oss-sec mailing list archives
CVE-2012-3520 kernel: af_netlink: invalid handling of SCM_CREDENTIALS passing
From: Petr Matousek <pmatouse () redhat com>
Date: Wed, 22 Aug 2012 09:20:26 +0200
A flaw was found in the way Netlink messages without explicitly set SCM_CREDENTIALS were delivered. The kernel passes all-zero SCM_CREDENTIALS ancillary data to the receiver if the sender did not provide such data, instead of including the correct data from the peer (as it is the case with AF_UNIX). Programs that set SO_PASSCRED option on the Netlink socket and rely on SCM_CREDENTIALS for authentication might accept spoofed messages and perform privileged actions on behalf of the unprivileged attacker. Introduced in: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=16e572626961 Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=e0e3cea46d31 Acknowledgements: Red Hat would like to thank Pablo Neira Ayuso for for reporting this issue. Thanks, -- Petr Matousek / Red Hat Security Response Team
Current thread:
- CVE-2012-3520 kernel: af_netlink: invalid handling of SCM_CREDENTIALS passing Petr Matousek (Aug 22)