Aug

Linux Kernel Bug: Bug 516949 – (CVE-2009-2692)

Rai

Linux

Release Found: Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG.

Problem

The flaw identified by CVE-2009-2692 (Red Hat Bugzilla bug 516949) describes an issue in the SOCKOPS_WRAP macro in the Linux kernel, versions 2.4.4 and later, and 2.6.0 and later. This macro did not initialize the sendpage operation in the proto_ops structure correctly. This flaw was addressed via the upstream git commits c18d0fe5 for the 2.4 kernel, and e6949583 for the 2.6 kernel. On systems without these patches, this flaw can lead to a local denial of service or privilege escalation.

This issue has been rated as having important security impact by the Red Hat Security Response Team.

Mitigation

Future updates will address this flaw for Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG. Until these updates are released, it is possible to reduce the risk and mitigate this flaw by blacklisting the kernel modules of the affected protocols.

The mitigation steps outlined below will not work if the modules are already loaded. If the modules are loaded and cannot be removed, for example, via “modprobe -r”, a reboot will be required before the changes take effect.

The “install” command is used to direct the system to run the “/bin/true” command instead of inserting the modules if they are called:

Red Hat Enterprise Linux 3

Add the following entry to the end of the /etc/modules.conf file:

install bluez /bin/true

Note: the kernel-unsupported package provides the bluez module. This module is not available if you do not have kernel-unsupported installed.

Red Hat Enterprise Linux 4 and 5

Add the following entries to the end of the /etc/modprobe.conf file:

install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true

The sctp module cannot be unloaded from a running kernel if the module is already loaded; therefore, the above changes for /etc/modprobe.conf on Red Hat Enterprise Linux 4 and 5 require a reboot to take effect.

Red Hat Enterprise MRG

Add the following entries to the end of the /etc/modprobe.conf file:

install pppox /bin/true
install bluetooth /bin/true
install appletalk /bin/true
install ipx /bin/true
install sctp /bin/true

The modules listed above are not exhaustive, but should prevent the publicly-circulated exploit for this issue from working correctly, as this is the list of protocols (relevant to Red Hat Enterprise Linux) known to be affected.

More information can be found here.