Bug 1327484 (CVE-2016-3707) - CVE-2016-3707 kernel-rt: Sending SysRq command via ICMP echo request
Summary: CVE-2016-3707 kernel-rt: Sending SysRq command via ICMP echo request
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3707
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1331240 1331241 1331242
Blocks: 1327486
Reported: 2016-04-15 08:35 UTC by Adam Mariš
Modified: 2021-02-17 04:02 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the realtime kernel processed specially crafted ICMP echo requests. A remote attacker could use this flaw to trigger a sysrq function based on values in the ICMP packet, allowing them to remotely restart the system. Note that this feature is not enabled by default and requires elevated privileges to be configured.
Clone Of:
Environment:
Last Closed: 2016-06-24 11:02:00 UTC
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2016:1301 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security, bug fix, and enhancement update | 2016-06-23 20:15:04 UTC
Red Hat Product Errata | RHSA-2016:1341 | 0 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2016-06-27 14:02:50 UTC

Description Adam Mariš 2016-04-15 08:35:13 UTC
A flaw was found in the kernel-rt in which an attacker could submit a specially crafted ICMP echo request which can trigger a sysrq function based on values in the ICMP packet.

This feature was introduced in the kernel-rt only and is not shipping with standard Red Hat Enterprise Linux kernels.

A remote attacker could exploit this feature using brute force to submit arbitrary SysRq commands.

Resources:
https://www.kernel.org/pub/linux/kernel/projects/rt/4.4/patch-4.4.7-rt16.patch.gz

Upstream discussion:
https://lwn.net/Articles/448790/

CVE request:
http://seclists.org/oss-sec/2016/q2/349
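
A defensive check for the condition described above, added here as an example and not part of the original bug report or of Red Hat's tooling: it reports whether the feature is active on a host and whether any sysctl configuration file turns it on at boot. The sysctl name net.ipv4.icmp_echo_sysrq comes from the -rt patch set linked under Resources rather than from the bug text; the function names and the root-directory parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a host for the kernel-rt SysRq-over-ICMP feature.
# $1 is the filesystem root to inspect ("/" for the live host); taking it as a
# parameter is an assumption of this example so images/fixtures can be checked.

# Runtime state. Prints: absent | disabled | enabled
icmp_sysrq_runtime() {
    f="${1%/}/proc/sys/net/ipv4/icmp_echo_sysrq"
    # Kernels without the -rt feature do not expose the file at all.
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(tr -d ' \t\n' < "$f")" in
        0) echo disabled ;;
        *) echo enabled ;;   # any non-zero value means the feature is armed
    esac
}

# Boot-time state. Prints "file:line" for each sysctl config line that sets
# the key to something other than 0 (hex spellings of zero are also flagged).
icmp_sysrq_persistent() {
    root="${1%/}"
    for f in "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/*.conf \
             "$root"/run/sysctl.d/*.conf "$root"/usr/lib/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*[#;]/ { next }                 # skip comments
            {
                split($0, kv, "=")
                key = kv[1]; val = kv[2]
                gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
                sub(/^-/, "", key)                 # "-key" = ignore-errors form
                gsub(/\//, ".", key)               # net/ipv4/x == net.ipv4.x
                if (key == "net.ipv4.icmp_echo_sysrq" && val != "" && val != "0")
                    print f ":" NR
            }' "$f"
    done
}

# Combined verdict: returns 0 only if the feature is neither active now nor
# configured to be activated at boot.
audit_icmp_sysrq() {
    state=$(icmp_sysrq_runtime "$1")
    hits=$(icmp_sysrq_persistent "$1")
    echo "runtime: $state"
    [ -z "$hits" ] || echo "persistent: $hits"
    [ "$state" != enabled ] && [ -z "$hits" ]
}
```

On a live host, call audit_icmp_sysrq / from an account that can read /proc/sys; a non-zero exit status means the feature is active or configured to become active.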

Comment 3 Wade Mealing 2016-04-29 13:16:30 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6 and 7.

This issue affects the Linux kernel-rt packages as shipped with Red Hat Enterprise Linux 7 and MRG-2 and may be addressed in a future update.

Comment 6 errata-xmlrpc 2016-06-23 16:30:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1301 https://access.redhat.com/errata/RHSA-2016:1301

Comment 7 errata-xmlrpc 2016-06-27 10:03:53 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1341 https://access.redhat.com/errata/RHSA-2016:1341

