CVSS2 score of important, 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Note that the CVSS 'access vector' is set to AV:L as this is a vulnerability exploitable with only local access.
Mitigation:
It is possible to mitigate this flaw by blacklisting the affected protocols. Note that this is not an exhaustive list of modules to blacklist, but this should prevent the publicly circulated exploit from working properly as this is the list of protocols (relevant to RHEL) known to be affected.
** Ensure that the module is not already loaded, if not, these mitigation steps will not work.
** We have used the 'install' command to direct the system to run '/bin/true' instead of actually inserting the kernel module if it is called.
** On Red Hat Enterprise Linux 3, add this entry to the end of the /etc/modules.conf file:
install bluez /bin/true
Note that the bluez module is from the kernel-unsupported package. If you do not have this package installed, then you do not have this module.
** On Red Hat Enterprise Linux 4 and 5, add these entries to the end of the
/etc/modprobe.conf file:
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
Note that the sctp module cannot be unloaded in the running kernel if it is already loaded. You will need to make the changes in the /etc/modprobe.conf file and do a reboot.
** On Red Hat Enterprise MRG, add these entries to the end of the
/etc/modprobe.conf file:
CVSS2 score of important, 7.2 (AV:L/AC: L/Au:N/ C:C/I:C/ A:C)
Note that the CVSS 'access vector' is set to AV:L as this is a vulnerability exploitable with only local access.
Mitigation:
It is possible to mitigate this flaw by blacklisting the affected protocols. Note that this is not an exhaustive list of modules to blacklist, but this should prevent the publicly circulated exploit from working properly as this is the list of protocols (relevant to RHEL) known to be affected.
** Ensure that the module is not already loaded, if not, these mitigation steps will not work.
** We have used the 'install' command to direct the system to run '/bin/true' instead of actually inserting the kernel module if it is called.
** On Red Hat Enterprise Linux 3, add this entry to the end of the /etc/modules.conf file:
install bluez /bin/true
Note that the bluez module is from the kernel-unsupported package. If you do not have this package installed, then you do not have this module.
** On Red Hat Enterprise Linux 4 and 5, add these entries to the end of the
/etc/modprobe.conf file:
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
Note that the sctp module cannot be unloaded in the running kernel if it is already loaded. You will need to make the changes in the /etc/modprobe.conf file and do a reboot.
** On Red Hat Enterprise MRG, add these entries to the end of the
/etc/modprobe.conf file:
install pppox /bin/true
install bluetooth /bin/true
install appletalk /bin/true
install ipx /bin/true
install sctp /bin/true
Updated: Aug 17, 2009 20:45 EDT