Does CVE-2009-2692 affect Red Hat Enterprise Linux?
Release Found: Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG.
Update 27th August 2009: This article has been updated to reflect the release of the Red Hat Security Advisories RHSA-2009:1233, RHSA-2009:1223, and RHSA-2009:1222, which fix the CVE-2009-2692 issue in Red Hat Enterprise Linux 3, 4, and 5 respectively.
Update 1st September 2009: This article has been updated to reflect the release of the Red Hat Security Advisory RHSA-2009:1239, which fixes the CVE-2009-2692 issue in Red Hat Enterprise MRG.
Problem
The flaw identified by CVE-2009-2692 (Red Hat Bugzilla bug 516949) describes an issue in the SOCKOPS_WRAP macro in the Linux kernel, versions 2.4.4 and later, and 2.6.0 and later. This macro did not initialize the sendpage operation in the proto_ops structure correctly. This flaw was addressed via the upstream git commits c18d0fe5 for the 2.4 kernel, and e6949583 for the 2.6 kernel. On systems without these patches, this flaw can lead to a local denial of service or privilege escalation.
This issue has been rated as having important security impact by the Red Hat Security Response Team.
Solution
This issue has been fixed in Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG via the Red Hat Security Advisories RHSA-2009:1233, RHSA-2009:1223, RHSA-2009:1222, and RHSA-2009:1239 respectively. If the required updates are not installed, or if it is not possible to install them at this time, the workarounds in the Mitigation section can be applied to help reduce the risk of this issue.
Mitigation
Before updates are applied, it is possible to reduce the risk and mitigate this flaw by blacklisting the kernel modules of the affected protocols.
The mitigation steps outlined below will not work if the modules are already loaded. If a module is loaded and cannot be removed (for example, via "modprobe -r"), a reboot will be required before the changes take effect.
The "install" command directs the system to run the "/bin/true" command instead of inserting a module when that module is requested:
Red Hat Enterprise Linux 3
Add the following entry to the end of the /etc/modules.conf file:
install bluez /bin/true
Note: The kernel-unsupported package provides the bluez module. This module is not available if you do not have kernel-unsupported installed.
Red Hat Enterprise Linux 4 and 5
Add the following entries to the end of the /etc/modprobe.conf file:
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
The sctp module cannot be unloaded from a running kernel if the module is already loaded; therefore, the above changes for /etc/modprobe.conf on Red Hat Enterprise Linux 4 and 5 require a reboot to take effect.
Red Hat Enterprise MRG
Add the following entries to the end of the /etc/modprobe.conf file:
install pppox /bin/true
install bluetooth /bin/true
install appletalk /bin/true
install ipx /bin/true
install sctp /bin/true
The modules listed above are not exhaustive, but should prevent the publicly-circulated exploit for this issue from working correctly, as this is the list of protocols (relevant to Red Hat Enterprise Linux) known to be affected.
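The following audit script is an added example, not part of the original article or a Red Hat tool. It checks that each "install <module> /bin/true" entry from the Red Hat Enterprise Linux 4 and 5 list is present and flags modules that are already loaded, the case in which the workaround has no effect until the module is removed or the system is rebooted. The function names module_status and audit are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Usage on a RHEL 4/5 host: audit /etc/modprobe.conf /proc/modules pppox bluetooth sctp

# module_status CONF LOADED MODULE -> prints missing | loaded | mitigated
module_status() {
    conf=$1; loaded=$2; mod=$3
    # An uncommented "install <module> /bin/true" line must be present.
    if ! grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/true[[:space:]]*$" "$conf"; then
        echo missing
        return 0
    fi
    # LOADED uses the /proc/modules layout: module name in the first field.
    if awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$loaded"; then
        echo loaded      # entry present, but the module is already in the kernel
    else
        echo mitigated
    fi
}

# audit CONF LOADED MODULE... -> report per module; non-zero if any needs action
audit() {
    a_conf=$1; a_loaded=$2; shift 2
    rc=0
    for m in "$@"; do
        st=$(module_status "$a_conf" "$a_loaded" "$m")
        printf '%-10s %s\n' "$m" "$st"
        [ "$st" = mitigated ] || rc=1
    done
    return "$rc"
}

# Constructed sample data (not from a real system).
tmp=$(mktemp -d)
cat > "$tmp/modprobe.conf" <<'EOF'
alias eth0 e1000
install pppox /bin/true
install bluetooth /bin/true
# install sctp /bin/true
EOF
cat > "$tmp/modules" <<'EOF'
bluetooth 53797 0 - Live 0xf8a3c000
e1000 119381 0 - Live 0xf89d2000
EOF
audit "$tmp/modprobe.conf" "$tmp/modules" pppox bluetooth sctp || echo "action needed"
```

With the constructed data, pppox is reported as mitigated, bluetooth as loaded (entry present but module already in the kernel), and sctp as missing because its entry is commented out.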
Further Assistance
If you require assistance with mitigating this issue, please contact Red Hat support.