Bug 1435153 (CVE-2017-7184) - CVE-2017-7184 kernel: Out-of-bounds heap access in xfrm
Summary: CVE-2017-7184 kernel: Out-of-bounds heap access in xfrm
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7184
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1435670 1435671 1435672 1435673 1435674 1435675 1435676 1435682 1437469 1725184
Blocks: 1435159
TreeView+ depends on / blocked
 
Reported: 2017-03-23 09:45 UTC by Adam Mariš
Modified: 2021-02-17 02:25 UTC (History)
38 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:09:25 UTC
Embargoed:

Attachments (Terms of Use)
Proposed patch (1.89 KB, patch)
2017-03-23 09:51 UTC, Adam Mariš 		no flags Details | Diff
Proposed patch pt. 2 (1.88 KB, patch)
2017-03-23 10:25 UTC, Adam Mariš 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2998091 0 None None None 2017-04-11 03:13:06 UTC
Red Hat Product Errata RHSA-2017:2918 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-10-19 17:24:24 UTC
Red Hat Product Errata RHSA-2017:2930 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-10-19 18:47:35 UTC
Red Hat Product Errata RHSA-2017:2931 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-10-19 18:48:35 UTC
Red Hat Product Errata RHSA-2019:4159 0 None None None 2019-12-10 11:58:25 UTC

Description Adam Mariš 2017-03-23 09:45:07 UTC 
Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from unprivileged user leads to arbitrary read/write and privilege escalation.

Public disclosure on oss-security:

http://openwall.com/lists/oss-security/2017/03/29/2

http://seclists.org/oss-sec/2017/q1/689

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df
Comment 1 Adam Mariš 2017-03-23 09:51:58 UTC 
Created attachment 1265661 [details]
Proposed patch
Comment 3 Adam Mariš 2017-03-23 10:04:10 UTC 
Acknowledgments:

Name: Chaitin Security Research Lab
Comment 5 Adam Mariš 2017-03-23 10:25:23 UTC 
Created attachment 1265674 [details]
Proposed patch pt. 2
Comment 7 Vladis Dronov 2017-03-24 13:50:58 UTC 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 as the code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. In a default or common use of Red Hat Enterprise Linux 7 and MRG-2 this issue does not allow an unprivileged local or remote user to elevate their privileges on the system.

In order to exploit this issue the attacker needs CAP_NET_ADMIN capability, which needs to be granted especially by the administrator to the attacker's process. This in turn requires granting CAP_NET_ADMIN capability to the process' binary and/or attacker's account.

Another possibility to obtain CAP_NET_ADMIN capability in Red Hat Enterprise Linux 7 for an attacker is running a process inside a user+network namespace with mapped root privileges inside the namespace. Since Red Hat Enterprise Linux 7 does not have unprivileged user namespaces enabled by default, local or remote unprivileged users also cannot abuse namespaces to grant this capability to themselves and elevate their privileges.

Given the severity of this issue, future Linux kernel updates for the Red Hat Enterprise Linux 7 and MRG-2 products are planned to address it.
Comment 13 Vladis Dronov 2017-03-30 11:41:23 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1437469]
Comment 16 errata-xmlrpc 2017-10-19 13:25:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2918
Comment 17 errata-xmlrpc 2017-10-19 15:05:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2930
Comment 18 errata-xmlrpc 2017-10-19 15:09:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2931 https://access.redhat.com/errata/RHSA-2017:2931
Comment 20 errata-xmlrpc 2019-12-10 11:58:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:4159 https://access.redhat.com/errata/RHSA-2019:4159
Note You need to log in before you can comment on or make changes to this bug.