Contributed by weerd on from the evil-ipsec dept.
A bug has been found in the IPsec parts of ip_output.c that can lead to a NULL pointer dereference in getsockopt(). On kernels from before 4.4, this could lead to a local privilege escalation on certain architectures. The currently supported releases, however, protect against this by no longer allowing userland to map the NULL page, so the kernel's dereference faults instead of landing in memory a local user controls, reducing the attack to a local denial of service by panicking the kernel.
Patches are available for OpenBSD 4.6 (patch, errata), OpenBSD 4.5 (patch, errata) and OpenBSD 4.4 (patch, errata). Of course, the fix is already in -current; the commit message for the IPv4 case is reproduced below, and the IPv6 commit is nearly identical. This issue affects all architectures.
Date: Wed, 28 Oct 2009 12:02:01 -0600 (MDT)
From: Theo de Raadt
To: email@example.com
Subject: CVS: cvs.openbsd.org: src

CVSROOT:	/cvs
Module name:	src

Changes by:	firstname.lastname@example.org	2009/10/28 12:02:00

Modified files:
	sys/netinet    : ip_output.c

Log message:
*NULL store in IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL,
IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on
userland/kernel shared vm machines (ie. i386, amd64, arm, sparc (but not
sparc64), sh, ...) on OpenBSD 4.3 or older

ok claudio
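The bug class behind this errata, a socket-option handler that stores the requested value through a pointer which can be NULL, is easier to see in a small userland model. The following C program is an added example, not OpenBSD's ip_output.c nor the actual patch: the struct, the OPT_* option numbers (stand-ins for the IP_*_LEVEL names in the commit message), the sample levels and every function name are constructed here. It places the unchecked store next to a handler that validates its inputs and returns an errno to the caller instead of dereferencing.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of a getsockopt() option handler.  It is NOT OpenBSD's
 * ip_ctloutput(); everything below is invented to show the bug class the
 * errata describes: storing the requested value through a NULL pointer.
 */

/* Stand-ins for the IP_*_LEVEL option names in the commit message. */
enum model_optname {
	OPT_AUTH_LEVEL = 1,
	OPT_ESP_TRANS_LEVEL,
	OPT_ESP_NETWORK_LEVEL,
	OPT_IPCOMP_LEVEL
};

/* Per-socket IPsec levels, indexed by option name (slot 0 unused). */
struct model_sock {
	int seclevel[OPT_IPCOMP_LEVEL + 1];
};

/*
 * Before: the handler trusts that `out` points at an output buffer.  If a
 * code path reaches it with out == NULL, the store hits page zero: a panic
 * where the kernel refuses to let userland map that page, and a privilege
 * boundary problem on the older shared-address-space configurations the
 * commit message lists.  (Calling this with out == NULL crashes, which is
 * the point; the demo helper below only ever calls the checked version.)
 */
int
getopt_level_unchecked(const struct model_sock *so, int optname, int *out)
{
	*out = so->seclevel[optname];
	return 0;
}

/*
 * After: validate every pointer and the option number before storing, and
 * hand back an errno the syscall layer can return to userland.
 */
int
getopt_level_checked(const struct model_sock *so, int optname, int *out)
{
	if (so == NULL || out == NULL)
		return EINVAL;
	if (optname < OPT_AUTH_LEVEL || optname > OPT_IPCOMP_LEVEL)
		return ENOPROTOOPT;
	*out = so->seclevel[optname];
	return 0;
}

/* Sample socket with constructed levels: auth=2, esp_trans=1, esp_net=0, ipcomp=3. */
static const struct model_sock sample_sock = {
	.seclevel = { 0, 2, 1, 0, 3 }
};

/*
 * Looks up `optname` on the sample socket through the checked handler.
 * Returns the level on success, or the negated errno on failure.  With
 * pass_null_out set, the lookup is made with a NULL output buffer, the
 * case the unchecked handler cannot survive.
 */
int
demo_lookup(int optname, int pass_null_out)
{
	int value = -1;
	int err = getopt_level_checked(&sample_sock, optname,
	    pass_null_out ? NULL : &value);

	return err ? -err : value;
}

int
main(void)
{
	printf("ESP transport level: %d\n", demo_lookup(OPT_ESP_TRANS_LEVEL, 0));
	printf("IPCOMP level:        %d\n", demo_lookup(OPT_IPCOMP_LEVEL, 0));
	printf("NULL output buffer:  -errno %d\n", demo_lookup(OPT_AUTH_LEVEL, 1));
	printf("Unknown option:      -errno %d\n", demo_lookup(42, 0));
	return 0;
}
```

The design choice worth carrying over to real kernel code is that the checked handler rejects a missing output buffer and an out-of-range option number before any store, so a caller that forgot to allocate the buffer gets EINVAL back rather than a fault; the mitigation the article mentions (refusing to map the NULL page) only turns the remaining bug into a panic, it does not remove it.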
Please update your systems at your earliest convenience.