Release Found: Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG.
Update 4th November 2009: This article has been updated to reflect the release of the Red Hat Security Advisory RHSA-2009:1540 for Red Hat Enterprise MRG. This advisory disables support for AppleTalk, making Red Hat Enterprise MRG not vulnerable to the CVE-2009-2903 issue.
The flaw identified by CVE-2009-2903 (Red Hat Bugzilla bug 522331) describes a memory leak issue in the AppleTalk DDP protocol implementation in the Linux kernel, versions 2.4.0 and later, and 2.6.0 and later. When the handle_ip_over_ddp() function checks for the "ipddp0" device and the device is not found, the function does not free the socket buffer structure (skb), leading to a memory leak. This flaw was addressed via the upstream git commit ffcfb8db for the 2.6 kernel.
At the time of writing, this flaw has not been addressed in the 2.4 kernel. On systems without this patch or the necessary mitigation, an attacker can exploit this issue to cause a denial of service. Note: Attackers require adjacent (local) network access to exploit this issue.
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. AppleTalk support was disabled in Red Hat Enterprise MRG via the Red Hat Security Advisory RHSA-2009:1540, and therefore, Red Hat Enterprise MRG is not affected by this issue.
Before updates are released and applied, it is possible to reduce the risk and mitigate this flaw by:
- ensuring that both the appletalk and the ipddp modules are loaded, and remain loaded. The ipddp module automatically creates the ipddp0 device, so packets are forwarded to the IP protocol handling code and the vulnerable path, which is only taken when the ipddp0 device does not exist, is avoided.
- disabling the appletalk module and ensuring that it cannot be loaded. The steps outlined below will not take effect if the module is already loaded. If the module is loaded and cannot be removed (for example, with "modprobe -r"), a reboot will be required before the change takes effect.
The "install" directive tells the module loader to run the "/bin/true" command instead of inserting the module whenever the module is requested.
Red Hat Enterprise Linux 3
Add the following entry to the end of the /etc/modules.conf file:
install appletalk /bin/true
Note: The appletalk module is provided by the kernel-unsupported package. The module is not present on systems where kernel-unsupported is not installed.
Red Hat Enterprise MRG
Add the following entry to the end of the /etc/modprobe.conf file:
install appletalk /bin/true
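The following script is an added example for checking which of the two mitigations above is in effect on a host; it is not part of the Red Hat article. It reads the module list, the network device table and a modprobe configuration file (all paths are parameters so the constructed sample data below, which is not from a real system, can be used offline), and reports "exposed" only in the state the article describes as vulnerable: appletalk loaded without an ipddp0 device.

```shell
#!/bin/sh
# Added example: verify the CVE-2009-2903 mitigations described above on a host.
# Return 0 if module $1 appears in the modules list $2 (default /proc/modules).
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}" 2>/dev/null
}
# Return 0 if interface $1 is listed in the netdev table $2 (default /proc/net/dev).
device_exists() {
    grep -q "^[[:space:]]*$1:" "${2:-/proc/net/dev}" 2>/dev/null
}
# Return 0 if modprobe config $1 carries the "install appletalk /bin/true" override.
appletalk_blocked() {
    grep -Eq '^[[:space:]]*install[[:space:]]+appletalk[[:space:]]+/bin/true([[:space:]]|$)' "$1" 2>/dev/null
}
# Classify a host from its module list ($1), netdev table ($2) and modprobe config ($3):
#   mitigated-loaded   appletalk and ipddp loaded and ipddp0 present (first mitigation)
#   mitigated-blocked  appletalk not loaded and the install override present (second mitigation)
#   exposed            appletalk loaded but no ipddp0 device, so the leaking path is reachable
#   unprotected        appletalk not loaded, but nothing prevents it from being loaded later
assess() {
    if module_loaded appletalk "$1"; then
        if module_loaded ipddp "$1" && device_exists ipddp0 "$2"; then
            echo mitigated-loaded
        else
            echo exposed
        fi
    elif appletalk_blocked "$3"; then
        echo mitigated-blocked
    else
        echo unprotected
    fi
}
# Constructed sample inputs (not captured from a real host) so the check runs offline; on a
# live system run: assess /proc/modules /proc/net/dev /etc/modprobe.conf (or /etc/modules.conf)
SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
printf 'appletalk 30000 1 ipddp, Live 0xf8a00000\nipddp 6000 0 - Live 0xf8b00000\n' > "$SAMPLES/mods.ok"
printf 'appletalk 30000 0 - Live 0xf8a00000\n' > "$SAMPLES/mods.bad"
printf 'e1000 80000 0 - Live 0xf8c00000\n' > "$SAMPLES/mods.none"
printf 'Inter-|   Receive\n face |bytes\n    lo: 0 0\nipddp0: 0 0\n' > "$SAMPLES/dev.ok"
printf 'Inter-|   Receive\n face |bytes\n    lo: 0 0\n' > "$SAMPLES/dev.none"
printf 'alias eth0 e1000\ninstall appletalk /bin/true\n' > "$SAMPLES/conf.blocked"
printf 'alias eth0 e1000\n' > "$SAMPLES/conf.open"
assess "$SAMPLES/mods.ok"   "$SAMPLES/dev.ok"   "$SAMPLES/conf.open"      # mitigated-loaded
assess "$SAMPLES/mods.bad"  "$SAMPLES/dev.none" "$SAMPLES/conf.open"      # exposed
assess "$SAMPLES/mods.none" "$SAMPLES/dev.none" "$SAMPLES/conf.blocked"   # mitigated-blocked
assess "$SAMPLES/mods.none" "$SAMPLES/dev.none" "$SAMPLES/conf.open"      # unprotected
```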
If you require assistance with mitigating this issue, please contact Red Hat support.