Bug 640036 (CVE-2010-3705)

Summary: CVE-2010-3705 kernel: sctp memory corruption in HMAC handling
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: arozansk, bhu, davej, esammons, eteo, fhrbata, jkacur, jpirko, kmcmartin, kzhang, lgoncalv, liko, lwang, mjc, nixon, rcvalle, tcallawa, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 08:46:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 640459, 640460, 640461, 640462    
Bug Blocks:    

Description Petr Matousek 2010-10-04 15:35:57 UTC 
Description of problem:

When parsing a peer's supported HMAC authentication options in the sctp_auth_asoc_get_hmac() function, a malicious peer can craft their HMAC array in such a way as to cause memory corruption (out-of-bounds read followed by use of retrieved out-of-bounds data), which at the very least could cause a denial of service via kernel panic, and possibly worse.  It appears this could be  triggered remotely when connecting to a malicious peer, or locally by a user acting as both endpoints.  In both cases, the "auth_enable" sysctl must be set in order to trigger the bug.

References:
http://marc.info/?l=oss-security&m=128619854321910&w=1
http://marc.info/?l=linux-kernel&m=128596992418814&w=2
Comment 2 Petr Matousek 2010-10-05 17:28:19 UTC 
Statement:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-3705.

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. It did not affect Red Hat Enterprise Linux 4 and 5 as it did not include upstream commit 1f485649 that introduced the problem. Future kernel updates in Red Hat Enterprise MRG may address this flaw.
Comment 4 Jiri Pirko 2010-10-06 08:10:18 UTC 
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=51e97a12bef19b7e43199fc153cf9bd5f2140362
Comment 5 Eugene Teo (Security Response) 2010-11-08 06:45:44 UTC 
Acknowledgements:

Red Hat would like to thank Dan Rosenberg for reporting this issue.
Comment 6 errata-xmlrpc 2010-11-10 19:09:10 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html
Comment 7 errata-xmlrpc 2010-11-22 19:35:15 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html
Comment 8 errata-xmlrpc 2010-12-08 19:09:20 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2010:0958 https://rhn.redhat.com/errata/RHSA-2010-0958.html