search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Linux kernel contains race condition via ptrace/procfs/execve

Vulnerability Note VU#176888

Original Release Date: 2001-07-18 | Last Revised: 2002-05-20

Overview

Unprivileged local users can use the ptrace function to take advantage of a privileged program, while that program is performing a privileged operation, to gain privileged access.

Description

Ptrace is a function, which is often used for debugging, that allows one process to attach to another and monitor or modify its execution state and memory. This vulnerability exploits a race condition that allows an attacker to use ptrace, or similar function (procfs), to attach to and, thus, modify a running setuid process. This enables the attacker to execute arbitratry code with elevated (root) privilege. Linux kernel version 2.2.18 or before are vulnerable to this flaw. Any Linux product that is dependent on this kernel is, therefore, vulnerable.

Impact

Unprivileged local users can gain privileged (root) access.

Solution

Upgrade the Linux kernel to version 2.2.19 or later. The release notes for Linux 2.2.19 at http://www.linux.org.uk/VERSION/relnotes.2219.html describe the security fix. For users of specific Linux vendors, use the vendor-specific upgrades for convenience and consistency.

Vendor Information

176888
 
Expand all

Caldera Affected

Notified:  April 03, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera provides a fix to this vulnerability at http://www.caldera.com/support/security/advisories/CSSA-2001-012.0.txt.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Affected

Notified:  April 19, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva's fix for this vulnerability is at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000394.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Affected

Notified:  April 16, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian provides a fix to this vulnerability at http://www.debian.org/security/2001/dsa-047.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix Affected

Notified:  March 26, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Immunix provides a fix to this vulnerability at http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-010-01.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Affected

Notified:  April 17, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft's fix for this vulnerability is at http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-037.php3?dis=7.0.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD Affected

Notified:  June 15, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NetBSD has published Security Advisory 2001-009 to address this issue. For more information, please see

Progency Linux Systems Affected

Notified:  April 10, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Progency Linux Systems provides a fix for this vulnerability at http://www.securityfocus.com/advisories/3206.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Affected

Notified:  April 10, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat provides a fix for this vulnerability at http://www.redhat.com/support/errata/RHSA-2001-047.html. This provides an update of the original announcement, which did not fix the vulnerability, at http://www.redhat.com/support/errata/RHSA-2001-013.html.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Affected

Notified:  May 17, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE provides a fix to this vulnerability at http://www.suse.de/de/support/security/2001_018_kernel_txt.html.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Affected

Notified:  April 05, 2001 Updated: May 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Trustix provides a fix to this vulnerability at http://www.trustix.net/errata/misc/2001/TSL-2001-0003-kernel.asc.txt.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Unknown

Updated:  May 20, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Wojciech Purczynski, who discovered this vulnerability, reported that Slackware Linux is vulnerable to this flaw.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 11 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Wojciech Purczynski for discovering this vulnerability.

This document was written by Andrew P. Moore.

Other Information

CVE IDs: CVE-2001-0317
Severity Metric: 25.99
Date Public: 2001-03-26
Date First Published: 2001-07-18
Date Last Updated: 2002-05-20 15:54 UTC
Document Revision: 29

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis