Bug 1327484 (CVE-2016-3707)

Summary: CVE-2016-3707 kernel-rt: Sending SysRq command via ICMP echo request
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, anemec, aquini, bhu, dhoward, esammons, fhrbata, iboverma, jkacur, joelsmith, jross, kernel-mgr, kstutsma, lgoncalv, lwang, matt, mcressma, mguzik, nmurray, pholasek, plougher, rvrbovsk, security-response-team, vdronov, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the realtime kernel processed specially crafted ICMP echo requests. A remote attacker could use this flaw to trigger a sysrql function based on values in the ICMP packet, allowing them to remotely restart the system. Note that this feature is not enabled by default and requires elevated privileges to be configured.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-24 11:02:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1331240, 1331241, 1331242    
Bug Blocks: 1327486    

Description Adam Mariš 2016-04-15 08:35:13 UTC 
A flaw was found in the kernel-rt in which an attacker could submit a specially crafted ICMP echo request which can trigger a sysrq function based on values in the ICMP packet.

This feature was introduced in the kernel-rt only and is not shipping with standard Red Hat Enterprise Linux kernels.

Remote attacker could exploit this feature using bruteforce to submit arbitrary SysRq commands.

Resources:
https://www.kernel.org/pub/linux/kernel/projects/rt/4.4/patch-4.4.7-rt16.patch.gz

Upstream discussion:
https://lwn.net/Articles/448790/

CVE request:
http://seclists.org/oss-sec/2016/q2/349
Comment 3 Wade Mealing 2016-04-29 13:16:30 UTC 
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6 and 7.

This issue affects the Linux kernel-rt packages as shipped with Red Hat Enterprise Linux 7 and MRG-2  and may be addressed in a future update.
Comment 6 errata-xmlrpc 2016-06-23 16:30:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1301 https://access.redhat.com/errata/RHSA-2016:1301
Comment 7 errata-xmlrpc 2016-06-27 10:03:53 UTC 
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1341 https://access.redhat.com/errata/RHSA-2016:1341