Bug 1850716 (CVE-2020-14305)

Summary: CVE-2020-14305 kernel: memory corruption in Voice over IP nf_conntrack_h323 module
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 4.12-rc1 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 22:01:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1845428, 1851897, 1851898, 1851899, 1888690    
Bug Blocks: 1845628    

Description Alex 2020-06-24 19:25:13 UTC 
A flaw memory corruption in the Linux kernel Voice over IP h323-conntrack-nat module was found.
An attacker could use this flaw to corrupt the memory.
For reproducing, need to establish connection to the port 1720 that is being used during call setup negotiation.
For ipv4 no crash (kernel panic), so for detecting corruption need to use ipv6.
The corruption happens for fields of struct nf_ct_ext (usually nf_ct_nat is located after nf_conn_help, but possibly nf_conn_nat and other that located in memory right after nf_conn_help).
In most cases the overlapping bytes were zero (if without debug options), so attacker cannot control directly what is being written to the corrupted memory, but at least one numerical value could be modified with tpktlen (so attacker can change TCP/IP packet payload size to control what is being written to some corrupted Int value).

The patch is: https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/
Comment 4 Alex 2020-06-28 13:36:40 UTC 
External References:

https://bugs.openvz.org/browse/OVZ-7188
https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/
Comment 5 Alex 2020-06-28 15:02:39 UTC 
Acknowledgments:

Name: Vasily Averin (Virtuozzo)
Comment 10 Petr Matousek 2020-07-01 12:14:37 UTC 
Statement:

This issue is rated as having Moderate impact because of being limited to only IPV6 port 1720 being used and if with particular module (nf_conntrack_h323) for Voice Over IP H.323.
Comment 11 Petr Matousek 2020-07-01 12:14:43 UTC 
Mitigation:

A mitigation to this flaw would be to no longer use IPV6 on affected hardware until the kernel has been updated or to disable Voice Over IP H.323 module. Existing systems that have h323-conntrack-nat kernel module loaded will need to unload the "nf_conntrack_h323" kernel module and blacklist it ( See https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).
Comment 12 errata-xmlrpc 2020-09-29 19:00:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
Comment 13 errata-xmlrpc 2020-09-29 20:54:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
Comment 14 Product Security DevOps Team 2020-09-29 22:01:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14305