CVE-2017-7477
Find out more about CVE-2017-7477 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 starting with the version kernel-3.10.0-514.el7, that is with Red Hat Enterprise Linux 7.3 GA. Prior Red Hat Enterprise Linux 7 kernel versions are not affected.
In order to exploit this issue, the system needs to be manually configured by privileged user. The default Red Hat Enterprise Linux 7 configuration is not vulnerable.
CVSS v3 metrics
| CVSS3 Base Score | 8.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (kernel) | RHSA-2017:1615 | 2017-06-28 |
| Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt) | RHSA-2017:1616 | 2017-06-28 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise MRG 2 | realtime-kernel | Not affected |
| Red Hat Enterprise Linux 6 | kernel | Not affected |
| Red Hat Enterprise Linux 5 | kernel | Not affected |
Mitigation
Red Hat recommends blacklisting the kernel module to prevent its use. This will prevent accidental version loading by administration and also mitigate the flaw if a kernel with the affected module is booted.
As the macsec module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:
Raw
# echo "install macsec /bin/true" >> /etc/modprobe.d/disable-macsec.conf
If macsec functionality is in use as a functional part of the system a kernel upgrade is required.
