Bug 1349722 (CVE-2016-4997) - CVE-2016-4997 kernel: compat IPT_SO_SET_REPLACE setsockopt
Summary: CVE-2016-4997 kernel: compat IPT_SO_SET_REPLACE setsockopt
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-4997
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: IP6T_SO_SET_REPLACE (view as bug list)
Depends On: 1318693 1318694 1318695 1350769 1351030 1351031 1351032 1351033 1351034 1351035 1351036 1351037 1364809 1364810
Blocks: 1349713
TreeView+ depends on / blocked
 
Reported: 2016-06-24 05:39 UTC by Wade Mealing
Modified: 2021-02-17 03:39 UTC (History)
36 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:55:48 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1847 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-09-15 11:38:04 UTC
Red Hat Product Errata RHSA-2016:1875 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2016-09-15 11:39:21 UTC
Red Hat Product Errata RHSA-2016:1883 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2016-09-15 03:41:02 UTC

Description Wade Mealing 2016-06-24 05:39:32 UTC 
A flaw was discovered in processing setsockopt for 32 bit processes on
64 bit systems.  This flaw will allow attackers to alter arbitary kernel
memory when unloading a kernel module.  This action is usually restricted
to root-priveledged users but can also be leveraged if the kernel is
compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated priveledges.

This flaw was introduced in commit 52e804c6dfaa,


Upstream fixes

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d04
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb088
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968

Discussion on oss-sec:
http://www.openwall.com/lists/oss-security/2016/06/24/5
Comment 6 Andrej Nemec 2016-06-27 06:37:40 UTC 
Public via:

http://seclists.org/oss-sec/2016/q2/599
Comment 8 Wade Mealing 2016-06-28 08:27:32 UTC 
Statement:

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux  7, MRG-2 and realtime and will be addressed in a future update.
Comment 11 Adam Mariš 2016-06-28 11:02:24 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1350769]
Comment 18 Fedora Update System 2016-06-30 21:24:53 UTC 
kernel-4.6.3-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2016-07-19 07:19:46 UTC 
kernel-4.4.14-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 errata-xmlrpc 2016-09-14 23:43:39 UTC 
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1883 https://rhn.redhat.com/errata/RHSA-2016-1883.html
Comment 21 errata-xmlrpc 2016-09-15 08:02:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1847 https://rhn.redhat.com/errata/RHSA-2016-1847.html
Comment 22 errata-xmlrpc 2016-09-15 08:11:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1875 https://rhn.redhat.com/errata/RHSA-2016-1875.html
Comment 23 Charlie Brady 2016-09-29 16:04:38 UTC 
Is the fix for RHEL6 still in the pipeline?  Am I right in understanding that network namespaces need to be enabled before the vulnerability is exploitable?
Comment 24 Petr Matousek 2016-10-10 11:01:51 UTC 
*** Bug 1383265 has been marked as a duplicate of this bug. ***
Comment 25 Wade Mealing 2016-10-13 07:30:16 UTC 
The fix for EL6 is not in the pipeline, it was my misunderstanding of the code that marked it vulnerable and I have corrected that understanding in the statement. Sorry for any confusion Charlie Brady.
Note You need to log in before you can comment on or make changes to this bug.