Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:8212
HistoryApr 03, 2005 - 12:00 a.m.

Information leak in the Linux kernel ext2 implementation

2005-04-0300:00:00
vulners.com
21

EPSS

0

Percentile

10.1%

Description: Information leak in the Linux kernel ext2 implementation
References: CAN-2005-0400
Authors: Mathieu Lafon <[email protected]>
Romain Francoise <[email protected]>

Arkoon Security Team Advisory - March 25, 2005
http://arkoon.net/advisories/ext2-make-empty-leak.txt
Revision: 1.0

  1. Description

    The function ext2_make_empty() used in the Linux implementation of
    the ext2 filesystem is vulnerable to an information leak. Upon
    directory creation, a new block is obtained from kernel memory to
    store the initial directory entries ('.' and '…'). This block is
    used and written to disk uninitialized, leading to an information
    leak in the block's slack space.

    Depending on block size, up to 4072 (4096 - 2 * 12) bytes of kernel
    memory can be leaked on each directory creation. This quantity
    then decreases when additional entries are added to the directory
    block.

    Note: since the ext2 implementation uses the dir-in-pagecache
    design, any part of kernel memory is susceptible to be leaked, not
    only old disk/filesystem data.

  2. Impact

    Leaked kernel memory can be found in ext2 filesystems; either on
    hard drives, removable media (USB thumb drives, flash cards),
    initrd images, UML filesystem images, etc…

    A quick scan reveals that most ext2 images found on the Internet
    contain information that was not meant to be distributed (ranging
    from xterm scrollback data to email tidbits).

  3. Affected versions

    Linux 2.4.x series: all versions up to 2.4.29 (fixed in 2.4.30-rc2)
    Linux 2.6.x series: all versions up to 2.6.11.5 (fixed in 2.6.11.6)

  4. Vendor response

    This vulnerability was acknowledged by the Kernel Security Team
    ([email protected]) and fixed in versions 2.4.30-rc2 and 2.6.11.6.

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the name CAN-2005-0400 to this issue.

  5. Timeline

    03/15/2005 - Vulnerability discovered
    03/16/2005 - Vulnerability details sent to [email protected]
    03/16/2005 - Vulnerability confirmed by kernel maintainers
    03/25/2005 - Linux 2.6.11.6 released with fix
    03/25/2005 - Linux 2.4.30-rc2 released with fix
    04/01/2005 - Public disclosure

  6. Credits

    This vulnerability was discovered by Romain Francoise and Mathieu
    Lafon of the Arkoon Security Team (http://www.arkoon.com/&#41;.

    Thanks to Andrew Morton, Marcelo Tosatti, Linus Torvalds, Alan Cox
    and Chris Wright for their quick response.

  7. About us

    Arkoon Network Security's Security Team provides security
    intelligence to Arkoon's departments, partners and clients, and to
    the security community at large.

    For further information, see http://www.arkoon.com/.

  8. Legal notices

    Copyright (C) 2005 Arkoon Network Security

    Disclaimer: this document and all information therein are provided
    "as is" without warranty of any kind, whether express or implied.

    Arkoon Network Security does not warrant or assume any legal
    liability or responsibility for the accuracy or completeness of
    this information, nor for the possible damage caused by the use of
    it.

EPSS

0

Percentile

10.1%