oss-sec mailing list archives
Re: CVE-2010-2524 kernel: dns_resolver upcall security issue
From: akuster <akuster () mvista com>
Date: Mon, 02 Aug 2010 10:29:46 -1000
Eugene, So would it mean git commit 6103335de8afa5d780dcd512abe85c696af7b040 introduced the problem? - Armin On 08/01/2010 05:47 PM, Eugene Teo wrote:
CIFS has the ability to chase MS-DFS referrals. In order to do this it has to be able to resolve hostnames into IP addresses. For this, it uses the keys API to upcall to the cifs.upcall userspace helper. It then resolves the name and hands the address back to the kernel. The dns_resolver upcall currently used by CIFS is susceptible to cache stuffing. It's possible for a malicious user to stuff the keyring with the results of a lookup, and then trick the server into mounting a server of his choosing. I have assigned this with CVE-2010-2524. To be susceptible to this, you need CONFIG_CIFS_DFS_UPCALL enabled. Interesting bug. https://bugzilla.redhat.com/CVE-2010-2524 Upstream commit: http://git.kernel.org/linus/4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7 Thanks, Eugene
Current thread:
- CVE-2010-2524 kernel: dns_resolver upcall security issue Eugene Teo (Aug 01)
- Re: CVE-2010-2524 kernel: dns_resolver upcall security issue akuster (Aug 02)
- Re: CVE-2010-2524 kernel: dns_resolver upcall security issue Eugene Teo (Aug 02)
- Re: CVE-2010-2524 kernel: dns_resolver upcall security issue akuster (Aug 02)