A flaw was found in the Linux kernel's implementation of RDS over TCP. On a system that has the rds_tcp kernel module loaded (either through autoload, triggered by a local process calling listen(), or through manual loading), an attacker who is able to manipulate socket state while a network namespace is being torn down could possibly trigger a use-after-free (UAF). This can lead to possible memory corruption and privilege escalation.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1710152]
The affected code is not built in the following kernels:
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux MRG-2
- Red Hat Enterprise Linux for ARM (kernel-alt)
- Red Hat Enterprise Linux 8
These kernels are not affected.
The affected code was introduced by commit bdf5bd7f21323493dbe5f2c723dc33f2fbb0241a.
This affected commit is not present in the following kernels:
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
There is misinformation about this exploit currently circulating. While a network protocol is affected, the protocol is not available by default. A local process (or user) can trigger use of the protocol, which causes the module to be loaded automatically; the system would then have the vulnerable code loaded and the attack vector opened. To reiterate, it is unlikely that most Linux systems use this protocol and are therefore affected.
Most systems do _NOT_ have this protocol in use by services. This is an infrequently used module, and if you wish to blacklist it, you can follow the steps outlined in https://access.redhat.com/solutions/41278 to blacklist the "rds_tcp" module for the relevant version of Red Hat Enterprise Linux.
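The mitigation described above, as an added example that is not part of this bug report or of the linked Red Hat solution: a small POSIX shell script that checks whether rds_tcp is currently loaded and writes a modprobe.d fragment that stops it from being loaded again. It assumes a modprobe that reads /etc/modprobe.d/*.conf; the file paths are parameters so the functions can be exercised on constructed input.

```shell
#!/bin/sh
# Added example: detect a loaded rds_tcp module and prevent future loading.
# Assumes modprobe reads fragments from /etc/modprobe.d; paths are overridable.

# Return 0 if rds_tcp appears in the modules listing (default: /proc/modules).
rds_tcp_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -q '^rds_tcp[[:space:]]' "$modules_file"
}

# Print the modprobe.d fragment. A "blacklist" line only stops alias-based
# autoloading; the "install ... /bin/false" line also makes an explicit
# load request for the module fail, which covers the request_module()
# path a local process can trigger. Both lines are emitted.
rds_tcp_blacklist_conf() {
    cat <<'EOF'
# Disable RDS over TCP (rds_tcp): not needed on most systems.
blacklist rds_tcp
install rds_tcp /bin/false
EOF
}

# Write the fragment into the given directory (default: /etc/modprobe.d),
# leaving an existing fragment untouched. Returns the path written or found.
rds_tcp_write_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    target="$dir/rds_tcp-blacklist.conf"
    if [ ! -e "$target" ]; then
        rds_tcp_blacklist_conf > "$target"
    fi
    printf '%s\n' "$target"
}
```

A fragment written this way only prevents future loads; a module that is already loaded stays in memory until it is unloaded or the system is rebooted, so check rds_tcp_loaded afterwards.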
This was fixed for Fedora with the 5.0.8 stable kernel updates.