CVE-2017-7477 - heap overflow in the macsec (IEEE 802.1AE-2006) kernel module.

Solution Verified

Environment

  • Red Hat Enterprise Linux 7.3, kernel 3.10.0-514 and later.

In order to exploit this issue, the system needs to have been manually configured for MACsec by a privileged user. The default Red Hat Enterprise Linux 7 configuration is not vulnerable.

Issue

A heap overflow flaw was found in the way the Linux kernel macsec implementation handled fragmented data coming from the network. A remote attacker able to send traffic to a MACsec interface on the system could use this flaw to crash the system or potentially escalate their privileges on it.

Resolution

This fix is currently not released and the mitigation steps below should be taken. Most systems will not be using macsec, as it is a new feature available only in Red Hat Enterprise Linux 7.3 kernels. Red Hat recommends upgrading to a kernel containing the fix when it becomes available.

Mitigation:

Red Hat recommends blacklisting the kernel module to prevent its use. This prevents accidental loading of the module by administrators and also mitigates the flaw if a kernel containing the affected module is booted.

As the macsec module is auto-loaded when required, its use can be disabled by preventing the module from loading. The install directive below makes modprobe run /bin/true instead of inserting the module; a dry run (modprobe -n -v macsec) afterwards shows that the install command would be run instead of the module being loaded:

  # echo "install macsec /bin/true" >> /etc/modprobe.d/disable-macsec.conf 

The system will need to be restarted if the macsec module is already loaded or in use. In most circumstances the macsec kernel module cannot be unloaded while a MACsec network interface is active and the protocol is in use.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.

Resources:

Youtube - MACsec: encryption for wired LANs - Sabrina Dubroca
IEEE Standards - IEEE 802®: LOCAL AND METROPOLITAN AREA NETWORK STANDARD
Patch introducing the flaw
Upstream patch #1
Upstream patch #2
Red Hat Developer Blog - Introducing macsec

Root Cause

Red Hat Product Security has rated this issue as having a security impact of Important. Red Hat is not aware of this issue being exploited in the wild.

The flaw involves a situation in which the data copied to the heap from a packet's fragment list is of an unexpected size, so that adjacent in-memory structures can be overwritten, possibly resulting in a crash or privilege escalation.

Diagnostic Steps

By default Red Hat does not enable macsec functionality, and configuring the protocol requires a privileged user (one with the CAP_NET_ADMIN capability). This functionality is new to Red Hat Enterprise Linux 7.3 and is not available for earlier releases.

Determine macsec usage

To determine if macsec is in use in this environment issue the command:

# find /sys/devices/virtual/net/ -name uevent -exec grep DEVTYPE=macsec {} \;

This will list the macsec devices in use on the system.

Determine Red Hat Enterprise Linux release

To find your Red Hat Enterprise Linux release issue the command:

cat /etc/redhat-release

Determine Kernel version

To find your kernel version issue the command

uname -a

Only Red Hat Enterprise Linux 7 kernel versions 3.10.0-514 (the Red Hat Enterprise Linux 7.3 kernel) and later are affected by this flaw; earlier kernels do not ship the macsec module.
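The mitigation and diagnostic steps above are individual commands. As an added example, not part of the Red Hat article, the script below combines them into one read-only audit of a host: it classifies the running kernel build against the 3.10.0-514 threshold, lists macsec devices from the sysfs uevent files, reports whether the module is loaded, and checks whether a modprobe install override is in place. The paths it reads (/sys/devices/virtual/net, /etc/modprobe.d, /proc/modules) are the ones used above; each function takes an optional alternative path so it can be run against a copied tree. The kernel check reports exposure to the unfixed driver only; once a fixed kernel is released it will also be "later than 514", so that check must then be paired with the advisory's fixed build number.

```shell
#!/bin/sh
# Added audit script for CVE-2017-7477 exposure on a RHEL 7 host.
# Not from the Red Hat article; all paths and names are assumptions that
# match the commands in the article and can be overridden per function.

# Is this a RHEL 7 kernel at or after the 3.10.0-514 build that added macsec?
# Reports exposure to the unfixed driver, not the presence of a fix.
rhel7_kernel_affected() {
    rel=$1
    base=${rel%%-*}            # e.g. 3.10.0
    build=${rel#*-}            # e.g. 514.26.2.el7.x86_64
    build=${build%%.*}         # e.g. 514
    [ "$base" = "3.10.0" ] && [ "$build" -ge 514 ] 2>/dev/null
}

# Print the names of macsec devices found under a sysfs net directory.
# Returns 0 if at least one was found, 1 otherwise.
list_macsec_devices() {
    root=${1:-/sys/devices/virtual/net}
    found=1
    for f in "$root"/*/uevent; do
        [ -r "$f" ] || continue
        if grep -q '^DEVTYPE=macsec$' "$f"; then
            basename "$(dirname "$f")"
            found=0
        fi
    done
    return $found
}

# Is macsec loading disabled by an "install macsec /bin/true" (or /bin/false)
# line in a modprobe drop-in directory?
macsec_blacklisted() {
    dir=${1:-/etc/modprobe.d}
    grep -qsE '^[[:space:]]*install[[:space:]]+macsec[[:space:]]+/bin/(true|false)' "$dir"/*.conf
}

# Is the macsec module currently loaded?
macsec_loaded() {
    grep -q '^macsec ' "${1:-/proc/modules}"
}

# Human-readable report for the running host.
report() {
    kernel=$(uname -r)
    printf 'Kernel: %s\n' "$kernel"
    if rhel7_kernel_affected "$kernel"; then
        printf 'Kernel build is 3.10.0-514 or later: macsec driver present, treat as exposed until a fixed kernel is installed\n'
    else
        printf 'Kernel build is earlier than 3.10.0-514 or not a RHEL 7 kernel: macsec driver not shipped\n'
    fi
    if macsec_loaded; then
        printf 'macsec module: loaded (a reboot is needed after blacklisting)\n'
    else
        printf 'macsec module: not loaded\n'
    fi
    if macsec_blacklisted; then
        printf 'modprobe install override for macsec: present\n'
    else
        printf 'modprobe install override for macsec: absent\n'
    fi
    if devs=$(list_macsec_devices); then
        printf 'macsec devices in use: %s\n' "$(printf '%s' "$devs" | tr '\n' ' ')"
    else
        printf 'macsec devices in use: none\n'
    fi
}

report
```

As a cross-check of the device listing, "ip -d link show type macsec" prints the same interfaces with their MACsec parameters from the networking stack's point of view rather than from sysfs.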

Impacted Products

The following Red Hat product versions are impacted:

Red Hat Enterprise Linux 7

At this time only Red Hat Enterprise Linux 7 systems running kernel versions 3.10.0-514 and later are known to be affected by this flaw.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
