Bug 1119458 (CVE-2014-4943) - CVE-2014-4943 kernel: net: pppol2tp: level handling in pppol2tp_[s,g]etsockopt()
Summary: CVE-2014-4943 kernel: net: pppol2tp: level handling in pppol2tp_[s,g]etsockopt()
Status: CLOSED ERRATA
Alias: CVE-2014-4943
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: xiaoli feng
URL:
Whiteboard: impact=important,public=20140716,repo...
Keywords: Security
Depends On: 1119461 1119462 1119463 1119464 1119465 1119466 1120542 1120844
Blocks: 1115839 1119480
TreeView+ depends on / blocked
 
Reported: 2014-07-14 20:10 UTC by Petr Matousek
Modified: 2018-02-12 19:26 UTC (History)
21 users (show)

(edit)
A flaw was found in the way the pppol2tp_setsockopt() and pppol2tp_getsockopt() functions in the Linux kernel's PPP over L2TP implementation handled requests with a non-SOL_PPPOL2TP socket option level. A local, unprivileged user could use this flaw to escalate their privileges on the system.
Clone Of:
(edit)
Last Closed: 2014-07-23 17:43:45 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0923 normal SHIPPED_LIVE Important: kernel security update 2014-07-23 19:44:06 UTC
Red Hat Knowledge Base (Article) 1131853 None None None Never
Red Hat Product Errata RHSA-2014:0924 normal SHIPPED_LIVE Important: kernel security update 2014-07-23 20:04:44 UTC
Red Hat Product Errata RHSA-2014:0925 normal SHIPPED_LIVE Important: kernel security update 2014-07-23 20:04:36 UTC
Red Hat Product Errata RHSA-2014:1025 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-08-06 19:49:33 UTC

Description Petr Matousek 2014-07-14 20:10:19 UTC
A flaw was found in the way pppol2tp_setsockopt() and pppol2tp_getsockopt()
functions in the Linux kernel's PPP over L2TP implementation handled
non-SOL_PPPOL2TP level.

A local, unprivileged user could use this flaw to escalate their privileges on
the system.

Acknowledgements:

Red Hat would like to thank Sasha Levin for reporting this issue.

Comment 2 Petr Matousek 2014-07-14 20:14:52 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat
Enterprise Linux 5 and Red Hat Enterprise MRG 2.

Please note that on Red Hat Enterprise Linux 6 pppol2tp module is not
automatically loaded when AF_PPPOX/PX_PROTO_OL2TP socket is created as
Red Hat Enterprise Linux 6 lacks upstream commit 9395a09d05a23bb and default
modprobe configuration as shipped with module-init-tools package does not
contain the alias for pppol2tp protocol either. As a result, pppol2tp module
has to be explicitly enabled and/or loaded by the system administrator.

Comment 3 Petr Matousek 2014-07-14 20:16:11 UTC
Mitigation:

For Red Hat Enterprise Linux 6 do --

]# echo "install pppol2tp /bin/true" > /etc/modprobe.d/pppol2tp.conf

For Red Hat Enterprise Linux 7 do --

]# echo "install l2tp_ppp /bin/true" > /etc/modprobe.d/l2t_pppp.conf

Or, alternatively, when pppol2tp/l2tp_ppp module can't be blacklisted and needs
to be loaded, you can use the following systemtap script --

1) On the host, save the following in a file with the ".stp" extension --

probe module("*l2tp*").function("pppol2tp_*etsockopt").call {
        $level = 273;
}

2) Install the "systemtap" package and any required dependencies. Refer to
the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 6
"SystemTap Beginners Guide" document, available from docs.redhat.com, for
information on installing the required -debuginfo packages.

3) Run the "stap -g [filename-from-step-1].stp" command as root.

If the host is rebooted, the changes will be lost and the script must be
run again.

Alternatively, build the systemtap script on a development system with
"stap -g -p 4 [filename-from-step-1].stp", distribute the resulting kernel
module to all affected systems, and run "staprun -L <module>" on those.
When using this approach only systemtap-runtime package is required on the
affected systems. Please notice that the kernel version must be the same across
all systems.

Comment 6 Murray McAllister 2014-07-17 06:43:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1120542]

Comment 8 Fedora Update System 2014-07-20 03:26:00 UTC
kernel-3.15.6-200.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 errata-xmlrpc 2014-07-23 15:44:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0923 https://rhn.redhat.com/errata/RHSA-2014-0923.html

Comment 12 errata-xmlrpc 2014-07-23 16:06:08 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2014:0925 https://rhn.redhat.com/errata/RHSA-2014-0925.html

Comment 13 errata-xmlrpc 2014-07-23 16:06:29 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0924 https://rhn.redhat.com/errata/RHSA-2014-0924.html

Comment 14 Martin Prpič 2014-07-24 12:24:30 UTC
IssueDescription:

A flaw was found in the way the pppol2tp_setsockopt() and pppol2tp_getsockopt() functions in the Linux kernel's PPP over L2TP implementation handled requests with a non-SOL_PPPOL2TP socket option level. A local, unprivileged user could use this flaw to escalate their privileges on the system.

Comment 15 Fedora Update System 2014-07-25 10:08:17 UTC
kernel-3.14.13-100.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2014-08-06 15:49:45 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.2 AUS

Via RHSA-2014:1025 https://rhn.redhat.com/errata/RHSA-2014-1025.html


Note You need to log in before you can comment on or make changes to this bug.