An out-of-bounds read vulnerability in function icmp6_send_echoreply() in ip6_icmp.c of libslirp could allow a guest user/process to leak contents of the host memory, leading to possible information disclosure.
OpenShift 4 packages slirp4netns which vendors in libslirp v4.1.0. Additionally have checked that the code, ip6_icmp.c, does contain the vulnerable memcpy.
While processing an incoming ICMPv6 echo request, function icmp6_send_echoreply() does not validate the IPv6 payload length (ip->ip_pl) which is then used as the size of memcpy() to create the destination packet. A malicious user could be able to trick memcpy() into copying more data than allowed, thus potentially leaking the contents of the host memory.
Lowering impact for OpenShift to Low. The library slirp4netns is a dependency of podman, however podman doesn't set the --enable-ipv6 flag, leaving the affected state tho as we still ship the code and don't know if it will be enabled in future.
Acknowledgments: Name: Ziming Zhang (Qi An Xin Group), VictorV (360 Vulcan Team)
Created libslirp tracking bugs for this issue: Affects: epel-8 [bug 1842567] Affects: fedora-all [bug 1842566] Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1842565]
Upstream fix: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
hello, Mauro Matteo Cascella Do we have this CVE's reproducer? Thanks,
In reply to comment #40: > hello, Mauro Matteo Cascella > > Do we have this CVE's reproducer? Thanks, Yes, we do have a private reproducer for this issue. Please contact me directly via IRC or email.
External References: https://www.zerodayinitiative.com/advisories/ZDI-20-1005/
This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.2.1 Via RHSA-2020:3586 https://access.redhat.com/errata/RHSA-2020:3586
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10756
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4059 https://access.redhat.com/errata/RHSA-2020:4059
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4694 https://access.redhat.com/errata/RHSA-2020:4694
Statement: This flaw did not affect the versions of SLiRP embedded in `qemu-kvm` as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for ICMPv6, which was introduced in a later version of the package. OpenShift 4.x packages slirp4netns as a dependency of podman however podman doesn't set the --enable-ipv6 flag. Hence the impact has been reduced to low, as the code is still being packaged and podman might decide to enable IPv6 in future. In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP qemu-kvm-rhev package.