Bug 642896 (CVE-2010-3904) - CVE-2010-3904 kernel: RDS sockets local privilege escalation
Summary: CVE-2010-3904 kernel: RDS sockets local privilege escalation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3904
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 642897 642898 642899 642900 645252 645305
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-10-14 04:09 UTC by Eugene Teo (Security Response)
Modified: 2023-05-11 15:10 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 09:15:28 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0792 0 normal SHIPPED_LIVE Important: kernel security update 2010-10-25 18:44:06 UTC
Red Hat Product Errata RHSA-2010:0842 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-11-22 19:34:20 UTC

Description Eugene Teo (Security Response) 2010-10-14 04:09:01 UTC
Description of problem:
The handling functions for sending and receiving messages, in rds_page_copy_user(), use the unchecked __copy_*_user_inatomic functions without any access checks on user-provided pointers.  As a result, by passing a kernel address as an iovec base address in recvmsg-style calls, a local user can overwrite arbitrary kernel memory, which can easily be used to escalate privileges to root.

Introduced via 7875e18e (v2.6.30-rc1).

Acknowledgements:

Red Hat would like to thank Dan Rosenberg of Virtual Security Research for reporting this issue.

Comment 3 Eugene Teo (Security Response) 2010-10-14 04:14:22 UTC
Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG did not include support for the RDS Protocol, and therefore are not affected by this issue. Updates for Red Hat Enterprise Linux 5 and 6 are available to address this flaw.

Mitigation:

For users that do not run applications that use RDS, you can prevent the rds module from being loaded by adding the following entry to the end of the /etc/modprobe.d/blacklist file:

blacklist rds

This way, the rds module cannot be loaded accidentally, which may occur if an application that requires RDS is started. A reboot is not necessary for this change to take effect but do make sure the module is not loaded in the first place. You can verify that by running:

lsmod | grep rds

You may also consider removing the CAP_SYS_MODULE capability from the current global capability set to prevent kernel modules from being loaded or unloaded. The CAP_SYS_MODULE has a capability number of 16 (see linux/capability.h). The default value has all the bits set. To remove this capability, you have to clear the 16th bit of the default 32-bit value, e.g. 0xffffff ^ (1 << 16):

echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

Comment 8 Eugene Teo (Security Response) 2010-10-20 01:43:57 UTC
Public advisory:
http://www.vsecurity.com/resources/advisory/20101019-1/

Upstream commit:
http://git.kernel.org/linus/799c10559d60f159ab2232203f222f18fa3c4a5f

Comment 10 Leif Nixon 2010-10-20 07:34:18 UTC
Excuse me, isn't this trivially exploitable on RHEL 5?

Doesn't that warrant a prompt kernel update?

Comment 11 Eugene Teo (Security Response) 2010-10-20 08:36:12 UTC
(In reply to comment #10)
> Excuse me, isn't this trivially exploitable on RHEL 5?
> 
> Doesn't that warrant a prompt kernel update?

If you are unable to perform the mitigation steps, please contact Red Hat Support for a hotfix. We are planning to get this addressed in Red Hat Enterprise Linux 5 soon. Thanks.

Comment 12 Vincent Danen 2010-10-22 01:00:25 UTC
Noting Fedora tracking bugs created elsewhere:

CVE-2010-3904 Affects: Fedora 12/13 [bug #645252]
CVE-2010-3904 Affects: Fedora 14 [bug #645305]

Comment 13 Matthew Ife 2010-10-22 07:59:56 UTC
This does not work on most domains confined by SELinux, including RBAC enabled users such as staff_t and user_t, because it relies on having access to the system map / kallsyms which is a restricted file and/or "create" access on sockets which is typically not supplied in most confinements.

Comment 14 errata-xmlrpc 2010-10-25 18:44:12 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0792 https://rhn.redhat.com/errata/RHSA-2010-0792.html

Comment 15 errata-xmlrpc 2010-11-10 19:09:23 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 16 errata-xmlrpc 2010-11-22 19:35:22 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html


Note You need to log in before you can comment on or make changes to this bug.