Use-after-free in the IPv6 implementation of the DCCP protocol in the Linux kernel - CVE-2017-6074
Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's DCCP protocol IPV6 implementation. The vulnerability has been assigned CVE-2017-6074. This issue was publicly disclosed on 20-Feb-2017 and has been rated as Important.
Background Information
DCCP is a layer 4 (transport) protocol intended to allow programmers to control network congestion settings at the application layer. The protocol is routable across the internet because it uses IP as its layer 3 (network) protocol, and it was therefore designed to work over both IPv4 and IPv6. The exploit specifically uses IPv6-based DCCP connections.
DCCP uses an internal state machine to keep track of connections. In this case the DCCP state machine mishandles DCCP_PKT_REQUEST data structures while the socket is in the LISTEN state. This allows a local user who controls both client and server on the same networked node to create a use-after-free condition. When a connection is established, a data structure called an skbuff is created per connection. At the tail of the skbuff is another struct, skb_shared_info, which in turn contains a ubuf_info struct. The ubuf_info struct holds a function pointer that is called when the skb is cleaned up. The error condition is that this callback was being invoked after the memory for the skbuff had already been freed. An attacker can therefore arrange for that freed memory to be overwritten with attacker-controlled data, abusing the function pointer value in the window between the free and the later misuse.
The attack requires both server and client to run on the same system, so that the skb_shared_info struct can still be referenced after it has been freed.
Acknowledgments
Red Hat would like to thank Andrey Konovalov for reporting and assisting with this issue.
Red Hat Product Security has rated this update as having a security impact of Important.
Impacted Products
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise MRG 2
- Red Hat Openshift Online v2
- Red Hat Virtualization (RHEV-H/RHV-H)
- RHEL Atomic Host
Attack Description and Impact
This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as UAF (use-after-free). Flaws of this nature are generally exploited by exercising a code path that accesses memory through a pointer that no longer references an in-use allocation because of an earlier free() operation. In this specific issue, the flaw exists in the DCCP networking code and can be reached by a malicious actor with sufficient access to initiate a DCCP network connection on any local interface. Successful exploitation may result in a crash of the host kernel, potential execution of code in the context of the host kernel, or other escalation of privilege by modifying kernel memory structures. An attacker must have access to a local account on the system; this is not a remote attack, and it requires IPv6 support to be enabled.
Take Action
All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.
Updates for Affected Products
Product | Package | Advisory |
---|---|---|
Red Hat Enterprise Linux 7 | kernel | RHSA-2017:0294 |
Red Hat Enterprise Linux 7 | kernel-rt | RHSA-2017:0295 |
Red Hat Enterprise Linux 7.2 Extended Update Support* | kernel | RHSA-2017:0501 |
Red Hat Enterprise Linux 7.1 Extended Update Support* | kernel | RHSA-2017:0403 |
Red Hat Enterprise Linux 6 | kernel | RHSA-2017:0293 |
Red Hat Enterprise Linux 6.7 Extended Update Support* | kernel | RHSA-2017:0316 |
Red Hat Enterprise Linux 6.6 Advanced Update Support** | kernel | RHSA-2017:0324 |
Red Hat Enterprise Linux 6.5 Advanced Update Support** | kernel | RHSA-2017:0366 |
Red Hat Enterprise Linux 6.4 Advanced Update Support** | kernel | RHSA-2017:0345 |
Red Hat Enterprise Linux 6.2 Advanced Update Support*** | kernel | RHSA-2017:0365 |
Red Hat Enterprise Linux 5 | kernel | RHSA-2017:0323 |
Red Hat Enterprise Linux 5.9 Advanced Update Support** | kernel | RHSA-2017:0346 |
Red Hat Enterprise Linux 5.6 Advanced Update Support** | kernel | RHSA-2017:0347 |
RHEL Atomic Host | kernel | Respun 22Feb2017 |
Red Hat Enterprise MRG 2 | kernel-rt | RHSA-2017:0932 |
Red Hat Virtualization (RHEV-H/RHV-H) | kernel | RHSA-2017:1209 |
*An active EUS subscription is required for access to this patch.
Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.
**An active AUS subscription is required for access to this patch in RHEL AUS.
Mitigation
The DCCP kernel module is loaded automatically when an application attempts to use the DCCP protocol. Loading can be prevented with a system-wide modprobe rule. The following command, run as root, prevents accidental or intentional loading of the module. Red Hat Product Security believes this is a robust method of preventing the module from being loaded, even by privileged users.
# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf
The system will need to be restarted if the DCCP modules are already loaded. In most circumstances the DCCP kernel modules cannot be unloaded while they are in use and any network interfaces are active.
If further assistance is needed, see this KCS article ( https://access.redhat.com/solutions/41278 ) or contact Red Hat Global Support Services.
Additionally, the default targeted SELinux policy for fully up-to-date RHEL 6 and 7 systems will mitigate this flaw, as described in the Bugzilla details for CVE-2017-6074.
Ansible Playbook
An Ansible playbook is available. It mitigates the vulnerability in two steps: first, it performs a "fake install" to prevent the vulnerable DCCP module from loading by creating a blacklist file at /etc/modprobe.d/disable-dccp.conf. Then, if the DCCP module is already loaded into the running kernel, it attempts to unload it. If it is unable to do so (because the module is in use by the kernel), it will *reboot the system*. With the blacklist file in place, this ensures the module is not loaded again. After a fixed package is available and installed, you can remove the file at /etc/modprobe.d/disable-dccp.conf if desired.
The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):
# ansible-playbook -e HOSTS=hostname mitigate-fixit.yml
This playbook requires root privileges, so you may need to specify --become if it's not defined for 'hostname' in your inventory file.
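The following POSIX shell check is an added example, not Red Hat's detection or remediation script. It reports the same three states the mitigation and playbook sections describe (blacklisted and unloaded, blacklisted but still loaded so a reboot is needed, or not blacklisted at all) and takes the modprobe.d directory and a /proc/modules-style file as parameters so it can be run against constructed input offline.

```shell
#!/bin/sh
# Added example: status check for the CVE-2017-6074 modprobe mitigation.
# Not Red Hat's script. Paths are parameters so the check runs offline.

# dccp_blacklisted DIR : 0 if any DIR/*.conf carries an "install dccp ..."
# rule, which is the form of the advisory's mitigation.
dccp_blacklisted() {
    grep -qsE '^[[:space:]]*install[[:space:]]+dccp[[:space:]]' "$1"/*.conf
}

# dccp_loaded MODULES_FILE : 0 if dccp or a dccp_* module (e.g. dccp_ipv6)
# appears as the first field of a /proc/modules-style listing.
dccp_loaded() {
    grep -qsE '^dccp(_[[:alnum:]]+)?[[:space:]]' "$1"
}

# dccp_status DIR MODULES_FILE : prints
#   mitigated      blacklist rule present, module not loaded
#   reboot-needed  blacklist rule present, module still loaded
#   vulnerable     no blacklist rule (module may or may not be loaded)
dccp_status() {
    if dccp_blacklisted "$1"; then
        if dccp_loaded "$2"; then
            echo reboot-needed
        else
            echo mitigated
        fi
    else
        echo vulnerable
    fi
}

# Stand-alone use against the live system, with the paths the advisory names.
if [ "${1:-}" = "--live" ]; then
    dccp_status /etc/modprobe.d /proc/modules
fi
```

A result of reboot-needed corresponds to the case where the playbook cannot unload the in-use module and reboots; a result of vulnerable means the modprobe rule from the Mitigation section has not been applied.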
10 Comments
The script does not check if IPv6 is enabled or not. What if our environment disables IPv6? We should not be vulnerable to this, correct? Also, the script assumes the only way to mitigate is via SELinux? Is there any other way to mitigate other than SELinux?
Hi Walid,
On IPv6, having it disabled in the kernel does mitigate this issue. Merely not having an IPv6 interface does not suffice here.
The mitigation of disabling the dccp module is simpler to apply and equally, if not more effective.
Regards,
Gabe
According to this URL https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2013-02-05/finding/RHEL-06-000124 I can just disable DCCP if it is not a required service, and that is another way to mitigate the vulnerability.
Good morning. Yes, Walid Shaari, the method within the URL you listed to blacklist and disable the DCCP kernel module is the same method we published as a mitigation for this issue. Click on the Resolve tab and scroll to the bottom half, to the Mitigation section.
Regards, Cliff
Thanks Cliff. I have noticed it now.
Can Red Hat start putting their scripts (eg. Ansible remediation + check scripts) in publicly available git repositories?
It would be nice to be able to view the contents of these scripts without having to pull them down.
Posting our scripts to a git repo is something we certainly can look to do. I'll talk with our DevOps team (the folks that built the two provided scripts) and see what our options might be.
It should be noted that if you are hardening your RHEL servers there are CCE's for disabling DCCP, so this may already be mitigated in your deployment.
CCE-14268-7 Disable DCCP (RHEL 5)
CCE-26448-1 Disable DCCP Support (RHEL 6)
CCE-26828-4 Disable DCCP Support (RHEL 7)
I may be jumping the gun and not fully reading every bit of the CVE but is there an offline location URL to download the patch from? My RHEL Server is on a segregated network with no internet connectivity allowed and cannot utilize yum update to pull the patch directly from a repository.
Sure, in that case you can use the following URL for RHEL 7: https://access.redhat.com/errata/RHSA-2017:0294 Modify it for the other errata mentioned above. And yes, you have to be logged in and have a valid subscription.