Bug 454566

Summary: kernel: randomize udp port allocation
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: dhoward, lwang, mjc, nobody, rkhan, skakar, vgoyal
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-02 17:43:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 454567, 454568, 454569, 454570, 454571, 454572, 454961, 458325
Bug Blocks: 449345

Attachments (Description / Flags):
Proposed backported patch for RHEL-4.8 / none
Proposed backported patch for RHEL-5.3 / none
Proposed backported patch for RHEL-2.1 / none
Proposed backported patch for RHEL-3.9 / none

Description Eugene Teo (Security Response) 2008-07-09 02:03:49 UTC
The Linux kernel 2.6.24 implements random source ports for UDP (where none is
specified by the application). However, we do not ship a kernel that implements
UDP port randomization in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

This bug is created to make sure that we backport a kernel patch that would
cause UDP port allocation to be randomized like TCP.
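As an added example (not part of this bug or its attached patches), a small check an administrator can run to see whether the kernel in use hands out ephemeral UDP source ports in a random or a sequential pattern. It binds UDP sockets to port 0 on loopback and looks for long runs of consecutive allocations; the run-length threshold of three is an assumed heuristic, not a kernel constant:

```python
"""Check whether the running kernel randomizes ephemeral UDP source ports.

Added example for illustration; not code from the bug or its attachments.
Pre-2.6.24 allocators tend to hand out ports in increasing sequence, which
shows up as long runs of +1 steps; a randomized allocator does not.
"""
import socket
from typing import List


def sample_udp_ports(count: int = 32, host: str = "127.0.0.1") -> List[int]:
    """Bind `count` UDP sockets to port 0 and return the kernel-chosen ports.

    All sockets are kept open until sampling is done so that a freed port
    cannot be handed back and mask the allocation pattern.
    """
    socks: List[socket.socket] = []
    ports: List[int] = []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind((host, 0))          # port 0: let the kernel pick the port
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def max_run_length(ports: List[int]) -> int:
    """Length of the longest run of allocations that each step by exactly +1."""
    if not ports:
        return 0
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def looks_randomized(ports: List[int], max_run: int = 3) -> bool:
    """Heuristic (assumed threshold): randomized allocators rarely produce
    more than a few consecutive +1 steps; sequential ones do so constantly."""
    return max_run_length(ports) <= max_run


if __name__ == "__main__":
    sample = sample_udp_ports()
    print(sample)
    print("randomized" if looks_randomized(sample) else "sequential-looking")
```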

Comment 4 Eugene Teo (Security Response) 2008-07-09 02:15:08 UTC
Created attachment 311337 [details]
Upstream patch for this issue

Comment 6 Mark J. Cox 2008-07-09 06:37:10 UTC
Implementing this would mitigate CVE-2008-1447 as applied to the glibc stub
resolver.

Comment 8 Eugene Teo (Security Response) 2008-07-09 14:27:08 UTC
Created attachment 311378 [details]
Proposed backported patch for RHEL-4.8

Comment 9 Eugene Teo (Security Response) 2008-07-09 14:28:09 UTC
Created attachment 311379 [details]
Proposed backported patch for RHEL-5.3

Comment 10 Eugene Teo (Security Response) 2008-07-10 02:28:11 UTC
Created attachment 311434 [details]
Proposed backported patch for RHEL-2.1

Comment 11 Eugene Teo (Security Response) 2008-07-10 02:29:09 UTC
Created attachment 311435 [details]
Proposed backported patch for RHEL-3.9

Comment 13 Mark J. Cox 2008-08-04 17:40:23 UTC
Whilst we're providing updates for Red Hat Enterprise Linux 4 and 5 to backport this functionality we have not labeled them as a security fix because they're only a partial help towards mitigation. The glibc stub resolver is not a recursive resolver and therefore is not affected directly by the recent DNS exploits (which rely on a caching recursive resolver). Different attacks against stub resolvers may still be possible, but for the most part an attacker would need to be on a local network and would be likely to be able to perform other attacks more easily.