Bug 711245 - (CVE-2011-2189) CVE-2011-2189 kernel: net_ns: oom killer fires because of slow net_ns cleanup
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110216,reported=20110607,sou...
Keywords: Security
Depends On: 711246 711247 711248 749061 761354
Reported: 2011-06-06 19:53 EDT by Eugene Teo (Security Response)
Modified: 2015-07-29 13:47 EDT
Doc Type: Bug Fix
Last Closed: 2015-07-29 08:48:46 EDT
Attachments: None
Description Eugene Teo (Security Response) 2011-06-06 19:53:28 EDT
It was found that vsftpd, the Very Secure FTP daemon, when network namespace (CONFIG_NET_NS) support was activated in the kernel, used to create a new network namespace per connection. A remote attacker could use this flaw to cause memory pressure (causing the kernel OOM killer protection mechanism to be activated and potentially terminating vsftpd or an arbitrary [vsftpd-independent] process that satisfied the OOM killer's process selection algorithm).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095

Public PoC (from [2]):
======================

The test is started in this way:

$ for i in 1 2 3 4 5 6 7 8 ; do ./feedftp $i >/dev/null & done

What is observed during the test is that /proc/vmallocinfo grows continually with lines like the following being added:

0xffffe8ffff800000-0xffffe8ffffa00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
0xffffe8ffffa00000-0xffffe8ffffc00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc
0xffffe8ffffc00000-0xffffe8ffffe00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc

vsftpd bug: https://bugzilla.redhat.com/show_bug.cgi?id=711134

Proposed patch (but it has a connection rate problem):
http://patchwork.ozlabs.org/patch/88217/
Comment 13 Eugene Teo (Security Response) 2011-10-25 21:20:57 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 749061]
Comment 15 Eugene Teo (Security Response) 2011-10-30 08:35:47 EDT
This issue is rated 4.6/AV:L/AC:L/Au:S/C:N/I:N/A:C. AV is L instead of N because this is not a flaw in a network service. It can be triggered by any process that does namespace isolation. Au is S because, to call clone(2) with CLONE_NEWNET, the process has to be privileged (CAP_SYS_ADMIN).

The current /known/ attack vector, vsftpd, does not affect us as it is explained here, https://bugzilla.redhat.com/show_bug.cgi?id=711134#c16.
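The mechanism in the description (a daemon asking the kernel for a fresh network namespace on every connection, faster than the kernel could tear them down, visible as pcpu_get_vm_areas entries piling up in /proc/vmallocinfo) and the point in comment 15 (creating one needs CAP_SYS_ADMIN) can both be exercised with the C program below. It is an added example, not code from this bug, from the Launchpad PoC, from vsftpd or from the kernel; the PoC's feedftp script is not on this page and is not reproduced. The program first probes whether it may create a network namespace at all (unshare(CLONE_NEWNET) here, the same kernel path as vsftpd's clone(2) call), then creates and immediately discards a number of namespaces and counts the pcpu_get_vm_areas entries in /proc/vmallocinfo before and after. The names read_whole_file, count_pcpu_areas and try_new_netns are chosen here; SAMPLE_VMALLOCINFO is a constructed sample made from the three entries quoted above plus one made-up filler entry. Reading /proc/vmallocinfo itself requires root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000   /* value from <linux/sched.h>; fallback only */
#endif
extern int unshare(int flags);    /* explicit prototype in case _GNU_SOURCE was set too late */

/* Constructed sample in /proc/vmallocinfo format: the three entries quoted in the
 * PoC above plus one unrelated filler entry with a made-up caller name. */
static const char SAMPLE_VMALLOCINFO[] =
    "0xffffe8ffff800000-0xffffe8ffffa00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc\n"
    "0xffffc90000000000-0xffffc90000002000    8192 some_other_caller+0x0/0x10 vmalloc\n"
    "0xffffe8ffffa00000-0xffffe8ffffc00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc\n"
    "0xffffe8ffffc00000-0xffffe8ffffe00000 2097152 pcpu_get_vm_areas+0x0/0x790 vmalloc\n";

static int line_contains(const char *line, size_t len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(line + i, needle, nl) == 0) return 1;
    return 0;
}

/* Count vmallocinfo entries allocated by pcpu_get_vm_areas (the per-cpu chunks
 * each new net namespace costs) and sum their sizes. Lines look like
 *   0xSTART-0xEND SIZE pcpu_get_vm_areas+0x0/0x790 vmalloc
 * A trailing "vmalloc" on its own line (as in the wrapped PoC quote) is ignored. */
static long count_pcpu_areas(const char *text, unsigned long long *bytes)
{
    long n = 0;
    unsigned long long total = 0, start, end, size;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (line_contains(p, len, "pcpu_get_vm_areas") &&
            sscanf(p, "0x%llx-0x%llx %llu", &start, &end, &size) == 3) {
            n++;
            total += size;
        }
        p = eol ? eol + 1 : p + len;
    }
    if (bytes) *bytes = total;
    return n;
}

/* Read a whole file (here /proc/vmallocinfo, mode 0400) into a malloc'd buffer; NULL on error. */
static char *read_whole_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 1 << 16, len = 0, r;
    char *buf = malloc(cap);
    while (buf && (r = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += r;
        if (len + 1 >= cap) {
            cap *= 2;
            char *nb = realloc(buf, cap);
            if (!nb) free(buf);
            buf = nb;
        }
    }
    fclose(f);
    if (buf) buf[len] = '\0';
    return buf;
}

/* Probe whether this process may create a network namespace. Done in a child so the
 * caller's own namespace is untouched. Returns 0 on success, EPERM without
 * CAP_SYS_ADMIN, EINVAL when the kernel lacks CONFIG_NET_NS, -1 if fork/wait failed. */
static int try_new_netns(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWNET) == 0) _exit(0);
        _exit(errno & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    int iterations = argc > 1 ? atoi(argv[1]) : 500;
    unsigned long long b0 = 0, b1 = 0;
    char *snap = read_whole_file("/proc/vmallocinfo");
    long n0 = snap ? count_pcpu_areas(snap, &b0) : -1;
    free(snap);

    int rc = try_new_netns();
    if (rc != 0) {
        fprintf(stderr, "cannot create a net namespace: %s\n", rc < 0 ? "fork failed" : strerror(rc));
        return 1;
    }
    /* Each child exits at once, so each namespace becomes garbage immediately; on the
     * affected kernels the asynchronous cleanup could not keep up with this rate. */
    for (int i = 0; i < iterations && try_new_netns() == 0; i++)
        ;

    snap = read_whole_file("/proc/vmallocinfo");
    long n1 = snap ? count_pcpu_areas(snap, &b1) : -1;
    free(snap);
    printf("pcpu_get_vm_areas entries: %ld -> %ld (%llu -> %llu bytes); -1 means vmallocinfo unreadable\n",
           n0, n1, b0, b1);
    return 0;
}
```

Run it as root (for /proc/vmallocinfo) with the iteration count as the only argument; an unprivileged run stops at the probe with EPERM, which is exactly the CAP_SYS_ADMIN requirement comment 15 uses to justify Au:S, and EINVAL means the kernel was built without CONFIG_NET_NS, the case comment 17 gives for RHEL 4 and 5. A count that stays elevated after all children have exited shows cleanup lagging behind creation.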
Comment 17 Eugene Teo (Security Response) 2011-11-10 23:53:02 EST
[Updated: 2011-11-11]
 
Statement:

This did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not include support for Network Namespaces. A future kernel update in Red Hat Enterprise MRG may address this issue. The risks associated with fixing this flaw outweigh the benefits of the fix, therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 6.
