1856774 – (CVE-2020-14353) CVE-2020-14353 kernel: keys: for keyctl prevent creating a different user's keyrings in RHEL-6.10

Bug 1856774 (CVE-2020-14353) - CVE-2020-14353 kernel: keys: for keyctl prevent creating a different user's keyrings in RHEL-6.10

Summary: CVE-2020-14353 kernel: keys: for keyctl prevent creating a different user's k...

Keywords:
Status:	CLOSED DUPLICATE of bug 1580979
Alias:	CVE-2020-14353
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1775606
TreeView+	depends on / blocked

Reported:	2020-07-14 12:38 UTC by Alex
Modified:	2021-02-16 19:41 UTC (History)
CC List:	29 users (show)
Fixed In Version:	rhel-7.5 that is kernel-3.10.0-794.el7 and all higher
Doc Type:	If docs needed, set a value
Doc Text:	A keys creation with an incorrect permissions flaw was found in the Linux kernel’s keyctl subsystem. This flaw allows a local user to create user session keyrings for another user. The highest threat from this vulnerability is to integrity.
Clone Of:
Environment:
Last Closed:	2020-07-14 13:28:03 UTC
Embargoed:

Attachments	(Terms of Use)

Description Alex 2020-07-14 12:38:29 UTC

Unprivileged user can create (using keyctl) user session keyrings for another user. This is problematic because these "fake" keyrings won't have the right permissions. In particular, the user who created them first will own them and will have full access to them via the possessor permissions, which can be used to compromise the security of a user's keys.

Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=237bbd29f7a049d310d907f4b2716a7feef9abf3

If being used by root-level processes, then could be used securely without possibility of leaking keys between users
(see http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003318.html ),
so likely this is the task for modules and programs (for rhel6) to use keyctl kernel functionality securely (the implicit creation method) without such usage of user-space keyring keys.

Comment 1 Alex 2020-07-14 12:38:35 UTC

Acknowledgments:

Name: Eric Biggers (Google)

Comment 3 Alex 2020-07-14 12:38:41 UTC

External References:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=237bbd29f7a049d310d907f4b2716a7feef9abf3
http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003318.html

Comment 9 Salvatore Bonaccorso 2020-08-07 07:40:02 UTC

The CVE assigned here seem a duplicate of the already assigned CVE-2017-18270.

Comment 11 Petr Matousek 2020-08-12 12:06:00 UTC

(In reply to Salvatore Bonaccorso from comment #9)
> The CVE assigned here seem a duplicate of the already assigned
> CVE-2017-18270.

Salvatore, it is, indeed. thank you for the heads up!

*** This bug has been marked as a duplicate of bug 1580979 ***

Comment 18 Alex 2020-08-13 11:59:34 UTC

Statement:

This flaw was found to be a duplicate of CVE-2017-18270. Please see https://access.redhat.com/security/cve/CVE-2017-18270 for information about affected products and security errata.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
bhu
blc
bmasney
brdeoliv
carnil
dhoward
dvlasenk
esammons
fhrbata
hkrzesin
iboverma
jlelli
jross
jshortt
jstancek
kcarcia
kernel-mgr
lgoncalv
matt
mcressma
mlangsdo
nmurray
pmatouse
ptalbert
qzhao
rt-maint
rvrbovsk
williams