Bug 1868211 (CVE-2019-20795)
| Summary: | CVE-2019-20795 iproute: use-after-free in get_netnsid_from_name in ip/ipnetns.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aclaudi, atragler, cmoore, code, jiji, kaycoth, mshi, psutter, rvokal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | iproute2 5.1.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A use-after-free flaw was found in iproute in the network namespace management component of the ip command-line utility. This flaw allows a local attacker to crash the program while displaying network namespaces. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-28 11:00:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1868213, 1868349, 1875760 | ||
| Bug Blocks: | 1868212 | ||
|
Description
Dhananjay Arunesh
2020-08-12 02:50:42 UTC
Created iproute tracking bugs for this issue: Affects: fedora-all [bug 1868213] From upstream commit: """ In get_netnsid_from_name func, answer is freed before rta_getattr_u32(tb[NETNSA_NSID]), where tb[] refers to answer`s content. If we set MALLOC_MMAP_THRESHOLD_=0, mmap will be adoped to malloc memory, which will be freed immediately after calling free func. So reading tb[NETNSA_NSID] will access the released memory after free(answer). """ Note that for security reasons the environment variable "MALLOC_MMAP_THRESHOLD_" is ignored in set-user-ID and set-group-ID programs [1]. This is not relevant in this case though, as the attacker would need to have root privileges anyways to be able to create a network namespace in the first place. [1] https://man7.org/linux/man-pages/man3/mallopt.3.html It is unclear to me how this could be exploited to attack other users, it seems like a self-attack. This bug is more of a reliability issue since MALLOC_MMAP_THRESHOLD_ must be set to 0 and the user must trigger a crash locally by displaying the network namespaces. Under normal circumstances (i.e., MALLOC_MMAP_THRESHOLD_ unset) the security impact is minimal: the network namespace id (uint32) is "disclosed" from the free()d memory chunk through the result of get_netnsid_from_name(). Note that after calling free() the nsid is immediately accessed and returned to the parent function netns_map_init(). The pointer to the heap chunk is a local variable which is automatically released when the function ends, so it seems unlikely the use-after-free could be exploited in any meaningful way. --- struct nlmsghdr *answer; struct rtattr *tb[NETNSA_MAX + 1]; <snip> free(answer); return rta_getattr_u32(tb[NETNSA_NSID]); // tb[NETNSA_NSID] points to nsid in answer's content Statement: This issue affects the versions of `iproute` as shipped with Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 8 is not affected by this flaw. This flaw has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. |