It was found that vsftpd, the Very Secure FTP daemon, when network namespace (CONFIG_NET_NS) support was activated in the kernel, used to create a new network namespace per connection. A remote attacker could use this flaw to cause memory pressure (the kernel OOM killer protection mechanism to be activated and potentially terminate vsftpd or an arbitrary [vsftpd-independent] process which satisfied the OOM killer process selection algorithm).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095

Public PoC (from [2]):
======================

The test is started in this way:

$ for i in 1 2 3 4 5 6 7 8 ; do ./feedftp $i >/dev/null & done

What is observed during the test is that /proc/vmallocinfo grows continually, with lines like the following being added:

0xffffe8ffff800000-0xffffe8ffffa00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
0xffffe8ffffa00000-0xffffe8ffffc00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
0xffffe8ffffc00000-0xffffe8ffffe00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc

vsftpd bug:
https://bugzilla.redhat.com/show_bug.cgi?id=711134

Proposed patches (but they have a connection rate problem):
http://patchwork.ozlabs.org/patch/88217/
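As an added illustration (not part of the bug report or of the PoC), a small Python monitor that parses two /proc/vmallocinfo snapshots and reports how much the per-cpu (pcpu_get_vm_areas) vmalloc area grew between them, which is exactly the growth the PoC above observes. The "before" snapshot and the alloc_large_system_hash line are constructed; the three pcpu lines are the ones quoted above.

```python
import re
from collections import defaultdict

# One /proc/vmallocinfo mapping: "0x<start>-0x<end> <bytes> <caller> [flags...]"
LINE_RE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+(\d+)\s+(\S+)")

# Constructed "before" snapshot: one unrelated mapping plus a single per-cpu chunk.
SNAP_BEFORE = """\
0xffffc90000000000-0xffffc90000003000 12288 alloc_large_system_hash+0x0/0x1f0 pages=2 vmalloc
0xffffe8ffff800000-0xffffe8ffffa00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
"""
# "After" snapshot: the same unrelated mapping plus the three pcpu lines quoted in the report.
SNAP_AFTER = """\
0xffffc90000000000-0xffffc90000003000 12288 alloc_large_system_hash+0x0/0x1f0 pages=2 vmalloc
0xffffe8ffff800000-0xffffe8ffffa00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
0xffffe8ffffa00000-0xffffe8ffffc00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
0xffffe8ffffc00000-0xffffe8ffffe00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
"""

def parse_vmallocinfo(text):
    """Aggregate mappings per calling function: {caller: (count, total_bytes)}.
    The "+0x.../0x..." symbol offset is dropped so all chunks of one caller group together."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line: ignore rather than fail
        caller = m.group(4).split("+", 1)[0]
        totals[caller][0] += 1
        totals[caller][1] += int(m.group(3))
    return {k: tuple(v) for k, v in totals.items()}

def pcpu_growth(before, after, caller="pcpu_get_vm_areas"):
    """Return (new_chunks, new_bytes) for `caller` between two snapshots."""
    b = parse_vmallocinfo(before).get(caller, (0, 0))
    a = parse_vmallocinfo(after).get(caller, (0, 0))
    return a[0] - b[0], a[1] - b[1]

def should_alert(before, after, max_new_bytes):
    """True when the per-cpu vmalloc area grew by more than max_new_bytes between snapshots."""
    return pcpu_growth(before, after)[1] > max_new_bytes

if __name__ == "__main__":
    # In production, read /proc/vmallocinfo twice, one polling interval apart.
    chunks, nbytes = pcpu_growth(SNAP_BEFORE, SNAP_AFTER)
    print(f"pcpu_get_vm_areas: +{chunks} chunks, +{nbytes} bytes")
```

A steady rise in this counter while the FTP connection rate is high is the symptom to watch for; per-cpu chunks are normally allocated rarely and stay flat.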
Created kernel tracking bugs for this issue.

Affects: fedora-all [bug 749061]
This issue is rated 4.6/AV:L/AC:L/Au:S/C:N/I:N/A:C. AV is L instead of N because this is not a flaw in a network service. It can be triggered by any process that does namespace isolation. Au is S because to call clone(2) with CLONE_NEWNET, the process has to be privileged (CAP_SYS_ADMIN). The current /known/ attack vector, vsftpd, does not affect us, as explained here: https://bugzilla.redhat.com/show_bug.cgi?id=711134#c16.
[Updated: 2011-11-11] Statement: This did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as they did not include support for Network Namespaces. A future kernel update in Red Hat Enterprise MRG may address this issue. The risks associated with fixing this flaw outweigh the benefits of the fix; therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 6.