Bug 612166 (CVE-2010-2524) - CVE-2010-2524 kernel: dns_resolver upcall security issue
Summary: CVE-2010-2524 kernel: dns_resolver upcall security issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-2524
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 612136 612168 612169 612170 612171
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-07 13:20 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:37 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 08:43:32 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0610 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-08-10 18:01:15 UTC

Description Eugene Teo (Security Response) 2010-07-07 13:20:21 UTC
Description of problem:
CIFS has the ability to chase MS-DFS referrals. In order to do this it has to be able to resolve hostnames into IP addresses. For this, it uses the keys API to upcall to the cifs.upcall userspace helper. It then resolves the name and hands the address back to the kernel.

The dns_resolver upcall currently used by CIFS is susceptible to cache stuffing. It's possible for a malicious user to stuff the keyring with the results of a lookup, and then trick the server into mounting a server of his choosing.

Comment 4 Eugene Teo (Security Response) 2010-07-08 02:05:47 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as they did not include support for the upcall mechanism for the Common Internet File System (CIFS). This issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0723.html.

Comment 10 Eugene Teo (Security Response) 2010-08-02 03:41:20 UTC
Upstream commit:
http://git.kernel.org/linus/4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7

Comment 11 Chuck Ebbert 2010-08-02 21:15:41 UTC
Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7 and 2.6.32.17

Comment 12 Fedora Update System 2010-08-03 00:58:47 UTC
kernel-2.6.32.16-150.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-08-03 01:10:55 UTC
kernel-2.6.33.6-147.2.4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Eugene Teo (Security Response) 2010-08-03 03:52:25 UTC
Introduced via commit 6103335de8afa5d780dcd512abe85c696af7b040 (2.6.25-rc1).

Comment 15 errata-xmlrpc 2010-08-10 18:01:54 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0610 https://rhn.redhat.com/errata/RHSA-2010-0610.html


Note You need to log in before you can comment on or make changes to this bug.