Bug 1626035 (CVE-2018-14633) - CVE-2018-14633 kernel: stack-based buffer overflow in chap_server_compute_md5() in iscsi target
Summary: CVE-2018-14633 kernel: stack-based buffer overflow in chap_server_compute_md5...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-14633
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1627034 1627035 1627037 1627038 1632184 1632185 1634711 1640716 1695812 1695813
Blocks: 1619500
TreeView+ depends on / blocked
 
Reported: 2018-09-06 12:46 UTC by Vladis Dronov
Modified: 2022-07-21 02:53 UTC (History)
45 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ISCSI target code in the Linux kernel. The flaw allows an unauthenticated, remote attacker to cause a stack buffer overflow of 17 bytes of the stack. Depending on how the kernel was compiled (e.g. compiler, compile flags, and hardware architecture), the attack may lead to a system crash or access to data exported by an iSCSI target. Privilege escalation cannot be ruled out. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:37:33 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3651 0 None None None 2018-11-27 01:20:21 UTC
Red Hat Product Errata RHSA-2018:3666 0 None None None 2018-11-27 01:20:50 UTC
Red Hat Product Errata RHSA-2019:1946 0 None None None 2019-07-30 09:09:04 UTC

Description Vladis Dronov 2018-09-06 12:46:18 UTC 
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. An attack requires the ISCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an ISCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely.

References:

https://seclists.org/oss-sec/2018/q3/270

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1816494330a8

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c39e2699f8a
Comment 1 Vladis Dronov 2018-09-06 12:46:20 UTC 
Acknowledgments:

Name: Vincent Pelletier
Comment 3 Vladis Dronov 2018-09-10 10:12:35 UTC 
Note:

The current kernels as shipped in the Red Hat's products are not vulnerable to this flaw due to certain layout of local variables on the stack of the chap_server_compute_md5() function. Namely, this buffer overflow does not overwrite anything meaningful and so does not make a security impact. Nevertheless, this may not be true for the future kernel versions. For this reason this flaw is rated as Moderate and is planned to be fixed in the future versions of the Red Hat's product.
Comment 6 Vladis Dronov 2018-09-24 10:16:26 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1632185]
Comment 8 Fedora Update System 2018-10-01 01:22:56 UTC 
kernel-4.18.10-100.fc27, kernel-headers-4.18.10-100.fc27, kernel-tools-4.18.10-100.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 errata-xmlrpc 2018-11-27 01:19:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3651 https://access.redhat.com/errata/RHSA-2018:3651
Comment 11 errata-xmlrpc 2018-11-27 01:20:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3666 https://access.redhat.com/errata/RHSA-2018:3666
Comment 13 errata-xmlrpc 2019-07-30 09:09:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1946 https://access.redhat.com/errata/RHSA-2019:1946
Note You need to log in before you can comment on or make changes to this bug.