Bug 1626035 (CVE-2018-14633) - CVE-2018-14633 kernel: stack-based buffer overflow in chap_server_compute_md5() in iscsi target
Summary: CVE-2018-14633 kernel: stack-based buffer overflow in chap_server_compute_md5...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-14633
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180924,repor...
Depends On: 1627038 1627034 1627035 1627037 1632184 1632185 1634711 1640716 1695812 1695813
Blocks: 1619500
Reported: 2018-09-06 12:46 UTC by Vladis Dronov
Modified: 2019-07-30 09:09 UTC
CC List: 44 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A security flaw was found in the chap_server_compute_md5() function in the iSCSI target code in the Linux kernel in the way an authentication request from an iSCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on the compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial of service, or possibly to non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:37:33 UTC

Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2018:3651  None      None    None     2018-11-27 01:20:21 UTC
Red Hat Product Errata  RHSA-2018:3666  None      None    None     2018-11-27 01:20:50 UTC
Red Hat Product Errata  RHSA-2019:1946  None      None    None     2019-07-30 09:09:04 UTC

Description Vladis Dronov 2018-09-06 12:46:18 UTC
A security flaw was found in the chap_server_compute_md5() function in the iSCSI target code in the Linux kernel in the way an authentication request from an iSCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. An attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on the compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial of service, or possibly to non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely.

References:

https://seclists.org/oss-sec/2018/q3/270

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1816494330a8

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c39e2699f8a
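
The defensive check the description implies, as an added C illustration that is not the kernel's code or the upstream patch: the hex-encoded CHAP response the initiator sends (the CHAP_R key) is required to be exactly the digest length before it is decoded into a fixed-size stack buffer, so an oversized value is rejected rather than written past the buffer. The function name chap_decode_response, the MD5_SIGNATURE_SIZE constant and the sample strings are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MD5_SIGNATURE_SIZE 16   /* assumed size of the MD5 digest carried in CHAP_R */

/* Decode one hex digit; returns -1 for anything outside [0-9a-fA-F]. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode the initiator-supplied CHAP_R hex string into a fixed-size
 * digest buffer. The length check runs before any byte is written: a
 * string longer than 2 * MD5_SIGNATURE_SIZE is rejected instead of
 * being decoded past the end of the caller's stack buffer.
 * Returns 0 on success, -1 on malformed input.
 */
int chap_decode_response(const char *chap_r, uint8_t digest[MD5_SIGNATURE_SIZE])
{
    size_t len = strlen(chap_r);
    if (len != 2 * MD5_SIGNATURE_SIZE)   /* exact length required */
        return -1;

    for (size_t i = 0; i < MD5_SIGNATURE_SIZE; i++) {
        int hi = hex_val(chap_r[2 * i]);
        int lo = hex_val(chap_r[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;                   /* reject non-hex characters */
        digest[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

int main(void)
{
    uint8_t d[MD5_SIGNATURE_SIZE];
    /* constructed: exactly 32 hex chars, one MD5 digest */
    const char *ok = "00112233445566778899aabbccddeeff";
    /* constructed: 34 hex chars, the kind of oversized value the check rejects */
    const char *too_long = "00112233445566778899aabbccddeeff01";
    printf("ok=%d too_long=%d\n", chap_decode_response(ok, d),
           chap_decode_response(too_long, d));  /* prints ok=0 too_long=-1 */
    return 0;
}
```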

Comment 1 Vladis Dronov 2018-09-06 12:46:20 UTC
Acknowledgments:

Name: Vincent Pelletier

Comment 3 Vladis Dronov 2018-09-10 10:12:35 UTC
Note:

The current kernels as shipped in Red Hat's products are not vulnerable to this flaw due to a certain layout of local variables on the stack of the chap_server_compute_md5() function. Namely, this buffer overflow does not overwrite anything meaningful and so does not have a security impact. Nevertheless, this may not be true for future kernel versions. For this reason this flaw is rated as Moderate and is planned to be fixed in future versions of Red Hat's products.

Comment 6 Vladis Dronov 2018-09-24 10:16:26 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1632185]

Comment 8 Fedora Update System 2018-10-01 01:22:56 UTC
kernel-4.18.10-100.fc27, kernel-headers-4.18.10-100.fc27, kernel-tools-4.18.10-100.fc27 have been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2018-11-27 01:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3651 https://access.redhat.com/errata/RHSA-2018:3651

Comment 11 errata-xmlrpc 2018-11-27 01:20:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3666 https://access.redhat.com/errata/RHSA-2018:3666

Comment 13 errata-xmlrpc 2019-07-30 09:09:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1946 https://access.redhat.com/errata/RHSA-2019:1946
