Bug 687812 (CVE-2011-1585) - VUL-0: CVE-2011-1585: kernel: cifs session reuse
Status: RESOLVED FIXED
Alias: CVE-2011-1585
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P5 - None; Severity: Normal
Target Milestone: ---
Deadline: 2011-08-08
Assignee: Forgotten User b5BnQSUi71
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/44698/
Whiteboard: maint:released:sle10-sp4:40821 maint:...
Keywords:
Depends on: 683282
Blocks:
Reported: 2011-04-15 09:46 UTC by Ludwig Nussel
Modified: 2020-07-29 05:53 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2011-04-15 09:46:05 UTC
When one user has mounted a cifs share that requires authentication,
another user could mount the same share without knowing the
correct password. The following kernel commits fix that:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4ff67b720c02c36e54d55b88c2931879b7db1cd2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fc87a40677bbe0937e2ff0642c7e83c9a4813f3d
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2

A way to exploit this would be through mount.cifs if it's
installed setuid root.
Comment 1 Forgotten User b5BnQSUi71 2011-04-18 05:05:47 UTC
I guess nothing more is required as the fixes have already been committed to required branches - or did I miss any branch or something?
Comment 2 Sebastian Krahmer 2011-04-18 07:11:06 UTC
CVE-2011-1585
Comment 3 Ludwig Nussel 2011-04-18 09:33:11 UTC
(In reply to comment #1)
> I guess nothing more is required as the fixes have already been committed to
> required branches - or did I miss any branch or something?

All done from your side then.

Do you know of any exploit vector besides making mount.cifs setuid root?
I don't consider the original report of having a shared root account a security issue as a malicious root could do anything anyways.
Comment 4 Forgotten User b5BnQSUi71 2011-04-18 12:12:19 UTC
No, that is the only exploit vector possible. Without root access and setuid root mount.cifs, it should not be possible for a normal user to steal/share an existing session of another user.
Comment 5 Forgotten User b5BnQSUi71 2011-04-22 11:19:15 UTC
Marking it FIXED as the fixes have gone in already.
Comment 6 Marcus Meissner 2011-05-19 12:25:12 UTC
We have just released a kernel update for SUSE Linux Enterprise 10 SP4 that mentions/fixes this bug. The released version is 2.6.16.60-0.87.1.
Comment 7 Swamp Workflow Management 2011-05-19 13:59:11 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ppc)
SLE-SDK 10-SP4 (ppc)
SLE-SERVER 10-SP4 (ppc)
Comment 8 Swamp Workflow Management 2011-05-19 14:18:28 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ia64)
SLE-SDK 10-SP4 (ia64)
SLE-SERVER 10-SP4 (ia64)
Comment 9 Swamp Workflow Management 2011-05-19 15:09:43 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (x86_64)
SLE-DESKTOP 10-SP4 (x86_64)
SLE-SDK 10-SP4 (x86_64)
SLE-SERVER 10-SP4 (x86_64)
Comment 10 Swamp Workflow Management 2011-05-19 15:15:58 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (s390x)
SLE-SERVER 10-SP4 (s390x)
Comment 11 Swamp Workflow Management 2011-05-19 15:35:43 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386)
SLE-DESKTOP 10-SP4 (i386)
SLE-SDK 10-SP4 (i386)
SLE-SERVER 10-SP4 (i386)
Comment 12 Michal Hocko 2011-06-29 10:08:42 UTC
Pushed to SLES10-SP3-TD branch as well.
Comment 13 Swamp Workflow Management 2011-08-01 11:35:49 UTC
The SWAMPID for this issue is 42440.
This issue was rated as important.
Please submit fixed packages until 2011-08-08.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 14 Marcus Meissner 2011-08-12 09:27:25 UTC
We just released a kernel update for SUSE Linux Enterprise 10 SP4 that
mentions/fixes this bug. The released kernel version is 2.6.16.60-0.89.1.
Comment 15 Swamp Workflow Management 2011-08-12 10:58:53 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ppc)
SLE-SDK 10-SP4 (ppc)
SLE-SERVER 10-SP4 (ppc)
Comment 16 Swamp Workflow Management 2011-08-12 11:24:22 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (x86_64)
SLE-DESKTOP 10-SP4 (x86_64)
SLE-SDK 10-SP4 (x86_64)
SLE-SERVER 10-SP4 (x86_64)
Comment 17 Swamp Workflow Management 2011-08-12 11:37:26 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ia64)
SLE-SDK 10-SP4 (ia64)
SLE-SERVER 10-SP4 (ia64)
Comment 18 Swamp Workflow Management 2011-08-12 11:43:34 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (s390x)
SLE-SERVER 10-SP4 (s390x)
Comment 19 Swamp Workflow Management 2011-08-12 12:30:03 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386)
SLE-DESKTOP 10-SP4 (i386)
SLE-SDK 10-SP4 (i386)
SLE-SERVER 10-SP4 (i386)
Comment 20 Marcus Meissner 2011-09-20 14:35:20 UTC
We just released a kernel update for SUSE Linux Enterprise 10 SP3 that
mentions/fixes this bug. The released kernel version is 2.6.16.60-0.83.2.
Comment 21 Swamp Workflow Management 2011-09-20 16:14:11 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (ia64)
SLE-SDK 10-SP3 (ia64)
SLE-SERVER 10-SP3 (ia64)
Comment 22 Swamp Workflow Management 2011-09-20 17:14:56 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386)
SLE-SDK 10-SP3 (i386)
SLE-SERVER 10-SP3 (i386)
Comment 23 Swamp Workflow Management 2011-09-20 17:28:48 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (ppc)
SLE-SDK 10-SP3 (ppc)
SLE-SERVER 10-SP3 (ppc)
Comment 24 Swamp Workflow Management 2011-09-20 18:07:22 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (x86_64)
Comment 25 Swamp Workflow Management 2011-09-20 18:14:25 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (s390x)
SLE-SERVER 10-SP3 (s390x)
Comment 26 Swamp Workflow Management 2015-04-30 19:07:23 UTC
SUSE-SU-2015:0812-1: An update that fixes 39 vulnerabilities is now available.

Category: security (important)
Bug References: 677286,679812,681175,681999,683282,685402,687812,730118,730200,738400,758813,760902,769784,823260,846404,853040,854722,863335,874307,875051,880484,883223,883795,885422,891844,892490,896390,896391,896779,902346,907818,908382,910251,911325
CVE References: CVE-2011-1090,CVE-2011-1163,CVE-2011-1476,CVE-2011-1477,CVE-2011-1493,CVE-2011-1494,CVE-2011-1495,CVE-2011-1585,CVE-2011-4127,CVE-2011-4132,CVE-2011-4913,CVE-2011-4914,CVE-2012-2313,CVE-2012-2319,CVE-2012-3400,CVE-2012-6657,CVE-2013-2147,CVE-2013-4299,CVE-2013-6405,CVE-2013-6463,CVE-2014-0181,CVE-2014-1874,CVE-2014-3184,CVE-2014-3185,CVE-2014-3673,CVE-2014-3917,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-5471,CVE-2014-5472,CVE-2014-9090,CVE-2014-9322,CVE-2014-9420,CVE-2014-9584,CVE-2015-2041
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    kernel-bigsmp-2.6.16.60-0.132.1, kernel-debug-2.6.16.60-0.132.1, kernel-default-2.6.16.60-0.132.1, kernel-kdump-2.6.16.60-0.132.1, kernel-kdumppae-2.6.16.60-0.132.1, kernel-smp-2.6.16.60-0.132.1, kernel-source-2.6.16.60-0.132.1, kernel-syms-2.6.16.60-0.132.1, kernel-vmi-2.6.16.60-0.132.1, kernel-vmipae-2.6.16.60-0.132.1, kernel-xen-2.6.16.60-0.132.1, kernel-xenpae-2.6.16.60-0.132.1
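
A triage check for the situation this thread describes, as an added example that is not part of the original bug report: it compares a SLE 10 kernel release string against the update versions announced in comments 6 and 20 and checks whether the mount.cifs helper is setuid root, the one vector named in comment 4. The function names, the `sp3`/`sp4` argument, the `/sbin/mount.cifs` path, and treating the announced releases as the first fixed builds are assumptions.

```shell
#!/bin/sh
# Added example: triage a SLE 10 host for CVE-2011-1585 exposure.
# Thresholds are the kernel releases quoted in this bug's comments (assumed
# to be the first fixed builds for each service pack).

# fixed_release SP: print the release the thread announces for sp3 or sp4.
fixed_release() {
    case "$1" in
        sp3) echo "2.6.16.60-0.83.2" ;;
        sp4) echo "2.6.16.60-0.87.1" ;;
        *)   return 1 ;;
    esac
}

# ver_ge A B: succeed when numeric version A >= B (fields split on '.' and '-').
ver_ge() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for want in $b; do
        have=${1:-0}
        [ "$have" -gt "$want" ] && return 0
        [ "$have" -lt "$want" ] && return 1
        [ $# -gt 0 ] && shift
    done
    return 0
}

# setuid_root FILE: succeed when FILE has the setuid bit and is owned by uid 0.
setuid_root() {
    [ -u "$1" ] || return 1
    [ "$(ls -ldn "$1" | awk '{print $3}')" = "0" ]
}

# cifs_exposure RELEASE SP HELPER: print patched | unpatched | exposed.
cifs_exposure() {
    fixed=$(fixed_release "$2") || { echo "unknown-sp"; return 2; }
    # Drop the kernel flavor suffix such as "-default" or "-xenpae".
    rel=$(printf '%s' "$1" | sed 's/-[a-z][a-z0-9]*$//')
    if ver_ge "$rel" "$fixed"; then echo "patched"
    elif setuid_root "$3"; then echo "exposed"
    else echo "unpatched"
    fi
}

# Usage on a live host (service pack supplied by the operator; path assumed):
#   cifs_exposure "$(uname -r)" sp4 /sbin/mount.cifs
```

`exposed` means an unpatched kernel together with a setuid-root helper; `unpatched` means the kernel predates the announced update but the helper is not setuid root.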