CVE-2010-2524

Published: 8 September 2010

The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals.

From the Ubuntu Security Team

David Howells discovered that DNS resolution in CIFS could be spoofed. A local attacker could exploit this to control DNS replies, leading to a loss of privacy and possible privilege escalation.

Notes

Author    Note
sbeattie  according to oss-security discussion, git commit 6103335de8afa5d780dcd512abe85c696af7b040 introduced the problem, so 2.6.25-rc1 onwards.
smb       Jaunty *may* be affected, but the problem is that there is no infrastructure for thread credentials, so even if it is possible to backport the whole thing it would be completely different and prone to be incorrect. That, together with the fact that Jaunty is EOL more or less, I don't think we should put in much effort there.
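The two facts the notes establish, introduced in 2.6.25-rc1 and fixed in 2.6.35 only when CONFIG_CIFS_DFS_UPCALL is built in, are what a host check needs. The script below is an added example for this advisory, not Canonical's tooling or anything from the tracker page: it decides whether a kernel version string falls in the upstream-vulnerable window and, with --run, applies that to the running host by reading the config option from the usual /boot/config-$(uname -r) or /proc/config.gz locations (assumed standard paths). It assumes every 2.6.35-rcN is still vulnerable, since the page only says 2.6.35 carries the fix.

```sh
#!/bin/sh
# Added example for CVE-2010-2524 (not Canonical's tooling): decide whether a
# kernel falls in the upstream-vulnerable window for this bug.
#
# Facts taken from the advisory and notes:
#   - introduced by commit 6103335de8afa5d780dcd512abe85c696af7b040, i.e.
#     2.6.25-rc1 onwards
#   - fixed upstream in 2.6.35 (commit 4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7)
#   - only reachable when CONFIG_CIFS_DFS_UPCALL=y
#
# Assumption: every 2.6.35-rcN is treated as still vulnerable; the page only
# states that 2.6.35 carries the fix.
#
# Caveat: distributions backport fixes without changing the upstream version
# (Ubuntu karmic 2.6.31-22.67 and lucid 2.6.32-25.43 are fixed), so "in the
# window" means "check the package version", not "confirmed vulnerable".

# ver_key VERSION: print "MAJOR MINOR PATCH FINAL"; FINAL is 0 for an -rc
# kernel and 1 for a release, so 2.6.35-rc3 sorts below 2.6.35. The local
# suffix ("-25-generic") is ignored.
ver_key() {
    case $1 in *-rc*) final=0 ;; *) final=1 ;; esac
    # keep only the leading dotted numeric part; pad so cut always has 3 fields
    num=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0
    printf '%s %s %s %s\n' \
        "$(printf '%s' "$num" | cut -d. -f1)" \
        "$(printf '%s' "$num" | cut -d. -f2)" \
        "$(printf '%s' "$num" | cut -d. -f3)" \
        "$final"
}

# ver_ge A B: exit 0 if kernel version A >= B.
ver_ge() {
    set -- $(ver_key "$1") $(ver_key "$2")   # $1..$4 = A, $5..$8 = B
    [ "$1" -ne "$5" ] && { [ "$1" -gt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -gt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -gt "$7" ]; return; }
    [ "$4" -ge "$8" ]
}

# cve_2010_2524_affected KVER DFS_UPCALL: exit 0 if KVER is in
# [2.6.25-rc1, 2.6.35) and CONFIG_CIFS_DFS_UPCALL is "y".
cve_2010_2524_affected() {
    [ "$2" = y ] || return 1             # upcall not built: DFS lookup path absent
    ver_ge "$1" 2.6.25-rc1 || return 1   # before the introducing commit
    ! ver_ge "$1" 2.6.35                 # 2.6.35 and later carry the fix
}

# check_running_kernel: apply the check to this host, reading the config
# option from /boot/config-$(uname -r) or /proc/config.gz.
check_running_kernel() {
    kver=$(uname -r)
    if [ -r "/boot/config-$kver" ]; then
        dfs=$(sed -n 's/^CONFIG_CIFS_DFS_UPCALL=//p' "/boot/config-$kver")
    elif [ -r /proc/config.gz ]; then
        dfs=$(zcat /proc/config.gz | sed -n 's/^CONFIG_CIFS_DFS_UPCALL=//p')
    else
        dfs=unknown
    fi
    if cve_2010_2524_affected "$kver" "$dfs"; then
        echo "$kver: in the upstream-vulnerable window with CONFIG_CIFS_DFS_UPCALL=y;" \
             "confirm the distribution package carries the 2.6.35 fix"
    else
        echo "$kver: outside the upstream-vulnerable window" \
             "(or CONFIG_CIFS_DFS_UPCALL=${dfs:-n})"
    fi
}

# Usage: sh cve-2010-2524-check.sh --run
if [ "${1-}" = --run ]; then
    check_running_kernel
fi
```

On an Ubuntu host that lands in the window, compare the installed kernel package version (dpkg -s linux-image-$(uname -r)) against the Released versions in the status table rather than trusting the upstream version alone.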

Priority

Medium

CVSS 3 severity score

7.8

Status

Package release status

linux (Launchpad, Ubuntu, Debian)
dapper    Does not exist
hardy     Not vulnerable (2.6.24)
jaunty    Ignored
karmic    Released (2.6.31-22.67)
lucid     Released (2.6.32-25.43)
maverick  Not vulnerable (2.6.35)
upstream  Released (2.6.35)
Patches:
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7
karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-2524/patches/karmic/linux/0001-CIFS-Fix-a-malicious-redirect-problem-in-the-DNS-looku.txt

linux-ec2 (Launchpad, Ubuntu, Debian)
dapper    Does not exist
hardy     Does not exist
karmic    Released (2.6.31-307.21)
lucid     Released (2.6.32-309.18)
maverick  Ignored (end of life)
upstream  Needs triage

linux-fsl-imx51 (Launchpad, Ubuntu, Debian)
dapper    Does not exist
hardy     Does not exist
karmic    Released (2.6.31-112.30)
lucid     Released (2.6.31-608.22)
maverick  Does not exist
upstream  Needs triage

linux-lts-backport-maverick (Launchpad, Ubuntu, Debian)
dapper    Does not exist
hardy     Does not exist
karmic    Does not exist
lucid     Released (2.6.35-25.44~lucid1)
maverick  Does not exist
upstream  Needs triage

linux-source-2.6.15 (Launchpad, Ubuntu, Debian)
dapper    Not vulnerable (before 2.6.25-rc1)
hardy     Does not exist
jaunty    Does not exist
karmic    Does not exist
lucid     Does not exist
maverick  Does not exist
upstream  Needs triage

Severity score breakdown

Parameter               Value
Base score              7.8
Attack vector           Local
Attack complexity       Low
Privileges required     Low
User interaction        None
Scope                   Unchanged
Confidentiality impact  High
Integrity impact        High
Availability impact     High
Vector                  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H