Use-after-free in the IPv6 implementation of the DCCP protocol in the Linux kernel - CVE-2017-6074

Status: Resolved
Impact: Important

Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's DCCP protocol IPV6 implementation.  The vulnerability has been assigned CVE-2017-6074.  This issue was publicly disclosed on 20-Feb-2017 and has been rated as Important.

Background Information

DCCP is a layer 4 (transport) protocol intended to let programmers control network congestion settings from the application layer. It is routable across the internet because it uses IP as its layer 3 (network) protocol, and it was therefore designed to work over both IPv4- and IPv6-based systems. This flaw is specific to IPv6-based DCCP connections.

DCCP uses an internal state machine to keep track of connections. In this case the DCCP state machine mishandles DCCP_PKT_REQUEST data structures while the socket is in the LISTEN state, which allows a local user who controls both client and server on the same networked node to trigger a use-after-free. When a connection is established, a data structure called an skbuff is created for that connection. At the tail of the skbuff is another struct, skb_shared_info, which in turn contains a ubuf_info struct holding a function pointer that is to be called when the skb is cleaned up. The error condition is that this ubuf_info callback was being called after the memory for the skbuff had been freed. An attacker can therefore arrange for that memory to be overwritten with attacker-controlled data in the window between the free and the later use, abusing the function pointer value.

The attack requires both server and client to run on the same system so that the skb_shared_info struct can still be referenced after it has been freed.

Acknowledgments

Red Hat would like to thank Andrey Konovalov for reporting and assisting with this issue.

Red Hat Product Security has rated this update as having a security impact of Important.

Impacted Products

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise MRG 2
  • Red Hat Openshift Online v2
  • Red Hat Virtualization (RHEV-H/RHV-H)
  • RHEL Atomic Host 

Attack Description and Impact

This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as UAF (Use After Free). Flaws of this nature are generally exploited by exercising a code path that accesses memory via a pointer that no longer references an in-use allocation because of an earlier free() operation. In this specific issue, the flaw exists in the DCCP networking code and can be reached by a malicious actor with sufficient access to initiate a DCCP network connection on any local interface. Successful exploitation may result in a crash of the host kernel, potential execution of code in the context of the host kernel, or other escalation of privilege by modifying kernel memory structures. An attacker must have access to a local account on the system; this is not a remote attack, and it requires IPv6 support to be enabled.

Diagnose your vulnerability

Determine if your system is vulnerable

Use the detection script below to determine if your system is currently vulnerable to this flaw.  To verify the legitimacy of the script, you can download the detached GPG signature as well.  The current version of the script is 1.2.

Take Action

All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as the recommended mitigation are noted below. A system reboot is required for the kernel update to take effect.

Updates for Affected Products

Product, package and advisory:

  • Red Hat Enterprise Linux 7: kernel, RHSA-2017:0294
  • Red Hat Enterprise Linux 7: kernel-rt, RHSA-2017:0295
  • Red Hat Enterprise Linux 7.2 Extended Update Support*: kernel, RHSA-2017:0501
  • Red Hat Enterprise Linux 7.1 Extended Update Support*: kernel, RHSA-2017:0403
  • Red Hat Enterprise Linux 6: kernel, RHSA-2017:0293
  • Red Hat Enterprise Linux 6.7 Extended Update Support*: kernel, RHSA-2017:0316
  • Red Hat Enterprise Linux 6.6 Advanced Update Support**: kernel, RHSA-2017:0324
  • Red Hat Enterprise Linux 6.5 Advanced Update Support**: kernel, RHSA-2017:0366
  • Red Hat Enterprise Linux 6.4 Advanced Update Support**: kernel, RHSA-2017:0345
  • Red Hat Enterprise Linux 6.2 Advanced Update Support***: kernel, RHSA-2017:0365
  • Red Hat Enterprise Linux 5: kernel, RHSA-2017:0323
  • Red Hat Enterprise Linux 5.9 Advanced Update Support**: kernel, RHSA-2017:0346
  • Red Hat Enterprise Linux 5.6 Advanced Update Support**: kernel, RHSA-2017:0347
  • RHEL Atomic Host: kernel, respun 22-Feb-2017
  • Red Hat Enterprise MRG 2: kernel-rt, RHSA-2017:0932
  • Red Hat Virtualization (RHEV-H/RHV-H): kernel, RHSA-2017:1209

*An active EUS subscription is required for access to this patch.

Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.

What is the Red Hat Enterprise Linux Extended Update Support Subscription?

**An active AUS subscription is required for access to this patch in RHEL AUS.

Mitigation

The DCCP kernel module is loaded automatically when an application attempts to use the DCCP protocol. Loading can be prevented with the system-wide modprobe rules. The following command, run as root, prevents accidental or intentional loading of the module. Red Hat Product Security believes this is a robust method to prevent loading of the module, even by privileged users.

# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

The system will need to be restarted if the DCCP modules are already loaded. In most circumstances the DCCP kernel modules cannot be unloaded while they are in use and any network interfaces are active.
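As an added example (not Red Hat's detection script or playbook), the following POSIX shell functions check whether the modprobe rule above is configured and whether a DCCP module is still loaded, which is the case in which a reboot is still required. The directory and modules-file arguments are assumptions so the functions can be pointed at /etc/modprobe.d and /proc/modules on a live system or at sample files; the /proc/modules lines in any test are constructed.

```shell
#!/bin/sh
# Constructed check for the modprobe-based DCCP mitigation described above.
# This is not Red Hat's detection script; paths are passed in as arguments so
# the functions can run against the live system or against sample files.

# dccp_rule_present DIR
#   Returns 0 if any *.conf file under DIR contains an "install dccp ..." rule
#   that diverts module loading to /bin/true (or /bin/false), i.e. the
#   mitigation from this article is configured.
dccp_rule_present() {
    grep -qsE '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)([[:space:]]|$)' "$1"/*.conf
}

# dccp_loaded MODULES_FILE
#   Returns 0 if a dccp* module (dccp, dccp_ipv4, dccp_ipv6, dccp_diag) is
#   listed in a /proc/modules-format file. The install rule only prevents
#   future loads, so an already loaded module still needs a reboot.
dccp_loaded() {
    grep -qE '^dccp[_[:alnum:]]*[[:space:]]' "$1"
}

# add_dccp_rule DIR
#   Idempotently writes the rule from this article into DIR/disable-dccp.conf.
add_dccp_rule() {
    if ! dccp_rule_present "$1"; then
        echo "install dccp /bin/true" >> "$1"/disable-dccp.conf
    fi
}

# dccp_mitigation_status DIR MODULES_FILE
#   Prints a one-word status and returns 0 only when the mitigation is fully
#   in effect (rule present and no dccp module currently loaded).
dccp_mitigation_status() {
    if dccp_rule_present "$1"; then
        if dccp_loaded "$2"; then
            echo "rule-present-reboot-required"
            return 1
        fi
        echo "mitigated"
        return 0
    fi
    if dccp_loaded "$2"; then
        echo "unmitigated-module-loaded"
    else
        echo "unmitigated"
    fi
    return 1
}

# Check the live system when invoked with --live (reading /proc/modules and
# /etc/modprobe.d needs no privilege; add_dccp_rule would need root).
if [ "${1:-}" = "--live" ]; then
    dccp_mitigation_status /etc/modprobe.d /proc/modules
fi
```

The status "rule-present-reboot-required" corresponds to the case the article describes where the rule is in place but the module was already loaded and cannot be unloaded while in use; "unmitigated-module-loaded" is the case where DCCP is both available and active.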

If further assistance is needed, see this KCS article ( https://access.redhat.com/solutions/41278 ) or contact Red Hat Global Support Services.

Additionally, the default targeted SELinux policy on fully up-to-date RHEL 6 and 7 systems mitigates this flaw, as described in the Bugzilla details for CVE-2017-6074.


Ansible Playbook

An Ansible  playbook is available.  This will mitigate the vulnerability in two steps: First, it performs a "fake install" to prevent the vulnerable DCCP module from loading by creating a blacklist file at /etc/modprobe.d/disable-dccp.conf . Then, if the DCCP module is already loaded into the running kernel, it will attempt to unload it. If it is unable to do so (because the module is in use by the kernel), it will *reboot the system*. With the blacklist file in place, this will ensure the module isn't loaded anymore. After a fixed package is available and installed, you can remove the file at /etc/modprobe.d/disable-dccp.conf if desired.

The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):

# ansible-playbook -e HOSTS=hostname mitigate-fixit.yml

This playbook requires root privileges, so you may need to specify --become if it's not defined for 'hostname' in your inventory file.


10 Comments


The script does not check if IPv6 is enabled or not. What if our environment disables IPv6? We should not be vulnerable to this, correct? Also, the script assumes the only way to mitigate is via SELinux? Is there any other way to mitigate other than SELinux?

Hi Walid,

On IPv6, having it disabled in the kernel does mitigate this issue. Merely not having an IPv6 interface does not suffice here.

The mitigation of disabling the dccp module is simpler to apply and equally, if not more effective.

Regards,

Gabe

According to this URL https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2013-02-05/finding/RHEL-06-000124 I can just disable DCCP if it is not a required service, and that is another way to mitigate the vulnerability.

Good morning. Yes, Walid Shaari, the method in the URL you listed to blacklist and disable the DCCP kernel module is the same method we published as a mitigation to prevent this issue. Click on the Resolve tab and scroll to the Mitigation section in the bottom half.

Regards, Cliff

Thanks Cliff. I have noticed it now.

Can Red Hat start putting their scripts (eg. Ansible remediation + check scripts) in publicly available git repositories?

It would be nice to be able to view the contents of these scripts without having to pull them down.

Posting our scripts to a git repo is something we certainly can look to do. I'll talk with our DevOps team (the folks that built the two provided scripts) and see what our options might be.

It should be noted that if you are hardening your RHEL servers there are CCEs for disabling DCCP, so this may already be mitigated in your deployment.

CCE-14268-7 Disable DCCP (RHEL 5)

CCE-26448-1 Disable DCCP Support (RHEL 6)

CCE-26828-4 Disable DCCP Support (RHEL 7)

I may be jumping the gun and not fully reading every bit of the CVE but is there an offline location URL to download the patch from? My RHEL Server is on a segregated network with no internet connectivity allowed and cannot utilize yum update to pull the patch directly from a repository.

Sure, in that case you can use the following URL for RHEL 7: https://access.redhat.com/errata/RHSA-2017:0294 Modify it for the other errata mentioned above. And yes, you have to be logged in and have a valid subscription.