CERT-MU Vulnerability Note VN-2008-18
'dell_rbu' Local Denial of Service Vulnerabilities in Linux Kernel
Original Issue Date: January 30, 2009
Severity Rating: Medium
Systems Affected
- Linux Kernel Versions prior to 2.6.27.13
- Linux Kernel 2.6.28.x prior to 2.6.28.2
Overview
Two vulnerabilities have been reported in the Linux kernel that allow a local attacker to cause denial of service conditions.
Description
These vulnerabilities are caused by errors in the "read_rbu_image_type()" and "read_rbu_packet_size()" functions in the drivers/firmware/dell_rbu.c file. A local, unauthenticated attacker could exploit these vulnerabilities by reading zero bytes from /sys/devices/platform/dell_rbu/image_type or /sys/devices/platform/dell_rbu/packet_size to cause a denial of service (DoS).
Solution
Update to version 2.6.27.13 or 2.6.28.2.
Linux 2.6.27.13
Linux 2.6.28.2
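To triage a host against this note, the shell functions below test a kernel release string against the affected ranges listed above and check whether the dell_rbu sysfs nodes are present. This is an added example, not part of the original advisory or of kernel.org material; the function names and result strings are its own.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2009-0322 using only the version
# ranges and sysfs paths given in this advisory. Distribution kernels may
# carry a backported fix under an older version string, so treat a version
# match as a prompt to verify with the vendor, not as proof.

# "2.6.27.9-159.fc10.i686" -> "2 6 27 9" (missing components become 0)
parse_release() {
    base=${1%%[!0-9.]*}                      # keep the leading digits-and-dots run
    set -- $(echo "$base" | tr '.' ' ')
    echo "${1:-0} ${2:-0} ${3:-0} ${4:-0}"
}

# Succeeds if the release is prior to 2.6.27.13, or is 2.6.28.x prior to 2.6.28.2.
in_affected_range() {
    set -- $(parse_release "$1")
    packed=$(( (($1 * 1000 + $2) * 1000 + $3) * 1000 + $4 ))
    [ "$packed" -lt 2006027013 ] && return 0
    [ "$1.$2.$3" = "2.6.28" ] && [ "$4" -lt 2 ] && return 0
    return 1
}

# Succeeds if either sysfs node named in the advisory exists.
# $1: platform device directory (defaults to the live system's).
dell_rbu_present() {
    root=${1:-/sys/devices/platform}
    [ -e "$root/dell_rbu/image_type" ] || [ -e "$root/dell_rbu/packet_size" ]
}

# assess <kernel-release> [platform-dir]
assess() {
    if ! in_affected_range "$1"; then
        echo "not-affected"
    elif dell_rbu_present "${2:-}"; then
        echo "exposed"
    else
        echo "affected-version-driver-absent"
    fi
}

assess "$(uname -r)"
```

A result of "affected-version-driver-absent" means the kernel version is in range but neither sysfs node exists at the time of the check.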
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Vendor Information
kernel.org
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.13
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.2
CVE Name
CVE-2009-0322
References
kernel.org
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.13
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.2
SecurityFocus
http://www.securityfocus.com/bid/33428/
Secunia
http://secunia.com/advisories/33656