Stable kernels 2.6.31.6 and 2.6.27.39 released

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 6:56 UTC (Tue) by lkundrak (subscriber, #43452)
Parent article: Stable kernels 2.6.31.6 and 2.6.27.39 released

So, are NULL dereferences in kernel still considered vulnerabilities? I may sound uninformed, but I thought most of them are mitigated either by SELinux policies or the vm.mmap_min_addr sysctl.



Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 7:28 UTC (Tue) by MisterIO (guest, #36192) [Link]

Many distributions leave the possibility to map address 0, mostly because of Wine, it seems.

About SELinux, actually at least one time it seems to have helped the attacker.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 10:25 UTC (Tue) by lkundrak (subscriber, #43452) [Link]

That SELinux problem is already considered fixed, isn't it?

Looking at any reasonably modern Linux distribution reveals that they exchanged win16 application support for a sane mmap_min_addr setting, therefore leaving most potential security problems in the past (unlikely: were a function called through a pointer obtained from a NULL pointer to a structure that's > 4096 bytes, at least Fedora would still be vulnerable without SELinux).

And when it comes to older distributions, the issue got so much publicity I can't really believe there's anyone with untrusted local users who would still not have shielded himself from kernel NULL dereferences via known techniques.

I'd bet that there are more such issues coming; is it really that necessary to inflate the meaning of the "security vulnerability" term?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 12:25 UTC (Tue) by spender (subscriber, #23067) [Link]

The SELinux problem was fixed upstream and in Fedora when I released the last exploit. Seven public exploits, however, still were not enough for RHEL to fix their vulnerable default configuration. It took the release of the pipe exploit for them to finally fix it in their kernels last Friday.

As for whether people still run with mmap_min_addr set to zero, or are using a vulnerable version, or are using an old distro that hasn't had the feature backported, I know enough sysadmins to know this is certainly the case. It doesn't help that distros turn the feature off when it doesn't necessarily need to be (as mentioned in other threads here about wine), or that sufficient, conspicuous warning is not given when this is going to happen (see the recent slashdot article with a dozen posters surprised theirs was turned off and not knowing why).

So certainly, they are still security vulnerabilities; however, distros can and should of course mention that mitigations exist for privilege escalation. The bugs remain security vulnerabilities regardless, however, since mitigation turns them into a potential (or certain, if panic_on_oops is enabled like on some distros) DoS.

-Brad

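As an added illustration (not part of this thread, and not code posted by any of its participants), here is a small POSIX shell check that classifies a host's vm.mmap_min_addr and kernel.panic_on_oops settings along the lines discussed by lkundrak above (the caveat about large structures whose fields sit past the protected range) and by spender (a mitigated NULL dereference still being a potential or certain DoS). The 65536 threshold, the verdict words and the function names are this script's own assumptions, not values stated in the thread.

```shell
#!/bin/sh
# Added example (not from the LWN thread): classify the NULL-page mitigation
# state of a Linux host from its sysctl values.
# Assumption: the 65536 threshold is this script's own policy, not a distro's.

# Classify a raw vm.mmap_min_addr value (bytes). Prints one word:
#   invalid      - not a non-negative integer
#   unprotected  - 0: page zero can be mapped by unprivileged users
#   partial      - below 65536: the first page(s) are blocked, but a field of
#                  a large structure addressed via a NULL pointer may still
#                  fall beyond the protected range
#   protected    - 65536 or more
assess_mmap_min_addr() {
    value=$1
    case "$value" in
        ''|*[!0-9]*) echo "invalid"; return 0 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "unprotected"
    elif [ "$value" -lt 65536 ]; then
        echo "partial"
    else
        echo "protected"
    fi
    return 0
}

# Describe what a kernel oops turns into given kernel.panic_on_oops.
oops_impact() {
    case "$1" in
        0) echo "oops kills the offending process (potential DoS)" ;;
        1) echo "oops panics the whole machine (certain DoS)" ;;
        *) echo "unknown panic_on_oops value: $1" ;;
    esac
    return 0
}

# Read the live values from /proc/sys when present; otherwise say so.
check_host() {
    min_addr_file=/proc/sys/vm/mmap_min_addr
    panic_file=/proc/sys/kernel/panic_on_oops
    if [ ! -r "$min_addr_file" ]; then
        echo "$min_addr_file not readable: not a Linux host or /proc unavailable"
        return 0
    fi
    value=$(cat "$min_addr_file")
    echo "vm.mmap_min_addr=$value -> $(assess_mmap_min_addr "$value")"
    if [ -r "$panic_file" ]; then
        panic=$(cat "$panic_file")
        echo "kernel.panic_on_oops=$panic -> $(oops_impact "$panic")"
    fi
    return 0
}

check_host
```

Run it as an unprivileged user; both files under /proc/sys are world-readable on a stock kernel, so no root is needed to audit the setting.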
Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 13:00 UTC (Tue) by spender (subscriber, #23067) [Link]

BTW, you need to throw out your entire conception of "untrusted local users." If you run a webserver with php scripts on it and no "untrusted local users" -- there's a good chance at some point the machine will have one (or more), via webapp exploits. The mindset of "I don't have any untrusted local users on this machine so I don't need to upgrade" is what gets people bit by these vulnerabilities.

And just to emphasize an earlier point, if mmap_min_addr and SELinux were written correctly back in 2007 when mmap_min_addr was introduced in response to my first exploit, the bug class would largely be a non-issue right now.

But mmap_min_addr has had 5 or so bypasses since its inclusion, and the SELinux problem was only just fixed in RHEL5 last Friday (as I mentioned already, it was fixed two months or so ago in Fedora) so it's really almost the case that anyone who doesn't have *very* recent _kernels_ is vulnerable.

If we were to talk about "reasonably modern" Linux distributions, RHEL 5.3 is vuln out of the box, RHEL 5.4 is vuln out of the box, Ubuntu 9.04 is vuln out of the box, FC11 is vuln out of the box, and the SuSE 10 SP3 that was just released last month is vuln out of the box.

Ubuntu 9.10 is fine (modulo any toggling from wine), FC12 is fine (I think), and SuSE 11 is fine.

-Brad

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 15:37 UTC (Tue) by nix (subscriber, #2304) [Link]

Technically the people with webservers with php scripts on don't have untrusted local users, they have *malicious* local users that they don't even know are there (as soon as an attacker gets in at all). This is of course worse, because as you suggest they'll often have thought 'ooh, I trust all the local users', which is poppycock.

It's like a filter making sure that everyone who manages to become a local user has larceny in his heart...

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 11:00 UTC (Tue) by nye (guest, #51576) [Link]

>Many distributions leave the possibility to map address 0, mostly because of Wine, it seems.

Which (assuming it's true), is fairly silly. Wine only needs it to run DOS binaries (apparently it used to need it to run some or all win16 binaries, but it hasn't done for years), but it's always been really bad at that anyway, and better methods exist (notably Dosbox).

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 11:16 UTC (Tue) by epa (subscriber, #39769) [Link]

Does dosemu need to map address 0?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 12:43 UTC (Tue) by nye (guest, #51576) [Link]

I would imagine so, though I've not used it in eight or nine years so couldn't really say...

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 13:01 UTC (Tue) by Cyberax (subscriber, #52523) [Link]

Dosemu needs it, dosbox doesn't.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 16:24 UTC (Tue) by meuh (subscriber, #22042) [Link]

Even for win16 binaries, Wine doesn't need page 0 anymore.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 10:41 UTC (Wed) by nye (guest, #51576) [Link]

That's what I said :P.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 11:15 UTC (Tue) by epa (subscriber, #39769) [Link]

I suggest that it should be considered a vulnerability if it's a vulnerability in any possible configuration. Consider a bug in some obscure device driver that about three people use. If it's exploitable, it should count as a vulnerability, though perhaps not the most serious one. The number of people who run with SELinux turned off is greater than three.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds