Bug 1856774 (CVE-2020-14353) - CVE-2020-14353 kernel: keys: for keyctl prevent creating a different user's keyrings in RHEL-6.10
Summary: CVE-2020-14353 kernel: keys: for keyctl prevent creating a different user's k...
Keywords:
Status: CLOSED DUPLICATE of bug 1580979
Alias: CVE-2020-14353
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1775606
TreeView+ depends on / blocked
 
Reported: 2020-07-14 12:38 UTC by Alex
Modified: 2021-02-16 19:41 UTC (History)
29 users (show)

Fixed In Version: rhel-7.5 that is kernel-3.10.0-794.el7 and all higher
Doc Type: If docs needed, set a value
Doc Text:
A keys creation with an incorrect permissions flaw was found in the Linux kernel’s keyctl subsystem. This flaw allows a local user to create user session keyrings for another user. The highest threat from this vulnerability is to integrity.
Clone Of:
Environment:
Last Closed: 2020-07-14 13:28:03 UTC


Attachments (Terms of Use)

Description Alex 2020-07-14 12:38:29 UTC
Unprivileged user can create (using keyctl) user session keyrings for another user. This is problematic because these "fake" keyrings won't have the right permissions. In particular, the user who created them first will own them and will have full access to them via the possessor permissions, which can be used to compromise the security of a user's keys.

Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=237bbd29f7a049d310d907f4b2716a7feef9abf3

If being used by root-level processes, then could be used securely without possibility of leaking keys between users
(see http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003318.html ),
so likely this is the task for modules and programs (for rhel6) to use keyctl kernel functionality securely (the implicit creation method) without such usage of user-space keyring keys.

Comment 1 Alex 2020-07-14 12:38:35 UTC
Acknowledgments:

Name: Eric Biggers (Google)

Comment 9 Salvatore Bonaccorso 2020-08-07 07:40:02 UTC
The CVE assigned here seem a duplicate of the already assigned CVE-2017-18270.

Comment 11 Petr Matousek 2020-08-12 12:06:00 UTC
(In reply to Salvatore Bonaccorso from comment #9)
> The CVE assigned here seem a duplicate of the already assigned
> CVE-2017-18270.

Salvatore, it is, indeed. thank you for the heads up!

*** This bug has been marked as a duplicate of bug 1580979 ***

Comment 18 Alex 2020-08-13 11:59:34 UTC
Statement:

This flaw was found to be a duplicate of CVE-2017-18270. Please see https://access.redhat.com/security/cve/CVE-2017-18270 for information about affected products and security errata.


Note You need to log in before you can comment on or make changes to this bug.