-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                    Caldera Systems, Inc.  Security Advisory

Subject:                Kernel Security Problems
Advisory number:        CSSA-1999:032.0
Issue date:             1999 October, 21
Cross reference:
______________________________________________________________________________


1. Problem Description

   The Linux kernel as shipped with Caldera OpenLinux 2.3 has two definitive
   security problems, and one possible problem.

   I. TCP Spoofing Problem

   Several applications, in particular rlogin and rsh, can be configured to
   trust network connections from particular hosts. When an attacker wants to
   fool a server into believing he is trusted host A, he needs to send packets
   with a fake (aka spoofed) source network address. In addition to this, he
   needs to guess what is called the initial TCP sequence number (ISN), which
   is used in the three-way handshake that occurs when a TCP connection is
   established.

   The TCP implementation of the Linux 2.2 kernel had a weakness that allowed
   an attacker to guess this initial sequence number.

   This problem has been corrected in the official 2.2.12 kernel. The patch
   has been back ported to 2.2.10 and is included in this update.

   II. Packet Injection Problem

   The SLIP and PPP protocols used to transmit network traffic over serial
   lines (e.g. modems) are implemented using a so-called line discipline.
   Changing the line discipline of a serial device effectively turns it from
   a (character-based) terminal device into a network device.

   The kernel failed to check whether the caller had proper permissions when
   asked to change the line discipline to PPP or SLIP. This allows an
   intruder to inject arbitrary IP packets under certain circumstances.

   This problem has been corrected in the official 2.2.13 kernel. The patch
   has been back ported to 2.2.10 and is included in this update.

   III. Possible Argument Vector Corruption

   When a process executes another program, it passes it an array of string
   pointers containing the list of arguments. The kernel code that deals with
   copying these arguments to the address space of the invoked program failed
   to check for certain conditions, which could lead to the invoked program
   crashing with a segmentation fault.

   This problem does not appear to affect security. However, if somebody
   should find an exploit for it, the impact of this problem would be
   tremendous. We therefore include this patch as a matter of caution.

   This problem has been corrected in the official 2.2.13 kernel. The patch
   has been back ported to 2.2.10 and is included in this update.

   IV. Acknowledgements

   Caldera wishes to thank S. Krahmer and Stealth for their investigation of
   the TCP spoofing problem, and Alex Kuznetsiov for his patch.

   Caldera wishes to thank Marc Schaefer for his investigation of the line
   discipline problem.

2. Vulnerable Versions

   Systems : COL 2.2, COL 2.3
   Packages: previous to linux-2.2.10-9

3. Solutions

   The proper solution is to upgrade to the latest packages:

      rpm -U linux-kernel-binary-2.2.10-9.i386.rpm
      rpm -U linux-kernel-include-2.2.10-9.i386.rpm
      rpm -U linux-kernel-doc-2.2.10-9.i386.rpm

4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

      ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current/RPMS/

   The corresponding source code package can be found at:

      ftp://ftp.calderaystems.com/pub/OpenLinux/updates/2.3/current/SRPMS/

5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

      rpm -U linux-kernel-binary-2.2.10-9.i386.rpm
      rpm -U linux-kernel-include-2.2.10-9.i386.rpm
      rpm -U linux-kernel-doc-2.2.10-9.i386.rpm

   Do the same for all needed linux-source packages.

6. Verification

   4e214bfbeb677b97651db19b82504614  linux-kernel-binary-2.2.10-9.i386.rpm
   c5e8deb65de545f5a69d8fd2dd52e09f  linux-kernel-doc-2.2.10-9.i386.rpm
   45e836965f3067327a85b5204037ba8e  linux-kernel-include-2.2.10-9.i386.rpm
   b5c8544f207a5bdc5cc8257365b43014  linux-source-alpha-2.2.10-9.i386.rpm
   a7b432171757e0f16526d066c40cf7f5  linux-source-arm-2.2.10-9.i386.rpm
   90502fd53633f9edbb99d15c4d9647d6  linux-source-common-2.2.10-9.i386.rpm
   fe8c40e5eba3892bfa81f5a866d37950  linux-source-i386-2.2.10-9.i386.rpm
   5f5e03a455e008241bd322876d35927d  linux-source-m68k-2.2.10-9.i386.rpm
   050e37d84eeaa7bb2d60d4f52f8d36fe  linux-source-mips-2.2.10-9.i386.rpm
   ff39137d04d111fe5b1475b9034f9299  linux-source-ppc-2.2.10-9.i386.rpm
   fe2d46854e43c4515e9007c7d1067df0  linux-source-sparc-2.2.10-9.i386.rpm
   ecc011eb0fcf1c1679ab6207175e6a16  linux-source-sparc64-2.2.10-9.i386.rpm
   821e29ce2632c0424e9195904bd045a1  linux-2.2.10-9.src.rpm

7. References

   This and other Caldera security resources are located at:

      http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Reports 5163 and 5194.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBODAofOn+9R4958LpAQFxaQP+McbZmqr2ncz9CJp8fZnYgq00doaUodbL
I2Ix/I+lepni3CZXMIsDTZSRmppZy1WJ0f00xyKyd8ZUoHEb4AnkpZ0XoO6sKsiB
Nkfi/gws4kcpAcUP69v/FTTTKF4yTaZDXTfzVo1s5pUlaSFnKRtzEgOEKwCPfYg8
nnr06lFpWTM=
=afxk
-----END PGP SIGNATURE-----
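Appended example for section 1.I (TCP Spoofing Problem). The spoofing attack the advisory describes depends on how hard it is to guess the next ISN, which is exactly what an administrator auditing a TCP stack wants to measure. The C program below is an example added to this page; it is not part of Caldera's advisory, the kernel patch, or the official 2.2.12 fix. It runs a simplified sequence-predictability audit over two constructed sets of ISN samples: one modelling a stack that adds a fixed amount per connection, one modelling a randomised stack. The index is loosely modelled on the difficulty figure scanners such as nmap report, not a reproduction of it; the samples, the 16-bit threshold and all function names are assumptions made for the demonstration, and nothing here reproduces the exact arithmetic of the 2.2.10 generator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSAMPLES    8
#define MAX_SAMPLES 64

/* Constructed ISN samples, one per successive connection to the same host.
 * predictable_isn models a stack that adds a fixed amount per connection;
 * random_isn models a stack whose ISN has no usable structure. Neither is
 * a capture from a real Linux 2.2 machine. */
static const uint32_t predictable_isn[NSAMPLES] = {
    0x10000000, 0x10010000, 0x10020000, 0x10030000,
    0x10040000, 0x10050000, 0x10060000, 0x10070000
};
static const uint32_t random_isn[NSAMPLES] = {
    0x8f3a12c4, 0x1b77e902, 0xd40c5a9e, 0x62e8b311,
    0xa90f4d7b, 0x37c1e8d0, 0xf2b09a45, 0x5d6e27f9
};

static uint32_t gcd32(uint32_t a, uint32_t b)
{
    while (b != 0) {
        uint32_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* Newton-iteration square root, so the example needs no libm. */
static double approx_sqrt(double x)
{
    double r = x > 1.0 ? x : 1.0;
    int k;
    for (k = 0; k < 200; k++)
        r = 0.5 * (r + x / r);
    return r;
}

/* Difficulty of guessing the next ISN from the previous ones: the bit
 * length of the standard deviation of the successive differences, after
 * dividing out any common divisor. 0 means the next ISN follows exactly
 * from the last one; values near 30 mean the differences are spread over
 * most of the 32-bit space. Returns -1 for fewer than three samples. */
int isn_difficulty_bits(const uint32_t *isn, size_t n)
{
    uint32_t diff[MAX_SAMPLES];
    uint32_t g = 0;
    double mean = 0.0, var = 0.0, sd;
    size_t i, m;
    int bits = 0;

    if (n < 3 || n > MAX_SAMPLES)
        return -1;
    m = n - 1;
    for (i = 0; i < m; i++) {
        diff[i] = isn[i + 1] - isn[i];   /* unsigned wraparound is intended */
        g = gcd32(g, diff[i]);
    }
    if (g == 0)
        return 0;                        /* every sample identical */
    for (i = 0; i < m; i++)
        mean += (double)(diff[i] / g);
    mean /= (double)m;
    for (i = 0; i < m; i++) {
        double d = (double)(diff[i] / g) - mean;
        var += d * d;
    }
    sd = approx_sqrt(var / (double)m);
    while (sd >= 2.0) {                  /* floor(log2(sd)) */
        sd /= 2.0;
        bits++;
    }
    return bits;
}

/* Defender's verdict: a stack whose index is below 16 bits leaves the next
 * ISN inside a window small enough to worry about. The threshold is an
 * illustrative choice, not a value from the advisory. */
int isn_is_weak(const uint32_t *isn, size_t n)
{
    int bits = isn_difficulty_bits(isn, n);
    return bits >= 0 && bits < 16;
}

int main(void)
{
    printf("constant-increment stack: %d bits, weak=%d\n",
           isn_difficulty_bits(predictable_isn, NSAMPLES),
           isn_is_weak(predictable_isn, NSAMPLES));
    printf("randomised stack:         %d bits, weak=%d\n",
           isn_difficulty_bits(random_isn, NSAMPLES),
           isn_is_weak(random_isn, NSAMPLES));
    return 0;
}
```

The constant-increment samples score 0 bits and are flagged weak; the randomised samples score well above the threshold. Dividing out the common divisor matters: a stack that adds 64000 per connection is no harder to guess than one that adds 1, and without that step its large differences would look healthy.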
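Appended example for section 1.III (Possible Argument Vector Corruption). The advisory describes the exec-time copy of the argument vector without naming the unchecked condition, so the C program below is an added user-space model of what such a copier must check, not the kernel's own copy routine and not the back-ported patch: the vector must be NULL-terminated within an entry limit, and every string must be measured only against the space still free, with an oversized list reported the way execve reports it, as E2BIG. ARG_AREA_SIZE, MAX_ARG_STRINGS and the demo_* inputs are constructed for the example and are far smaller than a real kernel's limits.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for the model. A real kernel bounds the argument area
 * by a number of pages and the vector by an entry count; the figures here
 * are small so that the failure paths are easy to exercise. */
#define ARG_AREA_SIZE   64
#define MAX_ARG_STRINGS 16

/* Bounded string length, written out so the example stays within C99. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Count the argv entries, refusing a NULL vector and a vector that is not
 * NULL-terminated within MAX_ARG_STRINGS entries. Negative errno on error. */
int count_args(char *const argv[])
{
    int n = 0;
    if (argv == NULL)
        return -EFAULT;
    while (argv[n] != NULL) {
        if (++n > MAX_ARG_STRINGS)
            return -E2BIG;
    }
    return n;
}

/* Copy the strings into the top of `area`, last argument first, the way an
 * exec-time copier lays out the new program's initial stack. Each string's
 * length is measured only against the bytes still free, so an argument
 * without a terminator, or a vector that does not fit, fails with -E2BIG
 * instead of writing past the area. Returns the number of bytes used. */
long copy_args(char *const argv[], char *area, size_t area_size)
{
    int argc = count_args(argv);
    size_t p = area_size;             /* write position, moves downward */
    int i;

    if (argc < 0)
        return argc;
    for (i = argc - 1; i >= 0; i--) {
        size_t len = bounded_len(argv[i], p);
        if (len == p)                 /* no terminator fits in what is left */
            return -E2BIG;
        p -= len + 1;
        memcpy(area + p, argv[i], len + 1);
    }
    return (long)(area_size - p);
}

/* Demonstration inputs, all constructed. */
static char demo_area[ARG_AREA_SIZE];

/* "ls -l" fits: 6 bytes used, "ls" laid out just below "-l". */
long demo_small_vector(void)
{
    char *const argv[] = { "ls", "-l", NULL };
    return copy_args(argv, demo_area, sizeof demo_area);
}

/* A single 99-character argument cannot fit a 64-byte area. */
long demo_oversized_argument(void)
{
    static char big[100];
    char *const argv[] = { big, NULL };
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return copy_args(argv, demo_area, sizeof demo_area);
}

/* A vector with no NULL within MAX_ARG_STRINGS + 1 entries. */
int demo_unterminated_vector(void)
{
    char *argv[MAX_ARG_STRINGS + 1];
    int i;
    for (i = 0; i <= MAX_ARG_STRINGS; i++)
        argv[i] = "x";
    return count_args(argv);
}

int main(void)
{
    printf("ls -l        -> %ld bytes used\n", demo_small_vector());
    printf("99-byte arg  -> %ld (expect %d)\n", demo_oversized_argument(), -E2BIG);
    printf("no NULL      -> %d (expect %d)\n", demo_unterminated_vector(), -E2BIG);
    return 0;
}
```

The point of measuring each string against the remaining space rather than against a fixed maximum is that the two failure modes the advisory hints at, an unterminated string and a vector that overruns its area, are caught by the same comparison before any byte is written.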