A flaw was found in the way Netlink messages without explicitly set SCM_CREDENTIALS were delivered. If the sender did not provide SCM_CREDENTIALS ancillary data, the kernel passed all-zero SCM_CREDENTIALS to the receiver instead of filling in the correct data from the peer (as is the case with AF_UNIX). Programs that set the SO_PASSCRED option on a Netlink socket and rely on SCM_CREDENTIALS for authentication might accept spoofed messages and perform privileged actions on behalf of an unprivileged attacker.
Introduced in: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=16e57262
Acknowledgements: Red Hat would like to thank Pablo Neira Ayuso for reporting this issue.
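The receiver-side consequence, as an added demonstration that is not code from the advisory or the kernel: a daemon that authenticates root-only requests on SCM_CREDENTIALS sees the all-zero record as uid 0, and a plausibility check on the pid field (no user-space peer has pid 0) is the assumed mitigation shown here. The control buffers are constructed in-process to stand in for what recvmsg() would deliver.

```cpp
// Added demonstration, not the advisory's code: SCM_CREDENTIALS handling on a
// SO_PASSCRED Netlink socket; control buffers are constructed, not from recvmsg().
#include <cstring>
#include <sys/socket.h>
#include <sys/types.h>
// Pull the SCM_CREDENTIALS record out of a received msghdr.
bool extract_creds(struct msghdr *msg, struct ucred *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS &&
            c->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
            std::memcpy(out, CMSG_DATA(c), sizeof *out);
            return true;
        }
    }
    return false;
}
// An all-zero record (pid 0, uid 0, gid 0) is what an affected kernel delivers
// when the sender attached none, and it reads as "root". No user-space peer has
// pid 0, so a receiver authenticating on these fields should refuse it.
bool creds_plausible(const struct ucred &cr)
{
    return cr.pid != 0;
}
// Build a control buffer carrying cr, standing in for what the kernel attaches
// to the received message (constructed demonstration input).
size_t build_control(char *buf, size_t buflen, const struct ucred &cr)
{
    std::memset(buf, 0, buflen);
    struct msghdr m = {};
    m.msg_control = buf; m.msg_controllen = buflen;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof cr);
    std::memcpy(CMSG_DATA(c), &cr, sizeof cr);
    return CMSG_SPACE(sizeof cr);
}
// Decision a privileged Netlink daemon makes for a root-only request:
// true means "trust the sender as root and perform the action".
bool accept_as_root(const struct ucred &peer, bool hardened)
{
    char ctl[CMSG_SPACE(sizeof(struct ucred))];
    struct msghdr msg = {};
    msg.msg_control = ctl; msg.msg_controllen = build_control(ctl, sizeof ctl, peer);
    struct ucred cr;
    if (!extract_creds(&msg, &cr) || cr.uid != 0)
        return false;
    return hardened ? creds_plausible(cr) : true;  // unhardened: zeros pass as root
}
```

On a fixed kernel the record always carries the real peer credentials, so the pid check costs nothing there and only closes the gap on an affected one.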
Statement: This issue did not affect the versions of the Linux kernel shipped with Red Hat Enterprise Linux 5 and 6, as they did not backport the commit that introduced it. Future kernel updates for Red Hat Enterprise MRG 2 may address this issue.
Upstream commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=e0e3cea46d31d23dc40df0a49a7a2c04fe8edfea
Created kernel tracking bugs for this issue.
Affects: fedora-all [bug 850688]
This issue has been addressed in the following products:
MRG for RHEL-6 v.2 via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html