Bug 105103 (CVE-2005-2555)

Summary: VUL-0: CVE-2005-2555: kernel: missing CAP_NET_ADMIN restrictions on socket policy access
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-2555: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: sockpolicy-restrict.patch

Description Ludwig Nussel 2005-08-17 06:54:53 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Tue, 16 Aug 2005 22:04:54 +0200
From: Martin Pitt <martin.pitt@ubuntu.com>
To: Vendor Security <vendor-sec@lst.de>
Subject: [vendor-sec] Fwd: Re: CAN request for kernel priv escalation

Hi!

FYI.

Martin

----- Forwarded message from "Steven M. Christey" <coley@linus.mitre.org> -----

Date: Tue, 16 Aug 2005 13:16:56 -0400 (EDT)
From: "Steven M. Christey" <coley@linus.mitre.org>
To: Martin Pitt <martin.pitt@ubuntu.com>
Cc: cve@mitre.org
Subject: Re: CAN request for kernel priv escalation


On Tue, 16 Aug 2005, Martin Pitt wrote:

> While preparing updated kernels for CAN-2005-2456, Herbert Xu
> discovered that the setting of socket policies was not restricted at
> all:
>
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2

Use CAN-2005-2555

======================================================
Candidate: CAN-2005-2555
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2555
Reference: CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
Reference: CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2

Linux kernel 2.6.x does not properly restrict socket policy access to
users with the CAP_NET_ADMIN capability, which could allow local users
to conduct unauthorized activities via (1) ipv4/ip_sockglue.c and (2)
ipv6/ipv6_sockglue.c.



- Steve

----- End forwarded message -----

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
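
A check for the restriction described in the CVE text above, added here as an example (not code from this bug report or from the kernel patch): it asks whether an unprivileged process is refused before a socket policy request is parsed. It assumes `IP_XFRM_POLICY` is one of the affected socket policy options and that a refused caller sees `EPERM`; the page names neither, and the function names are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_XFRM_POLICY
#define IP_XFRM_POLICY 17        /* value from linux/in.h */
#endif
#define CAP_NET_ADMIN_BIT 12     /* CAP_NET_ADMIN in linux/capability.h */

enum verdict { ENFORCED, NOT_ENFORCED, INCONCLUSIVE };

/* Parse the "CapEff:" line of /proc/<pid>/status text.
 * Returns 1 if CAP_NET_ADMIN is effective, 0 if not, -1 if the line is missing. */
int has_cap_net_admin(const char *status_text) {
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return -1;
    return (int)((strtoull(p + 7, NULL, 16) >> CAP_NET_ADMIN_BIT) & 1);
}

/* Interpret the result of setsockopt(IP_XFRM_POLICY) made by the probing process. */
enum verdict classify(int has_cap, int rc, int err) {
    if (has_cap != 0) return INCONCLUSIVE;           /* privileged or unknown: gate not exercised */
    if (rc == -1 && err == EPERM) return ENFORCED;   /* refused before the policy was parsed */
    if (rc == -1 && err == ENOPROTOOPT) return INCONCLUSIVE; /* option not supported here */
    return NOT_ENFORCED;                             /* request got past the capability gate */
}

/* Send a zeroed, deliberately invalid buffer: only the error code matters. */
enum verdict probe(void) {
    char status[4096], junk[64] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return INCONCLUSIVE;
    size_t n = fread(status, 1, sizeof status - 1, f);
    status[n] = '\0';
    fclose(f);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return INCONCLUSIVE;
    int rc = setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, junk, sizeof junk);
    int err = errno;
    close(fd);
    return classify(has_cap_net_admin(status), rc, err);
}

int main(void) {
    static const char *names[] = { "enforced", "NOT enforced", "inconclusive" };
    printf("CAP_NET_ADMIN gate on IP_XFRM_POLICY: %s\n", names[probe()]);
    return 0;
}
```

Run it as an ordinary user; as root, or in any process that holds CAP_NET_ADMIN, the result is "inconclusive" by design.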
Comment 1 Marcus Meissner 2005-08-17 07:17:22 UTC
Created attachment 46233
sockpolicy-restrict.patch

git extract
Comment 2 Olaf Kirch 2005-08-17 09:14:30 UTC
Karsten, can you apply this to all trees, please? Thanks! 
Comment 3 Karsten Keil 2005-08-17 12:02:15 UTC
All 2.6 trees I think, I did find the policy stuff in our 2.4 versions?
Comment 4 Olaf Kirch 2005-08-17 12:07:40 UTC
Right, none of this existed in 2.4 
Comment 5 Karsten Keil 2005-08-17 12:51:31 UTC
HEAD (SL10) - already here  
SLES9.SP3 - done  
SLES9.SP2/9.1 - done 
9.3 done 
9.2 done 
 
hope I didn't forget one.
 
Comment 6 Karsten Keil 2005-08-17 15:20:16 UTC
So my part is done. 
Comment 7 Marcus Meissner 2005-08-19 09:00:21 UTC
thanks!  
 
-> meissner for tracking 
Comment 8 Marcus Meissner 2005-09-01 14:42:25 UTC
updates released + advisory 
Comment 9 Thomas Biege 2009-10-13 20:37:42 UTC
CVE-2005-2555: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)