NetBSD and OpenBSD USER_LDT validation

user-ldt-validation (6222)

High Risk

Description:

NetBSD could allow a local attacker to gain elevated privileges and execute arbitrary code on the system, due to a vulnerability in the USER_LDT validation. This vulnerability is only present when the USER_LDT kernel configuration option is enabled in the GENERIC and GENERIC_LAPTOP kernel configurations shipped with NetBSD releases.

Platforms Affected:

• NetBSD, NetBSD 1.4
• NetBSD, NetBSD 1.5
• OpenBSD, OpenBSD 2.8

Remedy:

For NetBSD releases prior to NetBSD 1.4:
Upgrade to the latest version of NetBSD (1.4.3 or later), as listed in NetBSD Security Advisory 2001-002. See References.

For NetBSD-current prior to 2001-01-17:
Upgrade to the latest version of NetBSD (NetBSD-current dated 2001-01-17 or later), as listed in NetBSD Security Advisory 2001-002. See References.

For NetBSD-release-1.4:
Upgrade to the latest version of NetBSD (NetBSD-release-1.4 dated 2001-01-18 or later), as listed in NetBSD Security Advisory 2001-002. See References.

For NetBSD-release-1.5 prior to 2001-01-18:
Upgrade to the latest version of NetBSD (NetBSD-release-1.5 dated 2001-01-18 or later), as listed in NetBSD Security Advisory 2001-002. See References.

For OpenBSD, apply source code patches from the vendor. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

• NetBSD Security Advisory 2001-002, Vulnerability in x86 USER_LDT validation at http://online.securityfocus.com/archive/1/163528.
• OpenBSD FTP site, USER_LDT source patch at ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/i386/022_userltd.patch.
• OpenBSD Security Fix: Mar 2, 2001, The USER_LDT kernel option allows an attacker to gain access to privileged areas of kernel memory. at http://www.openbsd.org/errata28.html#userldt.
• BID-2739: Multiple Vendor Call Gate Creation Input Validation Vulnerability
• CVE-2001-0268: The i386_set_ldt system call in NetBSD 1.5 and earlier, and OpenBSD 2.8 and earlier, when the USER_LDT kernel option is enabled, does not validate a call gate target, which allows local users to gain root privileges by creating a segment call gate in the Local Descriptor Table (LDT) with a target that specifies an arbitrary kernel address.
• OSVDB ID: 6141: Multiple BSD USER_LDT Kernel Option Memory Access
• US-CERT VU#358960: BSD i386_set_ldt syscall does not appropriately validate call gate targets

Reported:

Feb 16, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page