Linux Kernel 2.6.10/2.6.11 Radeon Driver radeon_check_and_fixup_offset race condition

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.7 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel 2.6.10/2.6.11. It has been classified as problematic. This affects the function radeon_check_and_fixup_offset of the component Radeon Driver. The manipulation leads to race condition.
This vulnerability is listed as CVE-2005-0532. The attack must be carried out from within the local network. In addition, an exploit is available.
Upgrading the affected component is recommended.
Details
A vulnerability was found in Linux Kernel 2.6.10/2.6.11 (Operating System). It has been rated as problematic. This issue affects the function radeon_check_and_fixup_offset of the component Radeon Driver. The manipulation with an unknown input leads to a race condition vulnerability. Using CWE to declare the problem leads to CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types.
The bug was discovered 02/24/2005. The weakness was presented 02/15/2005 by Eric Anholt with FreeBSD Team (Website). It is possible to read the advisory at kernel.org. The identification of this vulnerability is CVE-2005-0532 since 02/24/2005. Access to the local network is required for this attack. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known.
After immediately, there has been an exploit disclosed. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 53 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 18598 (Mandrake Linux Security Advisory : kernel (MDKSA-2005:110)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Mandriva Local Security Checks and running in the context l.
Upgrading to version 2.6.11-RC4 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 5 months after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (19329), Tenable (18598), SecurityFocus (BID 12555†), OSVDB (14871†) and Secunia (SA14270†). See VDB-1226, VDB-1227, VDB-1228 and VDB-1224 for similar entries. Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 5.7
VulDB Base Score: 6.3
VulDB Temp Score: 5.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Race conditionCWE: CWE-362
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Access: Public
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 18598
Nessus Name: Mandrake Linux Security Advisory : kernel (MDKSA-2005:110)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 65101
OpenVAS Name: SLES9: Security update for Linux kernel
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Upgrade: Kernel 2.6.11-RC4
Patch: kernel.org
Timeline
12/24/2004 🔍02/15/2005 🔍
02/15/2005 🔍
02/15/2005 🔍
02/15/2005 🔍
02/15/2005 🔍
02/15/2005 🔍
02/15/2005 🔍
02/21/2005 🔍
02/24/2005 🔍
02/24/2005 🔍
05/02/2005 🔍
06/30/2005 🔍
07/01/2005 🔍
12/18/2005 🔍
07/01/2019 🔍
Sources
Vendor: kernel.orgAdvisory: kernel.org
Researcher: Eric Anholt
Organization: FreeBSD Team
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2005-0532 (🔍)
GCVE (CVE): GCVE-0-2005-0532
GCVE (VulDB): GCVE-100-1223
X-Force: 19329
SecurityFocus: 12555 - Linux Kernel Multiple Local Buffer Overflow And Memory Disclosure Vulnerabilities
Secunia: 14270 - Linux Kernel Memory Disclosure and Privilege Escalation, Less Critical
OSVDB: 14871 - Linux Kernel reiserfs_copy_from_user_to_file_region Function Local Overflow
SecurityTracker: 1013188
Vulnerability Center: 10011 - Linux Kernel Buffer Overflow via the Reiserfs_copy_from_user_to_file_region Function, Medium
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 02/21/2005 12:57Updated: 07/01/2019 13:02
Changes: 02/21/2005 12:57 (99), 07/01/2019 13:02 (7)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.