A race condition vulnerability was found in packet_set_ring that can lead to a use-after-free on a function pointer. This vulnerability can be used by a local attacker capable of creating AF_PACKET sockets to gain kernel code execution. This issue was introduced with the following commit: https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a
Acknowledgments: Name: Philip Pettersson
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1401820]
Public via: http://seclists.org/oss-sec/2016/q4/607
Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
Statement: This issue does not affect Red Hat Enterprise Linux 5 and 6. This issue does affect Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future updates for the respective releases will address this issue. In a default or common use of Red Hat Enterprise Linux 7 this issue does not allow an unprivileged local user to elevate their privileges on the system. In order to exploit this issue the attacker needs the CAP_NET_RAW capability, which needs to be granted by the administrator to the attacker's account. Since Red Hat Enterprise Linux 7 does not have unprivileged user namespaces enabled by default, local unprivileged users also cannot abuse namespaces to grant this capability to themselves and elevate their privileges.
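An administrator can check the two preconditions named in the statement above on a given host with a short audit script. This is an added example, not code from Red Hat or from the kernel patch; the function names are hypothetical, and it assumes the kernel exposes the `user.max_user_namespaces` sysctl (kernels that lack it are reported as "unknown").

```shell
#!/bin/sh
# Added example: audit the two preconditions named in the Statement above.
CAP_NET_RAW_BIT=13   # CAP_NET_RAW as numbered in linux/capability.h

# has_cap_net_raw HEXMASK: exit 0 if the capability mask includes CAP_NET_RAW,
# 1 if it does not, 2 if HEXMASK is not a hex string.
has_cap_net_raw() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> CAP_NET_RAW_BIT) & 1 )) -eq 1 ]
}

# userns_limit ROOT: print user.max_user_namespaces as seen under ROOT/proc,
# or "unknown" when this kernel does not expose that sysctl.
userns_limit() {
    f="$1/proc/sys/user/max_user_namespaces"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# list_net_raw_procs ROOT: print "pid uid=N name" for every process whose
# effective capability set (CapEff in /proc/PID/status) has CAP_NET_RAW.
list_net_raw_procs() {
    for s in "$1"/proc/[0-9]*/status; do
        [ -r "$s" ] || continue
        pid=${s%/status}; pid=${pid##*/}
        awk '/^Name:/{n=$2} /^Uid:/{u=$2} /^CapEff:/{c=$2} END{print c, u, n}' \
            "$s" 2>/dev/null | {
            read -r eff uid name || exit 0
            if has_cap_net_raw "$eff"; then echo "$pid uid=$uid $name"; fi
        }
    done
}

# audit: report on the running system (ROOT is empty, so /proc is read).
audit() {
    echo "user.max_user_namespaces = $(userns_limit "") (0: none can be created)"
    echo "Processes holding CAP_NET_RAW (non-root uids deserve a look):"
    list_net_raw_procs ""
    echo "Binaries granted cap_net_raw through file capabilities:"
    if command -v getcap >/dev/null 2>&1; then
        getcap -r / 2>/dev/null | grep -i cap_net_raw || true
    fi
}

# Run the live audit only when asked, e.g.  sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Root-owned processes normally hold every capability and will appear in the process list; the entries that matter for this issue are non-root accounts and binaries that were granted CAP_NET_RAW.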
bump
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2017:0402 https://rhn.redhat.com/errata/RHSA-2017-0402.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0386 https://rhn.redhat.com/errata/RHSA-2017-0386.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0387 https://rhn.redhat.com/errata/RHSA-2017-0387.html