-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2011-0021

Multiple Linux Kernel Vulnerabilities [1,2,3]

Version history:
25.11.2011 Initial publication

Summary
=======
The Linux kernel is prone to multiple 'hardlink' stack-based buffer-overflow vulnerabilities [1] and multiple integer-overflow vulnerabilities [2] because it fails to properly bounds-check user-supplied input. Specifically, hardlink fails to properly handle deeply nested directories.

Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

The Linux kernel is also prone to an unauthorized-access vulnerability [3]. This issue occurs because the 'kvm_vm_ioctl_assign_device()' function fails to check the privileges of the user requesting the device assignment.

An attacker with authenticated access to the affected application can exploit this issue to load arbitrary modules on the affected computer. Failed exploit attempts will cause a denial-of-service condition.

CVE                 CVE-2011-3630(Candidate)[1]
Severity Level[2]:  CVSS2 Base 6.8
Remote              Yes
Local               No
Credibility         Vendor Confirmed
Ease                No Exploit Available
Authentication      Required

CVE                 CVE-2011-3631(Candidate)[2]
Severity Level[2]:  CVSS2 Base 6.8
Remote              Yes
Local               No
Credibility         Vendor Confirmed
Ease                No Exploit Available
Authentication      Not Required

CVE                 CVE-2011-4347(Candidate)[3]
Severity Level[2]:  CVSS2 Base 6.5
Remote              Yes
Local               No
Credibility         Vendor Confirmed
Ease                Exploits Available
Authentication      Required

Potential impact
================

Scenario 1: (CVE-2011-3630 and CVE-2011-3631)

1. An attacker creates a directory tree designed to leverage the issue and to perform some action on their behalf.
2. The attacker sends the information to an unsuspecting victim and entices them to run the hardlink program on the tree.
3. The application fails to properly handle the malformed data, and a buffer is overflowed.

A successful exploit will result in attacker-supplied code running with the privileges of the victim.

Scenario 2: (CVE-2011-4347)

1. An attacker locates a computer running a vulnerable version of the application.
2. The attacker acquires authenticated access to the affected application as a user, with '/dev/kvm' set to mode 666 (readable and writable by every local user).
3. The attacker retains this capability and can then perform privileged actions on the vulnerable system.

Successful exploits may lead to other attacks.
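Scenario 2 depends on '/dev/kvm' being world-writable, so the device node's mode is the thing to audit. The following POSIX shell helper is an added example, not part of the CERT-EU advisory; the function names are my own, and it only reports the mode, it changes nothing.

```shell
#!/bin/sh
# Added example (not from the advisory): audit whether the KVM device node is
# world-writable, the precondition named in scenario 2 for CVE-2011-4347.

# is_world_writable PATH: return 0 if the "other" write bit is set, 1 otherwise.
# Parses the 9th character of `ls -ld` output (other-write), which is portable
# across GNU, BSD and busybox userlands, unlike `stat -c`.
is_world_writable() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# kvm_device_risk [DEV]: print one line describing the exposure of DEV
# (default /dev/kvm). Returns 0 when DEV is absent or not world-writable,
# 1 when any local user can open it and issue KVM ioctls.
kvm_device_risk() {
    dev="${1:-/dev/kvm}"
    if [ ! -e "$dev" ]; then
        echo "OK: $dev not present, KVM is not exposed on this host"
        return 0
    fi
    if is_world_writable "$dev"; then
        echo "WARNING: $dev is world-writable (mode 666 or similar); every local user can reach the KVM ioctl interface (CVE-2011-4347 precondition)"
        return 1
    fi
    echo "OK: $dev is not world-writable"
    return 0
}

# When run as a script, audit this host. The warning is already printed, so
# do not abort on the non-zero status.
kvm_device_risk /dev/kvm || :
```

Run it on each KVM host; a WARNING line means the mode should be tightened (for example to a dedicated group) until the kernel fix is deployed.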

Vulnerable Systems
==================
Among others:

Linux kernel  2.4.x.x - 2.6.x.x
(see references for details [1,2,3])

What can you do?
================

Solutions:

Fixes are available.

What to tell your users?
========================
Normal security best practices apply. In particular, inform your web users to be cautious about following links to sites provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails and should immediately forward such emails to the IT security officer / contact in your institution.

More information
================
[1] https://bugzilla.redhat.com/show_bug.cgi?id=746709
[2] https://bugzilla.redhat.com/show_bug.cgi?id=746710
[3] https://bugzilla.redhat.com/show_bug.cgi?id=756084


Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
