SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#981134

Linux kernel USB drivers do not initialize kernel memory properly

Overview

Various Linux USB drivers contain an information disclosure vulnerability that may expose sensitive segments of kernel memory to users.

I. Description

USB drivers for several versions the Linux kernel do not properly initialize kernel memory before using it. When an affected USB driver copies uninitialized memory from kernel space to user space (with the copy_to_user function), the previous kernel memory contents will be copied as well. In some cases, this will grant a user inappropriate access to sensitive segments of kernel memory.

II. Impact

Users may be able to view sensitive segments of kernel memory.

III. Solution

Check with Vendor

Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take.

Upgrade to Unaffected Build of the Linux Kernel

Users are encouraged to upgrade to an unaffected build of the Linux kernel.

Systems Affected

VendorStatusDate NotifiedDate Updated
ConnectivaUnknown22-Oct-2004
DebianUnknown22-Oct-2004
EngardeUnknown22-Oct-2004
Gentoo LinuxVulnerable30-Aug-2004
Hewlett-Packard CompanyUnknown22-Oct-2004
IBM-zSeriesUnknown22-Oct-2004
IBM eServerUnknown22-Oct-2004
ImmunixUnknown22-Oct-2004
Ingrian NetworksNot Vulnerable22-Oct-2004
MandrakeSoftUnknown22-Oct-2004
MontaVista SoftwareUnknown22-Oct-2004
NovellUnknown22-Oct-2004
Openwall GNU/*/LinuxUnknown25-Oct-2004
Red Hat Inc.Unknown22-Oct-2004
SCOUnknown22-Oct-2004
SequentUnknown22-Oct-2004
Sun Microsystems Inc.Unknown22-Oct-2004
SuSE Inc.Vulnerable25-Oct-2004
TurboLinuxUnknown22-Oct-2004

References


http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml
http://securityfocus.com/advisories/7104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0685
http://www.osvdb.org/displayvuln.php?osvdb_id=9273
http://www.securitytracker.com/alerts/2004/Aug/1011078.html

Credit

This vulnerability was reported by Tim Yamin.

This document was written by Jeff Gennari.

Other Information

Date Public:2004-08-25
Date First Published:2004-10-22
Date Last Updated:2004-10-25
CERT Advisory: 
CVE-ID(s):CAN-2004-0685
NVD-ID(s):CAN-2004-0685
US-CERT Technical Alerts: 
Metric:0.48
Document Revision:151

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader