Bug 462599 (CVE-2008-4445)

Summary: CVE-2008-4445 kernel: sctp: fix random memory dereference with SCTP_HMAC_IDENT option
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bhu, lgoncalv, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-21 17:39:56 UTC
Bug Depends On: 460395

Description Eugene Teo (Security Response) 2008-09-17 13:27:05 UTC
Description of problem:
Eugene Teo reported that the number of HMAC identifiers needs to be checked against the option length. Also, the identifier index provided needs to be verified to make sure that it does not exceed the bounds of the array. However, this does not have a security consequence as it is saved by a couple of conditions in the sctp_auth_ep_set_hmacs routine.

Reference:
8.1.19.  Get or set the list of supported HMAC Identifiers (SCTP_HMAC_IDENT)
http://ietfreport.isoc.org/idref/draft-ietf-tsvwg-sctpsocket/

Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=d97240552cd98c4b07322f30f66fd9c3ba4171de

It depends on bug #459956.

Comment 3 Eugene Teo (Security Response) 2008-09-17 14:14:44 UTC
(In reply to comment #0)
> Description of problem:
> Eugene Teo reported that the number of HMAC identifiers needs to be checked
> against the option length. Also, the identifier index provided needs to be
> verified to make sure that it does not exceed the bounds of the array. However,
> this does not have a security consequence as it is saved by a couple of
> conditions in the sctp_auth_ep_set_hmacs routine.

Not really. This could result in a possible information disclosure via sctp_getsockopt_hmac_ident().
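As an added example (not the kernel's code and not the patch linked above), a user-space model in C of the checks the description and comment 3 call for: on the set path the option length must agree with the identifier count and every identifier must index a known table entry; on the get path a buffer too small for the full list is rejected instead of being over-read. The struct layout, the table size and the identifier values are assumptions.

```c
/* Added example, not kernel code: user-space model of the checks around SCTP_HMAC_IDENT. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define AUTH_NUM_HMACS 3   /* assumed number of entries in the HMAC table */
/* Simplified model of struct sctp_hmacalgo: a count, then the identifiers. */
struct hmacalgo {
    uint32_t num_idents;
    uint16_t idents[];
};

struct endpoint {
    uint16_t hmac_ids[AUTH_NUM_HMACS];  /* list the endpoint advertises */
    uint32_t num_ids;
};

/* Set path: the option length must cover the header plus exactly
 * num_idents identifiers, and each identifier must index the known table. */
int set_hmac_ident(struct endpoint *ep, const void *optval, size_t optlen)
{
    const struct hmacalgo *h = optval;

    if (optlen < sizeof(*h))
        return -EINVAL;            /* header itself is truncated */
    if (h->num_idents == 0 || h->num_idents > AUTH_NUM_HMACS ||
        h->num_idents != (optlen - sizeof(*h)) / sizeof(uint16_t))
        return -EINVAL;            /* count disagrees with the length */
    for (size_t i = 0; i < h->num_idents; i++)
        if (h->idents[i] == 0 || h->idents[i] > AUTH_NUM_HMACS)
            return -EINVAL;        /* index would leave the table */
    memcpy(ep->hmac_ids, h->idents, h->num_idents * sizeof(uint16_t));
    ep->num_ids = h->num_idents;
    return 0;
}

/* Get path: refuse a buffer that cannot hold the whole list rather than
 * copying past it, and copy only the identifiers the endpoint has. */
int get_hmac_ident(const struct endpoint *ep, void *optval, size_t *optlen)
{
    struct hmacalgo *h = optval;
    size_t data_len = ep->num_ids * sizeof(uint16_t);

    if (*optlen < sizeof(*h) + data_len)
        return -EINVAL;            /* too small: no partial copy */
    h->num_idents = ep->num_ids;
    memcpy(h->idents, ep->hmac_ids, data_len);
    *optlen = sizeof(*h) + data_len;
    return 0;
}
```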

Comment 7 Vincent Danen 2010-12-21 17:39:56 UTC
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0857)