Red Hat Bugzilla – Bug 711245
CVE-2011-2189 kernel: net_ns: oom killer fires because of slow net_ns cleanup
Last modified: 2015-07-29 13:47:29 EDT
It was found that vsftpd, Very Secure FTP daemon, when the network namespace (CONFIG_NET_NS) support was activated in the kernel, used to create a new network namespace per connection. A remote attacker could use this flaw to cause memory pressure (kernel OOM killer protection mechanism to be activated and potentially terminate vsftpd or arbitrary [vsftpd independent] process, which satisfied the OOM killer process selection algorithm).
Public PoC (from ):
The test is started in this way:
$ for i in 1 2 3 4 5 6 7 8 ; do ./feedftp $i >/dev/null & done
What is observed during the test is that /proc/vmallocinfo grows continually with lines like the following being added:
0xffffe8ffff800000-0xffffe8ffffa00000 2097152 pcpu_get_vm_areas+0x0/0x790
0xffffe8ffffa00000-0xffffe8ffffc00000 2097152 pcpu_get_vm_areas+0x0/0x790
0xffffe8ffffc00000-0xffffe8ffffe00000 2097152 pcpu_get_vm_areas+0x0/0x790
vsftpd bug: https://bugzilla.redhat.com/show_bug.cgi?id=711134
Proposed patches (but has connection rates problem):
Created kernel tracking bugs for this issue
Affects: fedora-all [bug 749061]
This issue is rated 4.6/AV:L/AC:L/Au:S/C:N/I:N/A:C. AV is L instead of N because this is not a flaw in a network service. It can be triggered by any processes that do namespaces isolation. Au is S because to call clone(2) with CLONE_NEWNET, the process has to be privileged (CAP_SYS_ADMIN).
The current /known/ attack vector, vsftpd, does not affect us as it is explained here, https://bugzilla.redhat.com/show_bug.cgi?id=711134#c16.
This did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not include support for Network Namespaces. A future kernel update in Red Hat Enterprise MRG may address this issue. The risks associated with fixing this flaw outweigh the benefits of the fix, therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 6.