Bug 1686373 (CVE-2019-3874) - CVE-2019-3874 kernel: SCTP socket buffer memory leak leading to denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1575105 1665243 1690646 1690649 1690650
Blocks: 1686374
Reported: 2019-03-07 11:05 UTC by Andrej Nemec
Modified: 2021-02-16 22:17 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack.
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:25 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2019:3309 (last updated 2019-11-05 20:35:16 UTC)
Red Hat Product Errata RHSA-2019:3517 (last updated 2019-11-05 21:05:58 UTC)

Description Andrej Nemec 2019-03-07 11:05:49 UTC
It was found that the cgroup limitation of system resources used by Kubernetes can be bypassed. A guest pod can be used to consume a large amount of system memory.

A suggested upstream patch set:

https://lore.kernel.org/netdev/20190401113110.GA20717@hmswarspite.think-freely.org/T/#u

Comment 12 Jason Shepherd 2019-03-15 02:57:19 UTC
Statement:

While this issue affects the Linux Kernel in Red Hat Enterprise Linux, and not OpenShift Container Platform (OCP) 3 code directly, OCP 3 makes use of CGroups in the Kernel to measure and report on the amount of system resources used by an end user application.

The default Security Context Constraints (SCC) in OpenShift Container Platform 3.x disallow an end user from running a container as root. Also a check is performed by the OCP 3 Installer to ensure SELinux is enabled, [1].

[1] https://github.com/openshift/openshift-ansible/blob/006fb14e9a28df9bd1a58ac376bbdf3eba50fa51/roles/openshift_node/tasks/main.yml#L3

Comment 14 Jason Shepherd 2019-03-18 23:12:13 UTC
Mitigation:

SELinux prevents a bind of the SCTP socket by a non-root user.

To mitigate this issue if not using SELinux, or if a Security Context Constraint allows running pods as the root user, the 'sctp' module should be blacklisted. Please see this Knowledge Base article for more information on how to blacklist a kernel module: https://access.redhat.com/solutions/41278
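The following POSIX shell helpers show what the mitigation above amounts to on a node: check whether the sctp module is currently loaded and drop a modprobe.d fragment that stops it from being loaded. This is an added example, not the Knowledge Base article's text or Red Hat's code. It assumes the conventional /proc/modules and /etc/modprobe.d locations and the usual "blacklist" plus "install ... /bin/true" pair; the function names, the fragment file name sctp-blacklist.conf and the sample module listing are constructed for the example.

```shell
#!/bin/sh
# Added example for CVE-2019-3874 mitigation (not from the bug or the KB article).
# Assumes standard modprobe.d semantics; function and file names are constructed.

# Return 0 if sctp appears in a /proc/modules-style listing.
# $1 = path to the listing (defaults to /proc/modules).
sctp_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -q '^sctp ' "$modules_file"
}

# Print the modprobe.d fragment. "blacklist" alone only stops alias-based
# autoloading; the "install" line makes any explicit or socket-triggered
# "modprobe sctp" run /bin/true instead of loading the module.
sctp_blacklist_conf() {
    printf '%s\n' \
        '# Disable SCTP on this node (mitigation for CVE-2019-3874)' \
        'blacklist sctp' \
        'install sctp /bin/true'
}

# Write the fragment into a modprobe.d directory.
# $1 = directory (defaults to /etc/modprobe.d, which needs root to write).
write_sctp_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    sctp_blacklist_conf > "$dir/sctp-blacklist.conf"
}

# Return 0 if a blacklist fragment with the install override exists in $1.
sctp_blacklisted() {
    dir="${1:-/etc/modprobe.d}"
    grep -qs '^install sctp /bin/true' "$dir"/*.conf
}

# Human-readable status line. The fragment only prevents future loads: a
# module that is already loaded stays resident until it is unloaded or the
# node reboots, so both facts are reported.
sctp_status() {
    modules_file="${1:-/proc/modules}"
    dir="${2:-/etc/modprobe.d}"
    if sctp_loaded "$modules_file"; then loaded="loaded"; else loaded="not loaded"; fi
    if sctp_blacklisted "$dir"; then bl="blacklisted"; else bl="not blacklisted"; fi
    printf 'sctp: %s, %s\n' "$loaded" "$bl"
}

# Usage on a node (as root): sctp_status; write_sctp_blacklist; sctp_status
```

Because containers share the host kernel, the fragment belongs on the node, not inside a pod image; after writing it, confirm with sctp_status that the module is not still resident from an earlier load.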

Comment 17 Jason Shepherd 2019-03-19 22:44:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1690646]

Comment 20 Jason Shepherd 2019-03-20 07:01:46 UTC
Acknowledgments:

Name: Matteo Croce (Red Hat), Natale Vinto (Red Hat), Andrea Spagnolo (Red Hat)

Comment 21 Jason Shepherd 2019-03-27 06:55:42 UTC
The Kubernetes Security team made a public announcement about this vulnerability here:

https://discuss.kubernetes.io/t/kubernetes-security-announcement-linux-kernel-memory-cgroups-escape-via-sctp-cve-2019-3874/5594

Comment 26 Justin M. Forbes 2019-08-20 19:12:42 UTC
This was fixed for Fedora with the 5.2 kernel rebases.

Comment 27 errata-xmlrpc 2019-11-05 20:35:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 28 errata-xmlrpc 2019-11-05 21:05:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

Comment 29 Product Security DevOps Team 2019-11-06 00:52:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3874
