Kernel Race Condition in packet_set_ring leading to use-after-free - CVE-2016-8655

Solution In Progress

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise MRG 2

Issue

Red Hat Product Security has been made aware of a vulnerability in the Linux kernel that has been assigned CVE-2016-8655. This issue was publicly disclosed on December 6th, 2016 and has been rated as Important.

A race condition leading to a use-after-free flaw was found in the way the raw packet socket implementation in the Linux kernel networking subsystem (af_packet) synchronized the creation of a TPACKET_V3 ring buffer. The ring is set up in packet_set_ring(), and a concurrent setsockopt(PACKET_VERSION) on the same socket could change the packet version while that setup was in progress, so that the kernel's view of the ring type became inconsistent and the TPACKET_V3 block-retire timer could later run on freed memory. A local user able to open a raw packet socket (which requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.

Resolution

The affected code is present in the kernels shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2, but the issue is not exploitable in their default configurations, because reaching it requires the CAP_NET_RAW capability (see Root Cause). Future kernel updates for the respective releases may address this issue. Red Hat Enterprise Linux 5 and 6 are not affected by this issue: their kernels do not include the TPACKET_V3 ring buffer implementation.

Root Cause

In order to exploit this issue the attacker's process needs the CAP_NET_RAW capability, which the kernel checks in packet_create() when an AF_PACKET socket is opened. The administrator must therefore have granted that capability to the attacker's account, or to code the attacker can run; file capabilities on fixed utilities such as ping do not by themselves let a local user run arbitrary code with CAP_NET_RAW. Since Red Hat Enterprise Linux 7 does not enable unprivileged user namespaces by default, local unprivileged users also cannot create a user namespace in which they hold CAP_NET_RAW and use it to reach the flaw.

Diagnostic Steps

TPACKET_V3 is the third version of the memory-mapped ring buffer interface for AF_PACKET (raw packet) sockets in the Linux kernel. The interface is used in several capacities:

  • For packet capturing network traffic with utilities like tcpdump
  • Injecting network traffic
  • Anything that needs raw access to the network interface

  • To see which binaries on the system carry the CAP_NET_RAW file capability, run the following command

    # getcap /usr/bin/* /usr/sbin/* | grep -i cap_net_raw
    
  • A default Red Hat Enterprise Linux 7 installation with common networking utilities present should report entries like the following. Here +ep means the capability becomes effective as soon as the binary runs, while +p means it is only permitted and the program must raise it itself; either way the capability applies only to that binary's own code:

    /usr/bin/ping = cap_net_admin,cap_net_raw+p
    /usr/sbin/arping = cap_net_raw+p
    /usr/sbin/clockdiff = cap_net_raw+p
    /usr/sbin/dumpcap = cap_net_admin,cap_net_raw+ep
    /usr/sbin/fping = cap_net_raw+ep
    /usr/sbin/fping6 = cap_net_raw+ep
    /usr/sbin/mtr = cap_net_raw+ep
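
The getcap listing shows which binaries carry the capability, but the condition that matters for CVE-2016-8655 is whether a process running the attacker's own code can open a raw packet socket and reach packet_set_ring(). The following C program is added to this article as a worked example (it is not Red Hat code and not part of the original solution): it reads the effective capability set from /proc/self/status, then opens an AF_PACKET socket and performs the ordinary TPACKET_V3 ring setup that libpcap does (PACKET_VERSION followed by PACKET_RX_RING). It does not exercise the race itself. EPERM from socket() means the affected code path is not reachable from that account. The ring geometry and the helper names are arbitrary choices for the example.

```c
/* Probe whether this process can reach the code path of CVE-2016-8655.
 * Added example for this article, not Red Hat code. It performs only the
 * normal TPACKET_V3 ring setup that libpcap does; it does not race anything. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>          /* htons */
#include <linux/if_ether.h>     /* ETH_P_ALL */
#include <linux/if_packet.h>    /* TPACKET_V3, struct tpacket_req3 */

#define CAP_NET_RAW_BIT 13      /* CAP_NET_RAW from linux/capability.h */

/* 1 if a capability mask (as printed in /proc/<pid>/status) has CAP_NET_RAW. */
int mask_has_net_raw(uint64_t mask)
{
    return (int)((mask >> CAP_NET_RAW_BIT) & 1ULL);
}

/* Parse a "CapEff:\t<hex>" status line. Returns 1 and fills *mask, or 0 if
 * the line is not a CapEff line or the hex value does not parse. */
int parse_cap_eff(const char *line, uint64_t *mask)
{
    const char *p;
    char *end;
    if (strncmp(line, "CapEff:", 7) != 0)
        return 0;
    p = line + 7;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    *mask = strtoull(p, &end, 16);
    return (errno == 0 && end != p) ? 1 : 0;
}

/* -1 if not a CapEff line, else whether the effective set has CAP_NET_RAW. */
int cap_eff_line_has_net_raw(const char *line)
{
    uint64_t mask;
    if (!parse_cap_eff(line, &mask))
        return -1;
    return mask_has_net_raw(mask);
}

/* Effective capability set of the calling process from /proc/self/status. */
int read_own_cap_eff(uint64_t *mask)
{
    char line[256];
    int found = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    while (!found && fgets(line, sizeof line, f))
        found = parse_cap_eff(line, mask);
    fclose(f);
    return found;
}

enum probe_result { PROBE_RING_OK, PROBE_NO_CAP_NET_RAW, PROBE_OTHER_ERROR };

/* Open a raw packet socket and set up a TPACKET_V3 receive ring: the same
 * PACKET_VERSION + PACKET_RX_RING sequence libpcap uses, which ends in the
 * kernel's packet_set_ring(). The ring geometry is an arbitrary example. */
enum probe_result probe_tpacket_v3_ring(int *saved_errno)
{
    int version = TPACKET_V3;
    struct tpacket_req3 req;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {                       /* EPERM here means no CAP_NET_RAW */
        *saved_errno = errno;
        return errno == EPERM ? PROBE_NO_CAP_NET_RAW : PROBE_OTHER_ERROR;
    }
    memset(&req, 0, sizeof req);
    req.tp_block_size = 1 << 16;        /* 64 KiB, a multiple of the page size */
    req.tp_block_nr = 4;
    req.tp_frame_size = 1 << 11;        /* must divide tp_block_size */
    req.tp_frame_nr = (req.tp_block_size / req.tp_frame_size) * req.tp_block_nr;
    req.tp_retire_blk_tov = 60;         /* ms; arms the V3 block-retire timer */
    if (setsockopt(fd, SOL_PACKET, PACKET_VERSION, &version, sizeof version) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &req, sizeof req) < 0) {
        *saved_errno = errno;
        close(fd);
        return PROBE_OTHER_ERROR;
    }
    *saved_errno = 0;
    close(fd);                          /* tears the ring down again */
    return PROBE_RING_OK;
}

int main(void)
{
    uint64_t caps = 0;
    int err = 0;
    if (read_own_cap_eff(&caps))
        printf("CapEff=%016llx CAP_NET_RAW=%s\n", (unsigned long long)caps,
               mask_has_net_raw(caps) ? "yes" : "no");
    switch (probe_tpacket_v3_ring(&err)) {
    case PROBE_RING_OK:
        puts("TPACKET_V3 ring created: this account can reach packet_set_ring()");
        break;
    case PROBE_NO_CAP_NET_RAW:
        puts("socket(AF_PACKET) returned EPERM: affected path not reachable from this account");
        break;
    default:
        printf("probe failed: %s\n", strerror(err));
    }
    return 0;
}
```

Build it with gcc and run it as the account you are assessing. As root it should report that the ring was created; as an unprivileged user without CAP_NET_RAW it should report EPERM, which is the condition the Root Cause section relies on. Any other failure (for example EAFNOSUPPORT under a seccomp policy) is printed with its errno text rather than being treated as evidence either way.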
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
