Bug 1517220 (CVE-2017-16939) - CVE-2017-16939 Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation
Summary: CVE-2017-16939 Kernel: ipsec: xfrm: use-after-free leading to potential privi...
Status: CLOSED ERRATA
Alias: CVE-2017-16939
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20171124,repo...
Keywords: Security
Depends On: 1517221 1517284 1517287 1517288 1517289 1517290 1517291 1517292 1517293 1555182 1695831
Blocks: 1517157
TreeView+ depends on / blocked
 
Reported: 2017-11-24 10:51 UTC by Prasad J Pandit
Modified: 2019-06-11 11:13 UTC (History)
44 users (show)

(edit)
The Linux kernel is vulerable to a use-after-free flaw when Transformation User configuration interface(CONFIG_XFRM_USER) compile-time configuration were enabled. This vulnerability occurs while closing a xfrm netlink socket in xfrm_dump_policy_done. A user/process could  abuse this flaw to potentially escalate their privileges on a system.
Clone Of:
(edit)
Last Closed: 2019-06-08 03:32:04 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1318 None None None 2018-05-08 18:25 UTC
Red Hat Product Errata RHSA-2018:1355 None None None 2018-05-08 22:24 UTC
Red Hat Product Errata RHSA-2019:1170 None None None 2019-05-14 19:08 UTC
Red Hat Product Errata RHSA-2019:1190 None None None 2019-05-14 20:26 UTC

Description Prasad J Pandit 2017-11-24 10:51:02 UTC
Linux kernel built with the Transformation User configuration
interface(CONFIG_XFRM_USER) is vulnerable to a use-after-free
issue. It could occur while closing a xfrm netlink socket,
in xfrm_dump_policy_done.

A user/process could use this flaw to potentially escalate their
privileges on a system.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/11/24/3
  -> https://blogs.securiteam.com/index.php/archives/3535

Comment 1 Prasad J Pandit 2017-11-24 10:52:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1517221]

Comment 2 Prasad J Pandit 2017-11-24 13:48:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1517284]

Comment 7 Eric Christensen 2017-12-04 15:19:21 UTC
Statement:

This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.

This issue affects the version of the kernel package as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2 may address this issue.

Comment 12 errata-xmlrpc 2018-05-08 18:25:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1318 https://access.redhat.com/errata/RHSA-2018:1318

Comment 13 errata-xmlrpc 2018-05-08 22:24:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1355 https://access.redhat.com/errata/RHSA-2018:1355

Comment 15 errata-xmlrpc 2019-05-14 19:08:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1170

Comment 16 errata-xmlrpc 2019-05-14 20:26:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:1190


Note You need to log in before you can comment on or make changes to this bug.