Bug 1877575 (CVE-2020-25212) - CVE-2020-25212 kernel: TOCTOU mismatch in the NFS client code
Summary: CVE-2020-25212 kernel: TOCTOU mismatch in the NFS client code
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25212
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1877576 1880890 1880891 1880892 1880893 1880894 1916422 1916423 1916424 1916716 1916717 1916718
Blocks: 1877577
TreeView+ depends on / blocked
 
Reported: 2020-09-09 20:57 UTC by Pedro Sampaio
Modified: 2024-03-25 16:27 UTC (History)
49 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response allow for local memory corruption and possibly privilege escalation.
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:42 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0138 0 None None None 2021-01-14 11:41:33 UTC
Red Hat Product Errata RHBA-2021:2538 0 None None None 2021-06-23 18:06:00 UTC
Red Hat Product Errata RHBA-2021:2541 0 None None None 2021-06-24 11:51:05 UTC
Red Hat Product Errata RHSA-2020:4279 0 None None None 2020-10-19 16:57:59 UTC
Red Hat Product Errata RHSA-2020:5437 0 None None None 2020-12-15 11:12:15 UTC
Red Hat Product Errata RHSA-2020:5441 0 None None None 2020-12-15 11:17:13 UTC
Red Hat Product Errata RHSA-2021:0526 0 None None None 2021-02-16 08:35:11 UTC
Red Hat Product Errata RHSA-2021:0760 0 None None None 2021-03-09 09:18:56 UTC
Red Hat Product Errata RHSA-2021:0878 0 None None None 2021-03-16 14:53:38 UTC

Description Pedro Sampaio 2020-09-09 20:57:14 UTC
A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c.

References:

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.3
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b4487b93545214a9db8cbf32e86411677b0cca21
https://twitter.com/grsecurity/status/1303370421958578179

Comment 1 Pedro Sampaio 2020-09-09 20:57:53 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1877576]

Comment 2 Justin M. Forbes 2020-09-10 14:41:40 UTC
This was fixed for Fedora with the 5.8 stable rebases.

Comment 9 Petr Matousek 2020-10-13 16:01:37 UTC
Mitigation:

While there is no known mitigation to this flaw, configuring authentication and only mounting authenticated NFSv4 servers will significantly reduce the risk of this flaw being successfully exploited.

Comment 14 errata-xmlrpc 2020-10-19 16:57:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4279 https://access.redhat.com/errata/RHSA-2020:4279

Comment 15 Product Security DevOps Team 2020-10-19 20:21:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25212

Comment 16 errata-xmlrpc 2020-12-15 11:12:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5437 https://access.redhat.com/errata/RHSA-2020:5437

Comment 17 errata-xmlrpc 2020-12-15 11:16:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5441 https://access.redhat.com/errata/RHSA-2020:5441

Comment 22 errata-xmlrpc 2021-02-16 08:35:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0526 https://access.redhat.com/errata/RHSA-2021:0526

Comment 23 errata-xmlrpc 2021-03-09 09:18:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0760 https://access.redhat.com/errata/RHSA-2021:0760

Comment 24 errata-xmlrpc 2021-03-16 14:53:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0878 https://access.redhat.com/errata/RHSA-2021:0878

Comment 26 errata-xmlrpc 2021-05-18 13:20:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578

Comment 27 errata-xmlrpc 2021-05-18 14:40:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1739 https://access.redhat.com/errata/RHSA-2021:1739


Note You need to log in before you can comment on or make changes to this bug.