Bug 1683191 (CVE-2019-9162) - CVE-2019-9162 kernel: out-of-bounds read/write in et/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module
Summary: CVE-2019-9162 kernel: out-of-bounds read/write in et/ipv4/netfilter/nf_nat_sn...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-9162
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1679764 (view as bug list)
Depends On: 1676602 1683192 1684601
Blocks: 1683194
TreeView+ depends on / blocked
 
Reported: 2019-02-26 12:30 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:08 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that there are insufficient ASN.1 sequence length checks (a.k.a. an array index error) in the Linux kernel in the snmp_version() and snmp_helper() functions in the net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the [nf_nat_snmp_basic] module making out-of-bounds read and write operations possible. An unprivileged local attacker can use this flaw to cause a kernel OOPS condition and thus a denial of service (DoS). Due to the nature of the flaw, successful exploitation from the network or privilege escalation cannot be fully ruled out.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:48:52 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-02-26 12:30:52 UTC
It was found that there are insufficient ASN.1 sequence length checks (a.k.a. an array index error) in the Linux kernel in the snmp_version() and snmp_helper() functions in the net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the [nf_nat_snmp_basic] module making out-of-bounds read and write operations possible. A unprivileged local attacker can use this flaw to cause a kernel OOPS condition and thus a denial of service (DoS). Due to the nature of the flaw, an attack from the network or privilege escalation cannot be fully ruled out, although we believe it is unlikely.

External References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1776

https://seclists.org/oss-sec/2019/q1/166

An upstream commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc

Comment 1 Dhananjay Arunesh 2019-02-26 12:31:07 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1683192]

Comment 4 Vladis Dronov 2019-03-01 14:56:13 UTC
Vulnerability Note:

Jann Horn <jannh@google.com>
https://bugs.chromium.org/p/project-zero/issues/detail?id=1776

There are two scenarios in which this bug might be attacked:

 - A router that performs NAT translation is explicitly set up to invoke the
   SNMP helper, and a device in the NATted network wants to attack the router.

   This is probably very rare, since the router would need to be explicitly
   configured to perform SNMP translation. On top of that, to corrupt memory,
   an attacker would need to be able to completely fill an SKB; it isn't clear
   to me whether that is possible remotely.

 - A local attacker could exploit the bug by setting up new network namespaces
   with an iptables configuration that invokes SNMP translation. This probably
   works as a local privilege escalation against some distribution kernels.

   The normal autoloading path for this code was only set up in
   commit 95c97998aa9f ("netfilter: nf_nat_snmp_basic: add missing helper alias
   name", first in 4.20), but from a glance, it looks like it would be possible
   on kernels before 4.20 to instead first load one of the openvswitch module's
   aliases "net-pf-16-proto-16-family-ovs_*" through ctrl_getfamily(), then use
   ovs_ct_add_helper() to trigger loading of "nf_nat_snmp_basic" through the
   alias "ip_nat_snmp_basic".

Comment 5 Vladis Dronov 2019-03-01 14:57:45 UTC
*** Bug 1679764 has been marked as a duplicate of this bug. ***

Comment 6 Vladis Dronov 2019-03-01 14:59:38 UTC
Acknowledgments:

Name: Jann Horn


Note You need to log in before you can comment on or make changes to this bug.