Use-after-free in the IPv6 implementation of the DCCP protocol in the Linux kernel - CVE-2017-6074
Updated
Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's DCCP protocol IPV6 implementation. The vulnerability has been assigned CVE-2017-6074. This issue was publicly disclosed on 20-Feb-2017 and has been rated as Important.
Background Information
DCCP is a layer 4 (transport) protocol intended to allow programmers to control network congestion settings on the application layer. This protocol is routable across the internet as it uses IP as its layer 3 (network) protocol. Because of this, the protocol was designed to work over both IPV4 and IPV6 based systems. This exploit explicitly uses IPV6 based DCCP connections.
DCCP uses an internal state machine to keep track of connections. In this circumstance the DCCP state machine mishandles DCCP_PKT_REQUEST data structures while the socket is in the LISTEN state. This allows a local user who can control both client and server on the same networked node to provide a "Use After Free" situation. When a connection is established a data structure called skbuff is created per connection. At the tail of skbuff is another struct called skb_shared_info, which in turn contains a ubuf_info struct. This struct contains a function pointer that is to be called when the skb is to be cleaned up. The error condition is that this ubuf_info struct's callback function was being called after the memory for the skbuff had been freed. This allows an attacker to create a situation in which that memory can be overwritten with malicious instructions, abusing the function pointer value in the time between free and secondary misuse.
The attack requires both server and client running on the same system to ensure reference to the sk_shared_info struct is able to be referenced after it has been freed.
Acknowledgments
Red Hat would like to thank Andrey Konovalov for reporting and assisting with this issue.
Red Hat Product Security has rated this update as having a security impact of Important.
Impacted Products
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise MRG 2
- Red Hat Openshift Online v2
- Red Hat Virtualization (RHEV-H/RHV-H)
- RHEL Atomic Host
Attack Description and Impact
This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as UAF (Use After Free.) Flaws of this nature are generally exploited by exercising a code path that accesses memory via a pointer that no longer references an in use allocation due to an earlier free() operation. In this specific issue, the flaw exists in the DCCP networking code and can be reached by a malicious actor with sufficient access to initiate a DCCP network connection on any local interface. Successful exploitation may result in crashing of the host kernel, potential execution of code in the context of the host kernel or other escalation of privilege by modifying kernel memory structures. An attacker must have access to a local account on the system; this is not a remote attack and requires IPV6 support to be enabled.
Diagnose your vulnerability
Take Action
All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.
| Product | Package | Advisory |
|---|---|---|
| Red Hat Enterprise Linux 7 | kernel | RHSA-2017:0294 |
| Red Hat Enterprise Linux 7 | kernel-rt | RHSA-2017:0295 |
| Red Hat Enterprise Linux 7.2 Extended Update Support* | kernel | RHSA-2017:0501 |
| Red Hat Enterprise Linux 7.1 Extended Update Support* | kernel | RHSA-2017:0403 |
| Red Hat Enterprise Linux 6 | kernel | RHSA-2017:0293 |
| Red Hat Enterprise Linux 6.7 Extended Update Support* | kernel | RHSA-2017:0316 |
| Red Hat Enterprise Linux 6.6 Advanced Update Support** | kernel | RHSA-2017:0324 |
| Red Hat Enterprise Linux 6.5 Advanced Update Support** | kernel | RHSA-2017:0366 |
| Red Hat Enterprise Linux 6.4 Advanced Update Support** | kernel | RHSA-2017:0345 |
| Red Hat Enterprise Linux 6.2 Advanced Update Support*** | kernel | RHSA-2017:0365 |
| Red Hat Enterprise Linux 5 | kernel | RHSA-2017:0323 |
| Red Hat Enterprise Linux 5.9 Advanced Update Support** | kernel | RHSA-2017:0346 |
| Red Hat Enterprise Linux 5.6 Advanced Update Support** | kernel | RHSA-2017:0347 |
| RHEL Atomic Host | kernel | Respun 22Feb2017 |
| Red Hat Enterprise MRG 2 | kernel-rt | RHSA-2017:0932 |
| Red Hat Virtualization (RHEV-H/RHV-H) | kernel | RHSA-2017:1209 |
Updates for Affected Products
*An active EUS subscription is required for access to this patch.
Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.
What is the Red Hat Enterprise Linux Extended Update Support Subscription?
**An active AUS subscription is required for access to this patch in RHEL AUS.
Mitigation
The DCCP kernel module will be automatically loaded when an application attempts to use the DCCP protocol. This module can be prevented from being loaded by using the system-wide modprobe rules. The following command, run as root, will prevent accidental or intentional loading of the module. Red Hat Product Security believe this method is a robust method to prevent accidental loading of the module, even by privileged users.
# echo "install dccp /bin/true">> /etc/modprobe.d/disable-dccp.conf
The system will need to be restarted if the DCCP modules are already loaded. In most circumstances, the DCCP kernel modules will be unable to be unloaded if in use and while any network interfaces are active.
If further assistance is needed, see this KCS article ( https://access.redhat.com/solutions/41278 ) or contact Red Hat Global Support Services.
Additionally, the default targeted SELinux policy for fully up to date RHEL 6 and 7 systems will mitigate this flaw, as described within bugzilla details for CVE-2017-6074 .
Ansible Playbook
An Ansible playbook is available. This will mitigate the vulnerability in two steps: First, it performs a "fake install" to prevent the vulnerable DCCP module from loading by creating a blacklist file at /etc/modprobe.d/disable-dccp.conf . Then, if the DCCP module is already loaded into the running kernel, it will attempt to unload it. If it is unable to do so (because the module is in use by the kernel), it will *reboot the system*. With the blacklist file in place, this will ensure the module isn't loaded anymore. After a fixed package is available and installed, you can remove the file at /etc/modprobe.d/disable-dccp.conf if desired.
The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):
# ansible-playbook -e HOSTS=hostname mitigate-fixit.yml
This playbook requires root privileges, so you may need to specify --become if it's not defined for 'hostname' in your inventory file.
Comments