OSVDB ID: 22418

Title: Linux Kernel dm-crypt crypt_config Structure Cryptographic Key Local Disclosure

Dates

Disclosure: Jan 04, 2006
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

The Linux kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because 'dm-crypt' does not zero out the 'struct crypt_config' structure before it is freed, potentially leaking cryptographic key information, resulting in a loss of confidentiality.
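The pattern described above, shown as a user-space analogue (an added example, not code from this entry or from the kernel source). The struct `crypt_config_demo`, the one-slot pool and the helper names are hypothetical stand-ins chosen so the leftover bytes can be inspected without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define KEY_SIZE 32

/* Hypothetical stand-in for dm-crypt's struct crypt_config (constructed, not kernel code). */
struct crypt_config_demo {
    size_t key_size;
    unsigned char key[KEY_SIZE];
};

/* One-slot pool standing in for the allocator: freeing releases the slot
 * but leaves its bytes in place, and the next allocation gets them as-is. */
static struct crypt_config_demo pool_slot;
static struct crypt_config_demo *pool_alloc(void) { return &pool_slot; }
static void pool_free(struct crypt_config_demo *cc) { (void)cc; }

/* Scrub through a volatile pointer so the compiler cannot discard the
 * stores as dead writes to memory that is about to be freed. */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Set up a config with a constructed key, tear it down, then count the key
 * bytes visible to the next user of the same memory. */
size_t residual_key_bytes(int zero_before_free) {
    struct crypt_config_demo *cc = pool_alloc();
    cc->key_size = KEY_SIZE;
    memset(cc->key, 0xA5, cc->key_size);      /* constructed key material */
    if (zero_before_free)
        scrub(cc, sizeof(*cc));               /* hardened teardown */
    pool_free(cc);

    struct crypt_config_demo *next = pool_alloc();   /* unrelated allocation */
    size_t leaked = 0;
    for (size_t i = 0; i < KEY_SIZE; i++)
        leaked += (next->key[i] == 0xA5);
    pool_free(next);
    return leaked;
}

int main(void) {
    printf("no zeroing: %zu, zeroed: %zu\n", residual_key_bytes(0), residual_key_bytes(1));
    return 0;
}
```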

Classification

Location: Local Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 2.6.16-rc1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Linux Kernel 2.6.14.4
Linux Kernel 2.6.15

References

Credit

  • Stefan Rompf - stefanloplof.de -


Direct URL: http://osvdb.org/22418