It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow resulting in a system crash or a privilege escalation. References: http://seclists.org/oss-sec/2017/q1/697 https://nvd.nist.gov/vuln/detail/CVE-2017-7308 http://seclists.org/oss-sec/2017/q2/5 https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html Upstream patches: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b6867c2ce76c596676bec7d2d525af525fdc6e2 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bcc5364bdcfe131e6379363f089e7b4108d35b70
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1437406]
Statement: This issue does not affect Red Hat Enterprise Linux 5. In a default or common use of Red Hat Enterprise Linux 6 and 7 this issue does not allow an unprivileged local user elevate their privileges on the system. In order to exploit this issue the attacker needs CAP_NET_RAW capability, which needs to be granted by the administrator to the attacker's account. Since Red Hat Enterprise Linux 6 does not have namespaces support and Red Hat Enterprise Linux 7 does not have unprivileged user namespaces enabled by default, local unprivileged users also cannot abuse namespaces feature to grant this capability to themselves and elevate their privileges. So, this issue does not affect Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2 in the default configuration. Future updates for the respective releases will address this issue to secure non-default configurations. In the non-default configuration mentioned above only Red Hat Enterprise Linux 7 is vulnerable to a privilege escalation. Red Hat Enterprise Linux 6 is vulnerable only to a denial of service (DoS) due to a system crash, hence the impact on Red Hat Enterprise Linux 6 is rated as being Moderate.
External References: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2017:1297 https://access.redhat.com/errata/RHSA-2017:1297
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1298 https://access.redhat.com/errata/RHSA-2017:1298
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1308 https://access.redhat.com/errata/RHSA-2017:1308
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:1854 https://access.redhat.com/errata/RHSA-2018:1854