Bug 1865751 (CVE-2020-16166)

Summary: CVE-2020-16166 kernel: information exposure in drivers/char/random.c and kernel/time/timer.c
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, khorenko, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rkeshri, rrakesh2, rt-maint, rvrbovsk, sgrubb, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. The generation of the device ID from the network RNG internal state is predictable. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-19 20:21:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1865752, 1867567, 1867568, 1867569, 1867570, 1867571, 1872007, 1872008, 1872009, 1872010, 1872011, 1872012, 1872013, 1888230, 1888231, 1888232, 1888233, 1888234, 1888235, 1888236    
Bug Blocks: 1865753    

Description Dhananjay Arunesh 2020-08-04 04:23:16 UTC 
A flaw was found in the way the Linux kernel derived the network RNG's internal state making the device ID predictable. Adding net_rand_state (randomness) on interrupt and CPU activity makes speculation complicated by a remote observer.

This modifies the first 32 bits out of the 128 bits of a random CPU's net_rand_state on interrupt or CPU activity to complicate remote observations that could lead to guessing the network RNG's internal state.

In addition, with NOHZ some CPUs might not even get timer interrupts, leaving their local state rarely updated, while they are running networked processes making use of the random state.  For this reason, we also perform this update in update_process_times() in order to at least update the state when there is user or system activity, since it's the only case we care about.

References:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227e3ec3b5cad859ad15666874405e8c1bbc1d4
https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1d4
Comment 1 Dhananjay Arunesh 2020-08-04 04:25:11 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1865752]
Comment 6 Rohit Keshri 2020-08-10 11:49:47 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 8 Fedora Update System 2020-08-11 14:11:24 UTC 
FEDORA-2020-8d634e31c0 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2020-10-19 16:57:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4279 https://access.redhat.com/errata/RHSA-2020:4279
Comment 19 Product Security DevOps Team 2020-10-19 20:21:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-16166
Comment 20 errata-xmlrpc 2020-12-15 08:33:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5428 https://access.redhat.com/errata/RHSA-2020:5428
Comment 21 errata-xmlrpc 2020-12-15 08:57:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5418 https://access.redhat.com/errata/RHSA-2020:5418
Comment 22 errata-xmlrpc 2020-12-15 16:23:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5506 https://access.redhat.com/errata/RHSA-2020:5506
Comment 23 errata-xmlrpc 2020-12-15 16:38:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5473 https://access.redhat.com/errata/RHSA-2020:5473
Comment 24 errata-xmlrpc 2021-01-19 10:53:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0184 https://access.redhat.com/errata/RHSA-2021:0184