This issue is due to the affected kernel's failure to perform a proper authorization check before permitting access to a privileged function.
Successful exploitation will permit a local attacker to bypass intended IPSec policies, set invalid policies, and cause a denial of service by adding policies until kernel memory is exhausted.
Note that an attacker can use this vulnerability to enhance the exploitation of BID 14477 (Linux Kernel XFRM Array Index Buffer Overflow Vulnerability); that issue requires the ability to add IPSec policies.
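As an added illustration (not code from this advisory, from the referenced distributions, or from the Linux kernel source), the following userspace C model shows the authorization gap described above: one entry point loads a socket policy without consulting the caller's capabilities, while the hardened entry point refuses unless the caller holds CAP_NET_ADMIN, which is the restriction the referenced kernel change introduced. The task structure, the capability bitmask, the bounded policy store standing in for kernel memory, the selector lookup, and every function name here are constructed assumptions, not kernel APIs.

```c
/* Added example, not from the advisory or the Linux kernel: a userspace model of
 * an authorization check gating a privileged function (IPsec socket policy
 * loading). All names, the capability bitmask and the policy store are
 * constructed assumptions for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define CAP_NET_ADMIN_BIT (1u << 12)   /* constructed: one bit stands in for CAP_NET_ADMIN */
#define MAX_POLICIES 8                 /* constructed limit modelling exhaustible kernel memory */

struct task { unsigned int caps; };    /* hypothetical caller with a capability bitmask */

struct xfrm_policy_entry {
    unsigned int src, dst;   /* constructed selector: IPv4 addresses as integers */
    bool bypass;             /* true = traffic matching this selector skips IPsec */
};

static struct xfrm_policy_entry policy_store[MAX_POLICIES];
static size_t policy_count;

/* Clear the simulated policy store between scenarios. */
void reset_policy_store(void) {
    memset(policy_store, 0, sizeof policy_store);
    policy_count = 0;
}

static bool task_capable(const struct task *t, unsigned int cap) {
    return (t->caps & cap) != 0;
}

/* Append a policy entry; returns 0, or -ENOMEM once the store is exhausted. */
static int store_policy(const struct xfrm_policy_entry *p) {
    if (policy_count >= MAX_POLICIES)
        return -ENOMEM;
    policy_store[policy_count++] = *p;
    return 0;
}

/* Vulnerable shape: any local task may load a socket policy. */
int set_policy_unchecked(const struct task *caller, const struct xfrm_policy_entry *p) {
    (void)caller;            /* the caller's privileges are never consulted */
    return store_policy(p);
}

/* Hardened shape: refuse with -EPERM unless the caller holds CAP_NET_ADMIN. */
int set_policy_checked(const struct task *caller, const struct xfrm_policy_entry *p) {
    if (!task_capable(caller, CAP_NET_ADMIN_BIT))
        return -EPERM;
    return store_policy(p);
}

/* Policy evaluation stand-in: the first matching selector decides. */
bool traffic_bypasses_ipsec(unsigned int src, unsigned int dst) {
    for (size_t i = 0; i < policy_count; i++)
        if (policy_store[i].src == src && policy_store[i].dst == dst)
            return policy_store[i].bypass;
    return false;            /* no bypass policy present: traffic stays protected */
}

/* Exhaustion scenario: how many entries an unprivileged task can add through
 * a given entry point before the store reports -ENOMEM (or -EPERM stops it). */
size_t count_until_refused(int (*entry)(const struct task *, const struct xfrm_policy_entry *)) {
    struct task unpriv = { .caps = 0 };
    struct xfrm_policy_entry junk = { .src = 1, .dst = 1, .bypass = false };
    size_t added = 0;
    while (entry(&unpriv, &junk) == 0)
        added++;
    return added;
}
```

Run against an unprivileged task, the unchecked entry point both installs a bypass entry that changes the outcome of traffic_bypasses_ipsec and fills the store to its limit, whereas the checked entry point returns -EPERM before any entry is stored; a task holding the capability bit still succeeds through the checked path.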
Solution:
Please see the referenced advisories for further information:
- Ubuntu Linux has released security advisory USN-169-1 addressing this and other issues.
- This issue has been addressed in Linux kernel 2.6.13-rc7.
- SUSE has released advisory SUSE-SA:2005:050, along with fixes to address various issues in the Linux kernel.
- Red Hat Linux has released advisory RHSA-2005:663-19 to address this and other issues in Red Hat Enterprise Linux 3 operating systems.
- Red Hat has released security advisory RHSA-2005:514-44 addressing this issue for their Desktop and Enterprise editions.
- Mandriva has released advisory MDKSA-2005:218 to address various issues affecting the Linux Kernel.
- Mandriva has released advisory MDKSA-2005:219 to address various issues affecting the Linux Kernel in Mandrake Linux 10.1.
- Conectiva Linux has released security advisory CLSA-2006:1059 addressing this and other issues.
References:
- [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN. (Herbert Xu)
- kernel.org Homepage. (Linux Kernel)
- Linux v2.6.13-rc7 (kernel.org)
- RHSA-2005:514-44 - Updated kernel packages available for Red Hat Enterprise Linu (RedHat)
- RHSA-2005:663-19 - Updated kernel packages available for Red Hat Enterprise Linu (RedHat)