A flaw was found in the Linux kernel present since v4.0-rc1 and through v4.13-rc4. A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw.
None of the Red Hat's products are vulnerable to this flaw.
I'd like to point out that this attack is very difficult to execute over the WAN since packets with IPv4 options are often dropped by routers.
We note that data seems to indicate that there is a current
widespread practice of blocking IPv4 optioned packets.
I was unable to deliver an innocuous IP packet with IP options to both my Digital Ocean and AWS virtual private servers.
Also, *why* is Red Hat not bulnerable?
(In reply to hayg from comment #4)
> I'd like to point out that this attack is very difficult to execute over the
> WAN since packets with IPv4 options are often dropped by routers.
Thank you for pointing this out. Let me add, though, that nevertheless the flaw still exists and can be exploited in other environments.
> Also, *why* is Red Hat not bulnerable?
This is so as the code with the flaw is not present in the Red Hat's products: https://access.redhat.com/labs/psb/
Thank you Vladis. I am rather upset by the reporting around this flaw. As far as I can tell this only affects SELinux enabled kernels which have a CIPSO rule added. Can you confirm whether that's the case? It is a huge deal that this is only an issue in the non-default configuration, and a rather niche one at that. I can tell you that I've already wasted 10s of hours on this because of the lack of detail which made it seem sensational.
(In reply to hayg from comment #8)
Thank you for the update.
> this only affects SELinux enabled kernels which have a
> CIPSO rule added. Can you confirm whether that's the case?
it is not only selinux but also SMACK.
could you, please, share the results of your research?
(In reply to Vladis Dronov from comment #9)
Thank you for confirming. This puts me at ease.
> could you, please, share the results of your research?
Pretty much what you just stated, that it affects only selinux and SMACK and only if you have a CIPSO rule enabled. This shrinks the affected audience to a much much smaller number of machines. Adding to this the fact that these packets will only be routed over the LAN (if that) and not the WAN, this does not even affect my org.
(In reply to hayg from comment #10)
> it affects only selinux and SMACK and only if you have a CIPSO rule enabled.
I've updated the flaw's description to make it clear, thank you.
Awesome, thanks Vladis! I hope this saves some folks time.