Linux kernel contains race condition via ptrace/procfs/execve

Overview

Unprivileged local users can use the ptrace function to take advantage of a privileged program, while that program is performing a privileged operation, to gain privileged access.

Description

Ptrace is a function, which is often used for debugging, that allows one process to attach to another and monitor or modify its execution state and memory. This vulnerability exploits a race condition that allows an attacker to use ptrace, or similar function (procfs), to attach to and, thus, modify a running setuid process. This enables the attacker to execute arbitratry code with elevated (root) privilege. Linux kernel version 2.2.18 or before are vulnerable to this flaw. Any Linux product that is dependent on this kernel is, therefore, vulnerable.

---

Impact

Unprivileged local users can gain privileged (root) access.

---

Solution

Upgrade the Linux kernel to version 2.2.19 or later. The release notes for Linux 2.2.19 at <http://www.linux.org.uk/VERSION/relnotes.2219.html&gt; describe the security fix. For users of specific Linux vendors, use the vendor-specific upgrades for convenience and consistency.

---

Vendor Information

176888

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Caldera __ Affected

Notified: April 03, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera provides a fix to this vulnerability at <http://www.caldera.com/support/security/advisories/CSSA-2001-012.0.txt&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

Conectiva __ Affected

Notified: April 19, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva’s fix for this vulnerability is at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000394.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

Debian __ Affected

Notified: April 16, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian provides a fix to this vulnerability at <http://www.debian.org/security/2001/dsa-047&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

Immunix __ Affected

Notified: March 26, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Immunix provides a fix to this vulnerability at <http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-010-01&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

MandrakeSoft __ Affected

Notified: April 17, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft’s fix for this vulnerability is at <http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-037.php3?dis=7.0&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

NetBSD __ Affected

Notified: June 15, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NetBSD has published Security Advisory 2001-009 to address this issue. For more information, please see

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-009.txt.asc

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

Progency Linux Systems __ Affected

Notified: April 10, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Progency Linux Systems provides a fix for this vulnerability at <http://www.securityfocus.com/advisories/3206&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

Red Hat __ Affected

Notified: April 10, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat provides a fix for this vulnerability at <http://www.redhat.com/support/errata/RHSA-2001-047.html&gt;. This provides an update of the original announcement, which did not fix the vulnerability, at <http://www.redhat.com/support/errata/RHSA-2001-013.html&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

SuSE __ Affected

Notified: May 17, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE provides a fix to this vulnerability at <http://www.suse.de/de/support/security/2001_018_kernel_txt.html&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

Trustix __ Affected

Notified: April 05, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Trustix provides a fix to this vulnerability at http://www.trustix.net/errata/misc/2001/TSL-2001-0003-kernel.asc.txt.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

Slackware __ Unknown

Updated: May 20, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Wojciech Purczynski, who discovered this vulnerability, reported that Slackware Linux is vulnerable to this flaw.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23176888 Feedback>).

View all 11 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.linux.org.uk/VERSION/relnotes.2219.html&gt;
• <http://www.securityfocus.com/archive/1/171708&gt;
• <http://www.ciac.org/ciac/bulletins/l-076.shtml&gt;

Acknowledgements

Thanks to Wojciech Purczynski for discovering this vulnerability.

This document was written by Andrew P. Moore.

Other Information

CVE IDs:	CVE-2001-0317
Severity Metric:	25.99 Date Public: