Linux kernel updates close DoS security holes
Linux kernel 2.6.20.3 fixes two vulnerabilities in the Netfilter code that allowed a system to be brought down and certain filter rules to be bypassed. One of them is a null pointer dereference in net/netfilter/nfnetlink_log.c that leads to a kernel panic; according to the report, sending a specially crafted packet to the system is all that is required to trigger the crash.
Kernel 2.6.20.2 had already fixed a null pointer dereference in the function ipv6_getsockopt_sticky in net/ipv6/ipv6_sockglue.c, which likewise allowed a kernel panic to be provoked. Reports conflict, however, on whether the vulnerability can be exploited remotely as well as locally; US-CERT, for its part, assumes that it can be triggered over the network.
At least the latter hole has already been closed by updated kernel packages from several Linux distributors. Disabling IPv6 also works as a workaround: Suse provides a how-to ("Disabling IPv6 permanently"), and for Red Hat see "How do I disable the IPv6 protocol?".
A further bug, in the function ipv6_conntrack_in in net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c, is moreover said to allow fragmented IPv6 packets to appear to Netfilter as belonging to an "established" connection. This would make it possible to initiate a connection from outside even though the filter rules do not allow it.
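As an added example (not part of the article or of any distributor's tooling), the following POSIX shell script gives an administrator a quick, read-only triage for the three fixes discussed above: it compares the running kernel's version string against the upstream releases 2.6.20.2 and 2.6.20.3, lists which fixes a kernel of that version would lack, and reports whether the IPv6 stack is active on the host (the workaround in the article being to switch it off). The version threshold values, the file locations and the sample if_inet6 line used in the test are taken from or constructed for this example; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article: read-only triage for the kernel
# 2.6.20.2 / 2.6.20.3 fixes and the "IPv6 disabled" workaround.

# Return 0 if dotted version $1 is older than dotted version $2.
# Any non-numeric suffix (e.g. "-1.2925.fc6") is stripped first, and a
# missing trailing field counts as 0, so 2.6.20 is older than 2.6.20.3.
version_older_than() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//').
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//').
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 1        # every field compared equal: not older
        fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Print, one per line, the upstream fixes a kernel of version $1 lacks.
# This is an upstream-version heuristic only: distributor kernels often
# backport fixes without changing the version string.
missing_fixes() {
    v="$1"
    if version_older_than "$v" 2.6.20.2; then
        echo "2.6.20.2: NULL dereference in ipv6_getsockopt_sticky (net/ipv6/ipv6_sockglue.c)"
    fi
    if version_older_than "$v" 2.6.20.3; then
        echo "2.6.20.3: NULL dereference in net/netfilter/nfnetlink_log.c"
        echo "2.6.20.3: fragment handling in ipv6_conntrack_in (nf_conntrack_l3proto_ipv6.c)"
    fi
}

# Return 0 if the IPv6 stack is up, judged by /proc/net/if_inet6 listing at
# least one address. An alternative file path can be passed for testing.
ipv6_active() {
    f="${1:-/proc/net/if_inet6}"
    [ -s "$f" ]
}

# Human-readable report for the running kernel.
report() {
    running=$(uname -r)
    echo "running kernel: $running"
    lacking=$(missing_fixes "$running")
    if [ -n "$lacking" ]; then
        echo "upstream fixes not present by version (check your distributor's advisory):"
        printf '%s\n' "$lacking"
    else
        echo "version is at or beyond 2.6.20.3"
    fi
    if ipv6_active; then
        echo "IPv6 is active: the ipv6_getsockopt_sticky issue is reachable unless patched"
    else
        echo "IPv6 is not active on this host"
    fi
}

report
```

A distributor kernel such as the Fedora 2.6.20-1.2925.fc6 package named in the links below will be flagged by the version comparison even though it carries the fix, so treat the output as a prompt to read the vendor advisory rather than as a verdict.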
- ChangeLog-2.6.20.3, ChangeLog of Kernel.org
- Linux Kernel vulnerable to DoS via the ipv6_getsockopt_sticky() function, vulnerability note by US-CERT
- Fedora Core 6 Update: kernel-2.6.20-1.2925.fc6, security report by Fedora
(ehe)