Vigil@nce: Linux kernel, using SBNI
September 2008 by Vigil@nce
A local privileged attacker can use the SBNI driver even if he
does not have the CAP_NET_ADMIN capability.
– Gravity: 1/4
– Consequences: privileged access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 29/08/2008
– Identifier: VIGILANCE-VUL-8073
IMPACTED PRODUCTS
– Linux kernel [confidential versions]
DESCRIPTION
The drivers/net/wan/sbni.c file implements the support of Granch
SBNI12 Leased Line network devices.
The sbni_ioctl() function handles various ioctls:
– SIOCDEVRESINSTATS: reset statistics
– SIOCDEVSHWSTATE: change hardware state
– SIOCDEVENSLAVE: create a slave
– SIOCDEVEMANSIPATE: emancipate a slave
Only a user with euid 0 is allowed to use these ioctls.
However, the check considers the euid alone: if root does not have
the CAP_NET_ADMIN capability (unlikely), he should not be able to
use these ioctls, yet he still can.
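The difference between the two checks, as an added example (a userspace model written for this page, not code from sbni.c or from the advisory): it reads the effective uid and CapEff mask from a constructed /proc/<pid>/status sample and evaluates both gates. The names task_cred, parse_status, gate_euid and gate_capable are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN 12 /* bit number from <linux/capability.h> */

struct task_cred { unsigned euid; uint64_t cap_effective; };

/* Constructed sample in /proc/<pid>/status layout: root, CAP_NET_ADMIN dropped. */
static const char SAMPLE_STATUS[] =
    "Name:\tsample\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapEff:\t0000003fffffefff\n";

/* Extract effective uid and effective capability mask from status text. */
static int parse_status(const char *status, struct task_cred *c)
{
    const char *uid = strstr(status, "Uid:");
    const char *cap = strstr(status, "CapEff:");
    unsigned ruid;

    if (!uid || !cap || sscanf(uid, "Uid: %u %u", &ruid, &c->euid) != 2)
        return -1;
    c->cap_effective = strtoull(cap + strlen("CapEff:"), NULL, 16);
    return 0;
}

/* Gate as the advisory describes it: only the euid is examined. */
static int gate_euid(const struct task_cred *c)
{
    return c->euid == 0 ? 0 : -EPERM;
}

/* Gate the advisory says should apply: CAP_NET_ADMIN must be effective. */
static int gate_capable(const struct task_cred *c)
{
    return ((c->cap_effective >> CAP_NET_ADMIN) & 1) ? 0 : -EPERM;
}

int main(void)
{
    struct task_cred c;
    if (parse_status(SAMPLE_STATUS, &c) != 0)
        return 1;
    printf("euid gate: %d, capability gate: %d\n", gate_euid(&c), gate_capable(&c));
    return 0;
}
```

For the sample process the euid gate grants access while the capability gate returns -EPERM, which is the gap the advisory describes.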
CHARACTERISTICS
– Identifiers: CVE-2008-3525, VIGILANCE-VUL-8073
– Url: https://vigilance.aql.fr/tree/1/8073