1771486 – (CVE-2019-18198) CVE-2019-18198 kernel: reference count usage error in fib6_rule_suppress function in net/ipv6/fib6_rules.c

Bug 1771486 (CVE-2019-18198) - CVE-2019-18198 kernel: reference count usage error in fib6_rule_suppress function in net/ipv6/fib6_rules.c

Summary: CVE-2019-18198 kernel: reference count usage error in fib6_rule_suppress func...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-18198
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	CVE-2021-3892 (view as bug list)
Depends On:	1771487 1814527
Blocks:	1771490 2008467
TreeView+	depends on / blocked

Reported:	2019-11-12 13:19 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-12-06 07:52 UTC (History)
CC List:	44 users (show)
Fixed In Version:	Kernel 5.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Linux kernel’s IPv6 routing system. A local attacker with the ability to configure routing can create a situation where they can corrupt memory or possibly escalate privileges.
Clone Of:
Environment:
Last Closed:	2021-10-25 09:56:07 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2019-11-12 13:19:45 UTC

A flaw was found in the Linux kernels IPV6 subsystem.  Route reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c.  A local attacker with the ability to trigger packets being sent over a specific route that implements suppress_prefixlength.  

The suppress_prefixlength routes are not standard and require administrative access to insert.


Upstream commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ca7a03c4175366a92cee0ccc4fec0038c3266e26

Comment 1 Guilherme de Almeida Suckevicz 2019-11-12 13:20:08 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1771487]

Comment 2 Justin M. Forbes 2019-11-12 18:06:44 UTC

This was fixed for Fedora with the 5.3.4 stable kernel updates.

Comment 7 Wade Mealing 2020-03-18 06:30:35 UTC

Mitigation:


As the IPV6 module will be auto-loaded when required, its use can be disabled  by preventing the module from loading with the following instructions:

https://access.redhat.com/solutions/8790

If the system requires IPV6 to work correctly, this mitigation may not be suitable.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.

Comment 10 Petr Matousek 2020-04-03 04:31:26 UTC

Statement:

This flaw is rated as moderate as setting up the condition requires CAP_NET_ADMIN privileges which are not available to regular users.

Comment 20 Rohit Keshri 2021-12-06 07:52:40 UTC

*** Bug 2014623 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.

acaringi
airlied
bdettelb
bhu
blc
brdeoliv
bskeggs
dhoward
dvlasenk
esammons
fhrbata
hdegoede
hkrzesin
iboverma
ichavero
itamar
jarodwilson
jeremy
jforbes
jlelli
john.j5live
jonathan
josef
jross
jshortt
jstancek
jwboyer
kernel-maint
kernel-mgr
lgoncalv
linville
masami256
mchehab
mcressma
mjg59
mkaplan
mlangsdo
nmurray
qzhao
rt-maint
rvrbovsk
steved
williams
wmealing