1:
Linux kernel 2.6:

References
Source: Conectiva CLA-2004:799 kernel
URL: http://online.securityfocus.com/advisories/6197

Source: EnGarde ESA-20040105-001 kernel
URL: http://online.securityfocus.com/advisories/6196

Source: RedHat RHSA-2003:417-01 Updated kernel resolves security vulnerability
URL: http://online.securityfocus.com/advisories/6195

Source: SuSE SuSE-SA:2004:001 Linux Kernel
URL: http://online.securityfocus.com/advisories/6200

Source: Trustix TSLSA-2004-01 kernel
URL: http://online.securityfocus.com/advisories/6198

Source: RHSA-2003:419-05 Updated kernel packages resolve security vulnerability
URL: http://rhn.redhat.com/errata/RHSA-2003-419.html

Source: Up2Date 4.018
URL: http://www.astaro.org/showflat.php?Cat=&Number=34176&page=0&view=collapsed&sb=5&o=&fpart=1

Credits
Discovery is credited to Paul Starzetz and Wojciech Purczynski.

Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.