CVE-2010-2524

Impact:
Moderate
Public Date:
2010-07-22
IAVA:
2011-A-0066
Bugzilla:
612166: CVE-2010-2524 kernel: dns_resolver upcall security issue

The MITRE CVE dictionary describes this issue as:

The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals.

Find out more about CVE-2010-2524 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as they did not include support for the upcall mechanism for the Common Internet File System (CIFS). This issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0723.html.

CVSS v2 metrics

Base Score 4.4
Base Metrics AV:L/AC:M/Au:N/C:P/I:P/A:P
Access Vector Local
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 5 (kernel) RHSA-2010:0610 2010-08-10

Mitigation

Last Modified

CVE description copyright © 2017, The MITRE Corporation