Bug 1886374 (CVE-2020-16119) - CVE-2020-16119 kernel: DCCP CCID structure use-after-free may lead to DoS or code execution
Status: CLOSED ERRATA
Alias: CVE-2020-16119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1887675 1887676 1887680 1887682 1887683 1887684 1887685 1887686 1887687 1887688 1887689 1887691 1887692 1887696 1887697 1887698 1887699 1887700 1887701 1887702 1888083 1888198 1888199 1888200 1888201
Blocks: 1886377
Reported: 2020-10-08 10:20 UTC by Marian Rehak
Modified: 2021-11-08 01:23 UTC (History)

Doc Text:
A flaw was found in the Linux kernel. When reusing a socket with an attached dccps_hc_tx_ccid as a listener, the socket will be used after being released leading to denial of service (DoS) or a potential code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Last Closed: 2021-11-08 01:23:14 UTC


Links: Red Hat Knowledge Base (Solution) 5680351 (last updated 2021-01-05 06:52:12 UTC)

Description Marian Rehak 2020-10-08 10:20:56 UTC
A flaw was found in the Linux kernel's implementation of the DCCP protocol. When reusing a socket with an attached dccps_hc_tx_ccid as a listener, it will be used after being released, leading to DoS and potentially code execution. When a DCCP socket is cloned, the pointers to dccps_hc_rx_ccid and dccps_hc_tx_ccid are copied. When CCID features are activated on the child socket, the CCID objects are freed, leaving the parent socket with dangling pointers.

Comment 4 Wade Mealing 2020-10-13 02:38:49 UTC
Mitigation:

Red Hat has previously automatically blacklisted the DCCP module in Red Hat Enterprise Linux 7.5 and later in /etc/modprobe.d/dccp-blacklist.conf.

If this file does not exist with the above contents, the module can be prevented from loading by running the command

# echo "install dccp /bin/true" >> /etc/modprobe.d/dccp-blacklist.conf
 
The system will need to be restarted if the DCCP module is loaded. In most circumstances, the DCCP kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

If the system requires this module to work correctly, this mitigation may not be suitable.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
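
As an added check (this script is not part of the Red Hat bug or of any comment in it), the shell script below reports whether the mitigation described in the comment above is in place on a host: it looks for an "install dccp ..." rule in a modprobe.d directory and for a resident dccp entry in a /proc/modules-style file, and it separates the case the comment warns about, where the rule exists but the module is already loaded and a restart is still needed. The directory and modules-file paths are parameters so the check can be run against constructed files; the function names, the "state" vocabulary and the sample file contents in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example: read-only check of the DCCP module-blacklist mitigation.
# Not code from the Red Hat bug or its comments. Function names and the
# constructed sample files below are this example's own assumptions.

# Exit 0 if any *.conf under the modprobe.d directory ($1, default
# /etc/modprobe.d) carries an "install dccp ..." rule, which is what the
# mitigation command in the bug appends to dccp-blacklist.conf.
dccp_install_rule_present() {
    rule_dir="${1:-/etc/modprobe.d}"
    grep -qsE '^[[:space:]]*install[[:space:]]+dccp[[:space:]]' "$rule_dir"/*.conf 2>/dev/null
}

# Exit 0 if "dccp" is listed as a resident module in a /proc/modules-style
# file ($1, default /proc/modules). The trailing whitespace anchor keeps
# dccp_ipv4 / dccp_ipv6 from being mistaken for the core module.
dccp_module_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -qsE '^dccp[[:space:]]' "$modules_file" 2>/dev/null
}

# Print one word describing the host's state:
#   mitigated               rule present, module not resident
#   blacklisted-but-loaded  rule present, but module already resident (restart needed)
#   loaded                  no rule, module resident
#   unmitigated             no rule, module not resident (it would still load on demand)
dccp_state() {
    state_dir="${1:-/etc/modprobe.d}"
    state_modules="${2:-/proc/modules}"
    if dccp_install_rule_present "$state_dir"; then
        if dccp_module_loaded "$state_modules"; then
            echo "blacklisted-but-loaded"
        else
            echo "mitigated"
        fi
    else
        if dccp_module_loaded "$state_modules"; then
            echo "loaded"
        else
            echo "unmitigated"
        fi
    fi
}

# Stand-alone demo on constructed files (nothing on the host is modified),
# followed by a read-only report on the host itself.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/modprobe.d"
printf 'install dccp /bin/true\n' > "$demo_dir/modprobe.d/dccp-blacklist.conf"   # constructed rule file
printf 'dccp 110592 0 - Live 0x0000000000000000\n' > "$demo_dir/modules"         # constructed /proc/modules line
echo "constructed rule + resident module: $(dccp_state "$demo_dir/modprobe.d" "$demo_dir/modules")"
rm -rf "$demo_dir"
echo "this host: $(dccp_state)"
```

Running it with no arguments reports the real host; "blacklisted-but-loaded" is the state in which the blacklist file is in place but, as the comment notes, the module will only go away after a restart.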

Comment 5 Wade Mealing 2020-10-13 05:30:16 UTC
Meta:

The DCCP protocol is not a 'built in' or autoloaded protocol. A networked system sending DCCP packets to another host will not automatically load the dccp kernel module. The host must have been or be using the DCCP protocol for it to load the kernel module on-demand.

Comment 15 Wade Mealing 2020-10-14 01:26:49 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1888083]

Comment 17 Fedora Update System 2020-10-15 22:35:31 UTC
FEDORA-2020-ce117eff51 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 25 Wade Mealing 2021-01-06 04:09:23 UTC
I spent some time further confirming the behavior. No RH products are affected as the commit is definitely required to work correctly.

I hope that answers your question, chaekim.

