Vigil@nce: Linux kernel, unchecked capabilities
October 2009 by Vigil@nce
The kernel does not check some capabilities, which can be used by
a local attacker to do some privileged actions.
– Severity: 1/4
– Consequences: privileged access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 4
– Creation date: 27/10/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
A process can have capabilities, in order to do privileged actions:
– CAP_SYS_BOOT : reboot the system
– CAP_NET_RAW : send packets
– CAP_SYS_ADMIN : administration
– etc.
However, some parts of the kernel do not check capabilities of the
calling process.
The cn_dst_callback() function of the drivers/staging/dst/dcore.c
file does not check if the user has the CAP_SYS_ADMIN capability.
[grav:1/4]
The cn_ulog_callback() function of the drivers/md/dm-log-userspace-transfer.c
file does not check if the user has the CAP_SYS_ADMIN capability.
[grav:1/4]
The uvesafb_cn_callback() function of the drivers/video/uvesafb.c
file does not check if the user has the CAP_SYS_ADMIN capability.
[grav:1/4]
The pohmelfs_cn_callback() function of the
drivers/staging/pohmelfs/config.c file does not check if the user
has the CAP_SYS_ADMIN capability. [grav:1/4]
A local attacker can therefore do some privileged actions.
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-9128
– Url: http://vigilance.fr/vulnerability/Linux-kernel-unchecked-capabilities-9128