CVE-2010-2524

The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals.

From the Ubuntu Security Team

David Howells discovered that DNS resolution in CIFS could be spoofed. A local attacker could exploit this to control DNS replies, leading to a loss of privacy and possible privilege escalation.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
linux	10.10 maverick	Not affected
	10.04 LTS lucid	Fixed 2.6.32-25.43
	9.10 karmic	Fixed 2.6.31-22.67
	9.04 jaunty	Ignored
	8.04 LTS hardy	Not affected
	6.06 LTS dapper	Not in release
linux-ec2	10.10 maverick	Ignored end of life
	10.04 LTS lucid	Fixed 2.6.32-309.18
	9.10 karmic	Fixed 2.6.31-307.21
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release
linux-fsl-imx51	10.10 maverick	Not in release
	10.04 LTS lucid	Fixed 2.6.31-608.22
	9.10 karmic	Fixed 2.6.31-112.30
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release
linux-lts-backport-maverick	10.10 maverick	Not in release
	10.04 LTS lucid	Fixed 2.6.35-25.44~lucid1
	9.10 karmic	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release
linux-source-2.6.15	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	9.10 karmic	Not in release
	9.04 jaunty	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not affected

Notes

sbeattie

according to oss-security discussion, git commit 6103335de8afa5d780dcd512abe85c696af7b040 introduced the problem, so 2.6.25-rc1 onwards.

smb

Jaunty *may* be affected, but the problem is that there is no infra- structure for thread credentials, so even if it is possible to back- port the whole thing it would be completely different and prone to be incorrect. That together with the fact that Jaunty is EOL more or less I don't think we should put in much effort there.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
linux	Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7 Karmic: http://chinstrap.myasnchisdf.eu.org/~smb/CVEs/CVE-2010-2524/patches/karmic/linux/0001-CIFS-Fix-a-malicious-redirect-problem-in-the-DNS-looku.txt

Severity score breakdown

Parameter	Value
Base score	7.8 · High
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-1074-1
Linux kernel vulnerabilities
25 February 2011

USN-1083-1
Linux kernel vulnerabilities
3 March 2011

USN-1000-1
Linux kernel vulnerabilities
19 October 2010

USN-1074-2
Linux kernel vulnerabilities
28 February 2011

Other references

https://www.cve.org/CVERecord?id=CVE-2010-2524

Cvss 3 Severity Score