Bug 1007872 (CVE-2013-4350)

Summary: CVE-2013-4350 kernel: net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, bhu, davej, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jkurik, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, marcelo.barbosa, matt, mcressma, nobody, ohadlevy, plougher, ppandit, rt-maint, rvrbovsk, williams, yhuang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-18 12:47:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 998398, 1007880, 1007881, 1007882, 1007883, 1007903, 1009672, 1009673    
Bug Blocks: 1007886    

Description Petr Matousek 2013-09-13 13:31:24 UTC 
Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
does not seem to have the desired effect:

SCTP + IPv4:

 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
     192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
     192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):

SCTP + IPv6:

 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
     fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
     1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]

References:
https://bugzilla.kernel.org/show_bug.cgi?id=24412

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=95ee62083cb6453e056562d91f597552021e6ae7
Comment 2 Petr Matousek 2013-09-13 14:19:06 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1007903]
Comment 4 Fedora Update System 2013-09-19 02:04:29 UTC 
kernel-3.11.1-200.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-09-23 00:00:53 UTC 
kernel-3.10.12-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-09-23 00:36:09 UTC 
kernel-3.11.1-300.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2013-10-31 16:29:59 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:1490 https://rhn.redhat.com/errata/RHSA-2013-1490.html
Comment 9 Petr Matousek 2014-02-11 11:40:02 UTC 
Statement:

The risks associated with fixing this bug in Red Hat Enterprise Linux 5 and 6 are greater than its security impact. This issue is not currently planned to be addressed in future kernel updates for Red Hat Enterprise Linux 5 and 6.