A security flaw was found in the chap_server_compute_md5() function in the iSCSI target code in the Linux kernel, in the way an authentication request from an iSCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. An attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on the compiler, compile flags and hardware architecture), an attack may lead to a system crash and thus to a denial of service, or possibly to unauthorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely.

References:
https://seclists.org/oss-sec/2018/q3/270

Upstream patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1816494330a8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c39e2699f8a

Acknowledgments: Name: Vincent Pelletier
Note: The current kernels as shipped in Red Hat's products are not vulnerable to this flaw due to a certain layout of local variables on the stack of the chap_server_compute_md5() function. Namely, this buffer overflow does not overwrite anything meaningful and so does not have a security impact. Nevertheless, this may not be true for future kernel versions. For this reason this flaw is rated as Moderate and is planned to be fixed in future versions of Red Hat's products.
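
The flaw described above is a decoded authentication response landing in a fixed-size stack buffer with no length check. As an added example (user-space C written for this page, not the kernel's code and not the upstream patch), the decoder below rejects any response that is not exactly 32 hex digits before writing anything, and a harness confirms that 17 guard bytes placed after the buffer stay untouched. `DIGEST_LEN`, `GUARD_LEN`, `decode_chap_response` and `guards_intact_after` are hypothetical names, the 16-byte buffer size assumes an MD5 digest, and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16   /* MD5 digest size in bytes (assumed buffer size) */
#define GUARD_LEN  17   /* matches the "up to 17 bytes" stated on this page */

/* Map one hex character to its value, or -1 if it is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex response into out[DIGEST_LEN]. Returns 0 on success, -1 if the
 * input is not exactly 2*DIGEST_LEN hex digits. No trailing NUL is written. */
int decode_chap_response(const char *hex, unsigned char out[DIGEST_LEN])
{
    unsigned char tmp[DIGEST_LEN];
    size_t i;

    if (hex == NULL || strlen(hex) != 2 * DIGEST_LEN)
        return -1;                       /* length check before any write */
    for (i = 0; i < DIGEST_LEN; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;                   /* malformed digit: reject everything */
        tmp[i] = (unsigned char)((hi << 4) | lo);
    }
    memcpy(out, tmp, DIGEST_LEN);        /* commit only a fully valid digest */
    return 0;
}

/* Decode into a buffer followed by guard bytes; returns 1 if guards survive. */
int guards_intact_after(const char *hex, int *rc)
{
    struct { unsigned char digest[DIGEST_LEN]; unsigned char guard[GUARD_LEN]; } f;
    size_t i;

    memset(&f, 0xA5, sizeof(f));
    *rc = decode_chap_response(hex, f.digest);
    for (i = 0; i < GUARD_LEN; i++)
        if (f.guard[i] != 0xA5) return 0;
    return 1;
}

int main(void)
{   /* constructed oversized input: 64 hex digits, twice what the buffer holds */
    int rc, ok = guards_intact_after("00112233445566778899aabbccddeeff"
                                     "00112233445566778899aabbccddeeff", &rc);
    printf("rc=%d guards_intact=%d\n", rc, ok);
    return 0;
}
```
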
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1632185]
kernel-4.18.10-100.fc27, kernel-headers-4.18.10-100.fc27, kernel-tools-4.18.10-100.fc27 have been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2018:3651 https://access.redhat.com/errata/RHSA-2018:3651

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2018:3666 https://access.redhat.com/errata/RHSA-2018:3666

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.4 Extended Update Support
Via RHSA-2019:1946 https://access.redhat.com/errata/RHSA-2019:1946