Executive Summary

Summary
Title Linux kernel RDS protocol vulnerability
Informations
NameVU#362983First vendor Publication2010-10-25
VendorVU-CERTLast vendor Modification2010-10-25
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score7.2Attack RangeLocal
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score3.9AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#362983

Linux kernel RDS protocol vulnerability

Overview

The RDS protocol implementation of Linux kernels 2.6.30 through 2.6.38-rc8 contain a local privilege escalation vulnerability.

I. Description

Kernel functions fail to properly check if a user supplied address exists in the user segment of memory. By providing a kernel address to a socket call an unprivileged user can execute arbitrary code as root. Additional details can be found in the VSR Security Advisory.

II. Impact

An unprivileged local attacker can escalate their privileges to root.

III. Solution

Apply an update for the specific Linux distribution used.

If the RDS protocol is not needed, it can be disabled with the following command run as root.

echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

Vendor Information

VendorStatusDate NotifiedDate Updated
Debian GNU/LinuxAffected2010-10-25
Gentoo LinuxAffected2010-10-25
Red Hat, Inc.Affected2010-10-25
Slackware Linux Inc.Affected2010-10-25
UbuntuAffected2010-10-25

References

http://www.vsecurity.com/resources/advisory/20101019-1/

Credit

Thanks to Dan Rosenberg of Virtual Security Research for researching and publishing the details of this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public:2010-10-19
Date First Published:2010-10-25
Date Last Updated:2010-10-25
CERT Advisory:
CVE-ID(s):CVE-2010-3904
NVD-ID(s):CVE-2010-3904
US-CERT Technical Alerts:
Metric:20.84
Document Revision:12

Original Source

Url : http://www.kb.cert.org/vuls/id/362983

CWE : Common Weakness Enumeration

idName
CWE-20Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22008
 
Oval ID: oval:org.mitre.oval:def:22008
Title: RHSA-2010:0792: kernel security update (Important)
Description: The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
Family: unix Class: patch
Reference(s): RHSA-2010:0792-01
CESA-2010:0792
CVE-2010-3904
Version: 4
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): kernel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21695
 
Oval ID: oval:org.mitre.oval:def:21695
Title: RHSA-2010:0842: kernel security and bug fix update (Important)
Description: The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
Family: unix Class: patch
Reference(s): RHSA-2010:0842-02
CVE-2010-2803
CVE-2010-2955
CVE-2010-2962
CVE-2010-3079
CVE-2010-3081
CVE-2010-3084
CVE-2010-3301
CVE-2010-3432
CVE-2010-3437
CVE-2010-3442
CVE-2010-3698
CVE-2010-3705
CVE-2010-3904
Version: 172
Platform(s): Red Hat Enterprise Linux 6
Product(s): kernel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20540
 
Oval ID: oval:org.mitre.oval:def:20540
Title: VMware ESX third party updates for Service Console packages glibc and dhcp
Description: The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3904
Version: 4
Platform(s): VMWare ESX Server 4.1
VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23172
 
Oval ID: oval:org.mitre.oval:def:23172
Title: ELSA-2010:0842: kernel security and bug fix update (Important)
Description: The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
Family: unix Class: patch
Reference(s): ELSA-2010:0842-02
CVE-2010-2803
CVE-2010-2955
CVE-2010-2962
CVE-2010-3079
CVE-2010-3081
CVE-2010-3084
CVE-2010-3301
CVE-2010-3432
CVE-2010-3437
CVE-2010-3442
CVE-2010-3698
CVE-2010-3705
CVE-2010-3904
Version: 57
Platform(s): Oracle Linux 6
Product(s): kernel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23030
 
Oval ID: oval:org.mitre.oval:def:23030
Title: ELSA-2010:0792: kernel security update (Important)
Description: The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
Family: unix Class: patch
Reference(s): ELSA-2010:0792-01
CVE-2010-3904
Version: 6
Platform(s): Oracle Linux 5
Product(s): kernel
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Os438

ExploitDB Exploits

idDescription
2010-10-19Linux RDS Protocol Local Privilege Escalation

OpenVAS Exploits

DateDescription
2012-03-16Name : VMSA-2011-0012.3 VMware ESXi and ESX updates to third party libraries and ESX...
File : nvt/gb_VMSA-2011-0012.nasl
2011-12-02Name : Fedora Update for kernel FEDORA-2011-16346
File : nvt/gb_fedora_2011_16346_kernel_fc14.nasl
2011-11-08Name : Fedora Update for kernel FEDORA-2011-15241
File : nvt/gb_fedora_2011_15241_kernel_fc14.nasl
2011-10-31Name : Fedora Update for kernel FEDORA-2011-14747
File : nvt/gb_fedora_2011_14747_kernel_fc14.nasl
2011-10-10Name : Fedora Update for kernel FEDORA-2011-12874
File : nvt/gb_fedora_2011_12874_kernel_fc14.nasl
2011-08-27Name : Fedora Update for kernel FEDORA-2011-11103
File : nvt/gb_fedora_2011_11103_kernel_fc14.nasl
2011-08-09Name : CentOS Update for kernel CESA-2010:0792 centos5 i386
File : nvt/gb_CESA-2010_0792_kernel_centos5_i386.nasl
2011-06-24Name : Fedora Update for kernel FEDORA-2011-6447
File : nvt/gb_fedora_2011_6447_kernel_fc13.nasl
2011-06-20Name : Fedora Update for kernel FEDORA-2011-7551
File : nvt/gb_fedora_2011_7551_kernel_fc14.nasl
2011-05-17Name : Fedora Update for kernel FEDORA-2011-6541
File : nvt/gb_fedora_2011_6541_kernel_fc14.nasl
2011-05-10Name : Ubuntu Update for linux-ti-omap4 USN-1119-1
File : nvt/gb_ubuntu_USN_1119_1.nasl
2011-03-15Name : Fedora Update for kernel FEDORA-2011-2134
File : nvt/gb_fedora_2011_2134_kernel_fc13.nasl
2011-03-07Name : Ubuntu Update for linux-lts-backport-maverick vulnerabilities USN-1083-1
File : nvt/gb_ubuntu_USN_1083_1.nasl
2011-02-11Name : Fedora Update for kernel FEDORA-2011-1138
File : nvt/gb_fedora_2011_1138_kernel_fc14.nasl
2010-12-28Name : Fedora Update for kernel FEDORA-2010-18983
File : nvt/gb_fedora_2010_18983_kernel_fc13.nasl
2010-12-23Name : Fedora Update for kernel FEDORA-2010-18506
File : nvt/gb_fedora_2010_18506_kernel_fc13.nasl
2010-12-09Name : Fedora Update for kernel FEDORA-2010-18493
File : nvt/gb_fedora_2010_18493_kernel_fc14.nasl
2010-12-02Name : Fedora Update for kernel FEDORA-2010-16826
File : nvt/gb_fedora_2010_16826_kernel_fc14.nasl
2010-11-16Name : SuSE Update for kernel SUSE-SA:2010:053
File : nvt/gb_suse_2010_053.nasl
2010-11-04Name : RedHat Update for kernel RHSA-2010:0792-01
File : nvt/gb_RHSA-2010_0792-01_kernel.nasl
2010-10-22Name : Ubuntu Update for Linux kernel vulnerabilities USN-1000-1
File : nvt/gb_ubuntu_USN_1000_1.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
69117Linux Kernel net/rds/page.c rds_page_copy_user() Function Local Privilege Esc...

Information Assurance Vulnerability Management (IAVM)

DateDescription
2011-10-27IAVM : 2011-A-0147 - Multiple Vulnerabilities in VMware ESX and ESXi
Severity : Category I - VMSKEY : V0030545

Nessus® Vulnerability Scanner

DateDescription
2014-06-13Name : The remote openSUSE host is missing a security update.
File : suse_11_3_kernel-101026.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0792.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-2009.nasl - Type : ACT_GATHER_INFO
2013-03-09Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1083-1.nasl - Type : ACT_GATHER_INFO
2013-03-08Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1093-1.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20101025_kernel_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20101110_kernel_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2011-10-14Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2011-0012.nasl - Type : ACT_GATHER_INFO
2011-06-13Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1119-1.nasl - Type : ACT_GATHER_INFO
2011-01-21Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_kernel-101102.nasl - Type : ACT_GATHER_INFO
2011-01-21Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_kernel-ec2-101103.nasl - Type : ACT_GATHER_INFO
2010-11-24Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0792.nasl - Type : ACT_GATHER_INFO
2010-11-18Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0842.nasl - Type : ACT_GATHER_INFO
2010-10-29Name : The remote openSUSE host is missing a security update.
File : suse_11_2_kernel-101026.nasl - Type : ACT_GATHER_INFO
2010-10-29Name : The remote Fedora host is missing a security update.
File : fedora_2010-16826.nasl - Type : ACT_GATHER_INFO
2010-10-26Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0792.nasl - Type : ACT_GATHER_INFO
2010-10-20Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1000-1.nasl - Type : ACT_GATHER_INFO