Freely subscribe to our NEWSLETTER

SYNTHESIS OF THE VULNERABILITY

A local attacker can use two udev vulnerabilities in order to
execute code with kernel privileges.

Severity: 2/4

Consequences: administrator access/rights

Provenance: user shell

Means of attack: 1 attack

Ability of attacker: technician (2/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Number of vulnerabilities in this bulletin: 2

Creation date: 16/04/2009

Revision date: 20/04/2009

IMPACTED PRODUCTS

– Debian Linux
– Fedora
– Linux kernel
– OpenSUSE
– Red Hat Enterprise Linux
– Slackware Linux
– SUSE Linux Enterprise Server

DESCRIPTION OF THE VULNERABILITY

The 2.6 kernel uses udev to manage /dev and hotplug devices. It is
impacted by two vulnerabilities.

The NETLINK_KOBJECT_UEVENT message is sent on a PF_NETLINK socket
by the kernel to an user space process. However, udev does not
check if this message comes from the kernel space. It then accepts
the associated action, such as creating a device. A local attacker
can therefore obtain the root privilege. [grav:2/4; 495051,
BID-34536, CVE-2009-1185]

The util_path_encode() function of the udev/lib/libudev-util.c
file converts special characters to "\xXX" where XX is the
hexadecimal code of the character. The final name is thus longer
than the requested device name, but the function does not reserve
sufficient space to store the new name. An attacker can therefore
generate a buffer overflow. [grav:2/4; 495052, BID-34539,
CVE-2009-1186]

A local attacker can therefore execute code with kernel privileges.

CHARACTERISTICS

Identifiers: 495051, 495052, BID-34536, BID-34539, CVE-2009-1185,
CVE-2009-1186, DSA 1772-1, FEDORA-2009-3711, FEDORA-2009-3712,
RHSA-2009:0427-01, SSA:2009-111-01, SSA:2009-111-02,
SUSE-SA:2009:020, SUSE-SA:2009:025, VIGILANCE-VUL-8642

http://vigilance.fr/vulnerability/udev-privilege-elevation-8642