Bug 1517220 (CVE-2017-16939)

Summary: CVE-2017-16939 Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, ajax, anderson, aquini, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, dwd, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mmilgram, nmurray, plougher, ppandit, ptalbert, rvrbovsk, slawomir, steved, walters, williams, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The Linux kernel is vulerable to a use-after-free flaw when Transformation User configuration interface(CONFIG_XFRM_USER) compile-time configuration were enabled. This vulnerability occurs while closing a xfrm netlink socket in xfrm_dump_policy_done. A user/process could abuse this flaw to potentially escalate their privileges on a system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:32:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1517221, 1517284, 1517287, 1517288, 1517289, 1517290, 1517291, 1517292, 1517293, 1555182, 1695831    
Bug Blocks: 1517157    

Description Prasad Pandit 2017-11-24 10:51:02 UTC 
Linux kernel built with the Transformation User configuration
interface(CONFIG_XFRM_USER) is vulnerable to a use-after-free
issue. It could occur while closing a xfrm netlink socket,
in xfrm_dump_policy_done.

A user/process could use this flaw to potentially escalate their
privileges on a system.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/11/24/3
  -> https://blogs.securiteam.com/index.php/archives/3535
Comment 1 Prasad Pandit 2017-11-24 10:52:20 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1517221]
Comment 2 Prasad Pandit 2017-11-24 13:48:41 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1517284]
Comment 7 Eric Christensen 2017-12-04 15:19:21 UTC 
Statement:

This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.

This issue affects the version of the kernel package as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2 may address this issue.
Comment 12 errata-xmlrpc 2018-05-08 18:25:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1318 https://access.redhat.com/errata/RHSA-2018:1318
Comment 13 errata-xmlrpc 2018-05-08 22:24:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1355 https://access.redhat.com/errata/RHSA-2018:1355
Comment 15 errata-xmlrpc 2019-05-14 19:08:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170
Comment 16 errata-xmlrpc 2019-05-14 20:26:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190