Vigil@nce: Linux kernel, altering ebtables
January 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When Linux is used in Bridge mode with ebtables, a local
attacker can modify the rules.
Severity: 2/4
Consequences: data flow
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/01/2010
IMPACTED PRODUCTS
– Linux kernel
– netfilter iptables
DESCRIPTION OF THE VULNERABILITY
When Linux is used in Bridge mode, the administrator can use the
ebtables firewall tool to define network rules.
The do_ebt_set_ctl() and do_ebt_get_ctl() functions of the
net/bridge/netfilter/ebtables.c file are used to change and read
information associated with these rules.
However, these functions do not check whether the caller has the
CAP_NET_ADMIN capability.
A local unprivileged attacker can therefore alter ebtables rules.
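The missing check can be shown with a small userspace model, added here as an illustration and not taken from the kernel source or from the advisory. The struct and function names (caller, rule_table, model_capable, set_ctl_unchecked, set_ctl_checked, get_ctl_checked) are hypothetical stand-ins for the kernel's caller credentials and the two control handlers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_NET_ADMIN 12  /* same value as in <linux/capability.h> */

/* Hypothetical stand-ins: a caller's effective capability set and a rule table. */
struct caller { uint64_t cap_effective; };
struct rule_table { char policy[16]; };

static int model_capable(const struct caller *c, int cap) { return (int)((c->cap_effective >> cap) & 1); }

/* Behaviour the advisory describes: the set handler applies the request
 * without looking at the caller's capabilities. */
static int set_ctl_unchecked(const struct caller *c, struct rule_table *t, const char *policy)
{
    (void)c;
    snprintf(t->policy, sizeof(t->policy), "%s", policy);
    return 0;
}

/* Hardened form: refuse before touching the table unless CAP_NET_ADMIN is held. */
static int set_ctl_checked(const struct caller *c, struct rule_table *t, const char *policy)
{
    if (!model_capable(c, CAP_NET_ADMIN))
        return -EPERM;
    snprintf(t->policy, sizeof(t->policy), "%s", policy);
    return 0;
}

/* The read handler gets the same gate, since the advisory names both functions. */
static int get_ctl_checked(const struct caller *c, const struct rule_table *t, char *out, size_t n)
{
    if (!model_capable(c, CAP_NET_ADMIN))
        return -EPERM;
    snprintf(out, n, "%s", t->policy);
    return 0;
}

int main(void)
{
    struct caller user = { 0 }, admin = { 1ULL << CAP_NET_ADMIN };
    struct rule_table t = { "DROP" };
    char buf[16];
    printf("unchecked set, no capability: %d\n", set_ctl_unchecked(&user, &t, "ACCEPT"));
    printf("checked set, no capability:   %d\n", set_ctl_checked(&user, &t, "DROP"));
    printf("checked get, no capability:   %d\n", get_ctl_checked(&user, &t, buf, sizeof buf));
    printf("checked set, CAP_NET_ADMIN:   %d\n", set_ctl_checked(&admin, &t, "DROP"));
}
```

The point of the checked variants is ordering: the capability test returns -EPERM before any rule data is read or written.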
CHARACTERISTICS
Identifiers: BID-37762, CVE-2010-0007, VIGILANCE-VUL-9345
http://vigilance.fr/vulnerability/Linux-kernel-altering-ebtables-9345