A flaw was found in the way Netlink messages sent without explicitly attached SCM_CREDENTIALS ancillary data were delivered. If the sender did not supply such data, the kernel passed an all-zero SCM_CREDENTIALS record (pid 0, uid 0, gid 0) to the receiver instead of filling in the sender's real credentials, as is the case with AF_UNIX sockets. Programs that set the SO_PASSCRED option on a Netlink socket and rely on the received SCM_CREDENTIALS for authentication could therefore accept spoofed messages that appear to come from root and perform privileged actions on behalf of an unprivileged local attacker.
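The following C code is added here as an illustration; it is not part of the Red Hat advisory or of the kernel fix. It shows the receiver side of the flaw: a SO_PASSCRED consumer that extracts SCM_CREDENTIALS from a received message and decides whether to honour a privileged request. On an affected kernel a sender that attaches no credentials is delivered as {pid=0, uid=0, gid=0}, which a naive "uid == 0" check accepts. The added check refuses any record with pid 0, on the assumption (stated in the comments) that no userspace sender ever has PID 0, so an all-zero record can only be the kernel's placeholder. This is a defensive measure for programs that must keep running on unpatched kernels, not a replacement for the kernel update. The control buffers are constructed in memory rather than read from a live socket, so the check can be exercised without Netlink access; receive_and_authorize() shows the equivalent live recvmsg() flow.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Copy the first SCM_CREDENTIALS record out of a received message.
 * Returns 1 if one was present, 0 otherwise. */
int parse_scm_creds(struct msghdr *msg, struct ucred *out)
{
    struct cmsghdr *cm;
    for (cm = CMSG_FIRSTHDR(msg); cm != NULL; cm = CMSG_NXTHDR(msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDENTIALS
            && cm->cmsg_len >= CMSG_LEN(sizeof(struct ucred))) {
            memcpy(out, CMSG_DATA(cm), sizeof(*out));
            return 1;
        }
    }
    return 0;
}

/* Assumed mitigation: on an affected kernel, a sender that attached no
 * SCM_CREDENTIALS is delivered as {0, 0, 0}.  No userspace process has
 * PID 0, so a record with pid 0 is never a genuine sender and must not be
 * used to grant anything. */
int creds_are_plausible(const struct ucred *c)
{
    return c->pid != 0;
}

/* Returns 1 when the message may perform a privileged (root-only) action.
 * The vulnerable form of this function would test only c.uid == 0. */
int authorize_privileged(struct msghdr *msg)
{
    struct ucred c;
    if (!parse_scm_creds(msg, &c))
        return 0;                /* SO_PASSCRED set but nothing delivered */
    if (!creds_are_plausible(&c))
        return 0;                /* all-zero placeholder: treat as unauthenticated */
    return c.uid == 0;
}

/* Lay out a control buffer exactly as the kernel would for a SO_PASSCRED
 * receiver.  Constructed test input; ctrl_len must be at least
 * CMSG_SPACE(sizeof(struct ucred)). */
void build_creds_msg(struct msghdr *msg, char *ctrl, size_t ctrl_len,
                     const struct ucred *c)
{
    struct cmsghdr *cm;
    memset(msg, 0, sizeof(*msg));
    memset(ctrl, 0, ctrl_len);
    msg->msg_control = ctrl;
    msg->msg_controllen = ctrl_len;
    cm = CMSG_FIRSTHDR(msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_CREDENTIALS;
    cm->cmsg_len = CMSG_LEN(sizeof(struct ucred));
    memcpy(CMSG_DATA(cm), c, sizeof(*c));
}

/* Hypothetical helper: build a message carrying the given credentials and
 * return the authorization verdict for it. */
int check_case(pid_t pid, uid_t uid, gid_t gid)
{
    char ctrl[CMSG_SPACE(sizeof(struct ucred))];
    struct msghdr msg;
    struct ucred c = { .pid = pid, .uid = uid, .gid = gid };
    build_creds_msg(&msg, ctrl, sizeof ctrl, &c);
    return authorize_privileged(&msg);
}

/* A message with no ancillary data at all must not authenticate. */
int empty_msg_has_creds(void)
{
    struct msghdr msg;
    struct ucred c;
    memset(&msg, 0, sizeof msg);
    return parse_scm_creds(&msg, &c);
}

/* Live variant (not run by the tests): enable SO_PASSCRED on a Netlink
 * socket fd, receive one datagram and return the verdict. */
int receive_and_authorize(int fd, char *payload, size_t payload_len)
{
    int one = 1;
    char ctrl[CMSG_SPACE(sizeof(struct ucred))];
    struct iovec iov = { .iov_base = payload, .iov_len = payload_len };
    struct msghdr msg;
    if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof one) < 0)
        return -1;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof ctrl;
    if (recvmsg(fd, &msg, 0) < 0)
        return -1;
    return authorize_privileged(&msg);
}

int main(void)
{
    printf("all-zero record (unpatched kernel, no creds sent): %d\n", check_case(0, 0, 0));
    printf("genuine root sender:                               %d\n", check_case(4242, 0, 0));
    printf("genuine unprivileged sender:                       %d\n", check_case(4242, 1000, 1000));
    return 0;
}
```

Note that the Netlink source address (nl_pid in struct sockaddr_nl) is chosen by the sender and is equally unsuitable as an authentication token; only the SCM_CREDENTIALS filled in by a fixed kernel identify the peer.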
Red Hat would like to thank Pablo Neira Ayuso for reporting this issue.
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and 6 as they did not backport the commit that introduced this issue. Future kernel updates for Red Hat Enterprise MRG 2 may address this issue.
Created kernel tracking bugs for this issue
Affects: fedora-all [bug 850688]
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html