Use after free vulnerability in Linux kernel keychain management (CVE-2016-0728)

Public Date:
Updated -
Status: Resolved
Impact: Important

Red Hat Product Security has been notified of a vulnerability, rated Important in severity, that stems from the Linux kernel version 3.10 shipped with Red Hat Enterprise Linux 7.

Background Information

  • An issue was reported that the kernel keyring facility was vulnerable to a possible use-after-free attack. Successful compromise could lead to local privilege escalation. The function join_session in security/keys/process_keys.c holds a reference to the requested keyring, but if that keyring was the same one currently being processed, the kernel would not decrease the keyring usage count before returning to userspace. The usage field could possibly be overflowed, causing a use-after-free on the keyring object.
  • The exploit is documented: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
  • This issue is being managed through CVE-2016-0728.
  • This issue is documented in KB 2131021.
  • Direct exploitation of this issue requires a skilled attacker with local access.
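
The reference-count flaw described in the list above, as an added toy model in C (not kernel code and not Red Hat's patch), showing why one unbalanced path is enough to reach a use-after-free. All names here (`toy_keyring`, `join_session_leaky`, `join_session_balanced`, `run`) are hypothetical, and the counter is narrowed to 8 bits as an assumption so that the wrap is reached after 255 calls.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not kernel code. Assumption: the counter is narrowed to 8 bits so
 * the wrap is reachable quickly. Only the same-keyring path is modeled. */
struct toy_keyring {
    uint8_t usage;  /* reference count */
    bool freed;     /* set when the count drops to zero */
};
typedef void (*join_fn)(struct toy_keyring *session, struct toy_keyring *requested);
static void toy_get(struct toy_keyring *k) { k->usage++; }
static void toy_put(struct toy_keyring *k) { if (--k->usage == 0) k->freed = true; }

/* Flawed path: takes a reference on the requested keyring, then returns
 * without dropping it when that keyring is already the session keyring. */
static void join_session_leaky(struct toy_keyring *session, struct toy_keyring *requested)
{
    toy_get(requested);
    if (requested == session)
        return;              /* reference leaked on every such call */
}

/* Balanced path: same check, but the extra reference is released first. */
static void join_session_balanced(struct toy_keyring *session, struct toy_keyring *requested)
{
    toy_get(requested);
    if (requested == session) {
        toy_put(requested);
        return;
    }
}

/* Join the current session keyring `calls` times, then let an unrelated,
 * correctly balanced user take and drop one reference. */
static struct toy_keyring run(join_fn join, unsigned calls)
{
    struct toy_keyring k = { .usage = 1, .freed = false };  /* 1 = held by the session */
    for (unsigned i = 0; i < calls; i++)
        join(&k, &k);
    toy_get(&k);
    toy_put(&k);
    return k;  /* freed while the session still points at it = use-after-free */
}

int main(void)
{
    printf("leaky freed=%d, balanced freed=%d\n",
           run(join_session_leaky, 255).freed, run(join_session_balanced, 255).freed);
    return 0;
}
```
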

An attack could allow execution of arbitrary code and potential escalation of privileges by a skilled attacker.

The following versions of Red Hat Products are impacted:

  • Red Hat Enterprise Linux 7 running kernel 3.10

This issue does not affect the Linux kernels shipped with Red Hat Enterprise Linux 5 or 6.

Take Action

Red Hat Security Advisories have been issued for this vulnerability. The links to the patches can be found below.

A SystemTap script is available, by request, to mitigate this issue. Please open a Support Case through the Red Hat Customer Portal or by phone to gain access to it.

Detailed Impact Information

Product | Package | Advisory/Update
Red Hat Enterprise Linux 7 | kernel | RHSA-2016:0064
Red Hat Enterprise Linux 7 | kernel-rt | RHSA-2016:0065
Red Hat Enterprise MRG 2 | kernel-rt | RHSA-2016:0068

3 Comments

Do we have a tentative date of this fix?

RHEL7 patches are out now.

What kernel level do we need to be at for the bug to be resolved? I might be at it already but not sure.