Bug 776925 (CVE-2012-3520) - VUL-1: CVE-2012-3520: kernel-source: netlink msg spoofing
Summary: VUL-1: CVE-2012-3520: kernel-source: netlink msg spoofing
Status: RESOLVED FIXED
Alias: CVE-2012-3520
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-22 12:28 UTC by Matthias Weckbecker
Modified: 2020-01-21 15:53 UTC
CC: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Matthias Weckbecker 2012-08-22 12:28:55 UTC
It has recently been reported [1] that programs that trust 'SCM_CREDENTIALS'
in order to e.g. perform privileged tasks, could potentially be tricked into
accepting spoofed messages via a flaw in the netlink code.

An upstream commit to address this flaw is available at [2].

[1] http://seclists.org/oss-sec/2012/q3/271
[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=e0e3cea46d31
Comment 3 Matthias Weckbecker 2012-08-22 12:37:09 UTC
None of our enterprise products are affected by this flaw. Please confirm.
Comment 4 Marcus Meissner 2012-08-22 13:00:25 UTC
Correct. This was introduced post 3.0, so it does not affect SLES 11 SP2 or earlier SLE products.

So affected: openSUSE 12.1 and 12.2.
Comment 5 Matthias Weckbecker 2012-08-22 13:01:05 UTC
[2] mentions NetworkManager as well as avahi to be among the applications
which might accept such crafted messages.

After a quick peek I believe that udevd would be an additional candidate.
Revival of CVE-2009-1185 possibly.
Comment 6 Matthias Weckbecker 2012-08-22 13:02:01 UTC
Thanks, Marcus!
Comment 7 Matthias Weckbecker 2012-08-23 08:36:54 UTC
(In reply to comment #5)
> After a quick peek I believe that udevd would be an additional candidate.
> Revival of CVE-2009-1185 possibly.

I had a closer look into udev out of curiosity. Theoretically, it would be
affected too. However, it does fortunately check nl_pid (man 7 netlink) to
be 0. So it's safe.
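The nl_pid check discussed in comments 5 and 7, as an added example (this is illustrative code written for this page, not code from the bug report, the kernel commit, udev, NetworkManager, avahi or any SUSE package; the function names and the constructed in-memory message are assumptions made here). A netlink receiver has two independent signals about the sender: the source address from recvmsg(), where kernel-generated messages carry nl_pid == 0 and user-space sockets always get a non-zero port id, and the SCM_CREDENTIALS control message delivered once SO_PASSCRED is set, where kernel-generated messages carry pid/uid/gid 0. Between the commit named in comment 8 (v3.2-rc1) and the fix (v3.6-rc3) only the second signal was spoofable, so a listener that requires both stays safe on either kernel:

```c
/* Added example, not code from the bug report, the kernel commit, udev or any
 * SUSE package: origin checks a netlink (e.g. uevent) listener should apply.
 *
 * Two independent signals are available to the receiver:
 *  1. the source address filled in by recvmsg(): kernel-generated messages
 *     carry nl_pid == 0, user-space netlink sockets always get a non-zero
 *     port id (the check udev relies on);
 *  2. the SCM_CREDENTIALS cmsg delivered once SO_PASSCRED is set: kernel-
 *     generated messages carry pid/uid/gid == 0.
 * Before commit e0e3cea46d31 signal 2 was spoofable on v3.2..v3.6-rc2: a
 * user-space sender that attached no credentials showed up with an all-zero
 * ucred. Signal 1 was never affected, so requiring both is safe either way.
 */
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* 1 if the message originated in the kernel, 0 otherwise. Both the source
 * address and the credentials must say "kernel"; missing creds are rejected. */
int netlink_msg_from_kernel(const struct sockaddr_nl *src, const struct ucred *cred)
{
    if (src == NULL || src->nl_family != AF_NETLINK || src->nl_pid != 0)
        return 0;
    if (cred == NULL)
        return 0;
    return cred->pid == 0 && cred->uid == 0 && cred->gid == 0;
}

/* Pull SCM_CREDENTIALS out of a received msghdr. Returns 1 and fills *out
 * when present, 0 when none was delivered (sender attached none, or
 * SO_PASSCRED is not set on the socket). */
int netlink_get_creds(struct msghdr *msg, struct ucred *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS &&
            c->cmsg_len >= CMSG_LEN(sizeof(struct ucred))) {
            memcpy(out, CMSG_DATA(c), sizeof(struct ucred));
            return 1;
        }
    }
    return 0;
}

/* Open a NETLINK_KOBJECT_UEVENT listener with credential passing enabled;
 * multicast group 1 is where the kernel publishes uevents. Returns fd or -1. */
int open_uevent_socket(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_KOBJECT_UEVENT);
    if (fd < 0)
        return -1;
    int on = 1;
    struct sockaddr_nl me = { .nl_family = AF_NETLINK, .nl_groups = 1 };
    if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0 ||
        bind(fd, (struct sockaddr *)&me, sizeof(me)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed input: an in-memory msghdr shaped like what recvmsg() returns
 * (source address plus one SCM_CREDENTIALS cmsg), so the checks can be
 * exercised without a live socket or root. */
struct fake_msg {
    struct sockaddr_nl addr;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(struct ucred))]; } ctl;
    struct msghdr msg;
};

static void build_fake(struct fake_msg *f, unsigned int nl_pid, pid_t pid, uid_t uid, gid_t gid)
{
    memset(f, 0, sizeof(*f));
    f->addr.nl_family = AF_NETLINK;
    f->addr.nl_pid = nl_pid;
    f->msg.msg_name = &f->addr;
    f->msg.msg_namelen = sizeof(f->addr);
    f->msg.msg_control = f->ctl.buf;
    f->msg.msg_controllen = sizeof(f->ctl.buf);
    struct cmsghdr *c = CMSG_FIRSTHDR(&f->msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof(struct ucred));
    struct ucred u = { .pid = pid, .uid = uid, .gid = gid };
    memcpy(CMSG_DATA(c), &u, sizeof(u));
}

/* Run both checks over a constructed message: what a listener would decide
 * for a message with this source port id and these credentials. */
int check_origin(unsigned int nl_pid, pid_t pid, uid_t uid, gid_t gid)
{
    struct fake_msg f;
    struct ucred cred;
    build_fake(&f, nl_pid, pid, uid, gid);
    if (!netlink_get_creds(&f.msg, &cred))
        return 0;
    return netlink_msg_from_kernel((struct sockaddr_nl *)f.msg.msg_name, &cred);
}
```

The case that matters for this CVE is a message whose credentials are all zero but whose source port id is not: that is exactly what an unprivileged sender looked like on an unfixed kernel, and the address check rejects it on its own. A program that trusted only the ucred, as the commit message says NetworkManager and avahi did, would have accepted it.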
Comment 8 Benjamin Poirier 2012-09-21 20:35:56 UTC
Seems like the fix didn't make the cut for 3.4.11. I think it will be
included in the next stable kernel, but in the meantime, here it is.

---

Patch-mainline: v3.6-rc3
Git-commit: e0e3cea46d31d23dc40df0a49a7a2c04fe8edfea
            af_netlink: force credentials passing [CVE-2012-3520]

Introduced in v3.2-rc1 by
16e5726 af_unix: dont send SCM_CREDENTIALS by default

SLES10_SP4_BRANCH
SLE11-SP1-LTSS
SLE11-SP2
openSUSE-12.1
	all unaffected
openSUSE-12.2
	applied patches.fixes/af_netlink-force-credentials-passing-CVE-2012-3520.patch
Comment 9 Swamp Workflow Management 2012-10-12 14:10:37 UTC
openSUSE-SU-2012:1330-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 762693,765230,771392,772566,772831,772923,773406,774523,774859,776925,778630,779432,780624,781134
CVE References: CVE-2012-3412,CVE-2012-3520
Sources used:
openSUSE 12.2 (src):    kernel-docs-3.4.11-2.16.2, kernel-source-3.4.11-2.16.1, kernel-syms-3.4.11-2.16.1
Comment 10 Marcus Meissner 2012-10-25 21:56:08 UTC
ok, thanks!
Comment 11 Swamp Workflow Management 2013-02-09 14:06:02 UTC
openSUSE-SU-2013:0261-1: An update that solves one vulnerability and has 14 fixes is now available.

Category: security (moderate)
Bug References: 569991,770763,771392,773831,774859,776925,778630,780624,781327,783615,783965,784192,792500,793671,799209
CVE References: CVE-2012-3520
Sources used:
openSUSE 12.2 (src):    kernel-docs-3.4.28-2.20.2, kernel-source-3.4.28-2.20.1, kernel-syms-3.4.28-2.20.1