CVE-2014-4943

Отчет

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2. Please note that on Red Hat Enterprise Linux 6 pppol2tp module is not automatically loaded when AF_PPPOX/PX_PROTO_OL2TP socket is created as Red Hat Enterprise Linux 6 lacks upstream commit 9395a09d05a23bb and default modprobe configuration as shipped with module-init-tools package does not contain the alias for pppol2tp protocol either. As a result, pppol2tp module has to be explicitly enabled and/or loaded by the system administrator.

Меры по смягчению последствий

For Red Hat Enterprise Linux 6 do -- ]# echo "install pppol2tp /bin/true" > /etc/modprobe.d/pppol2tp.conf For Red Hat Enterprise Linux 7 do -- ]# echo "install l2tp_ppp /bin/true" > /etc/modprobe.d/l2t_pppp.conf Or, alternatively, when pppol2tp/l2tp_ppp module can't be blacklisted and needs to be loaded, you can use the following systemtap script --

1. On the host, save the following in a file with the ".stp" extension -- probe module("l2tp").function("pppol2tp_*etsockopt").call { $level = 273; }
2. Install the "systemtap" package and any required dependencies. Refer to the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 6 "SystemTap Beginners Guide" document, available from docs.redhat.com, for information on installing the required -debuginfo packages.
3. Run the "stap -g [filename-from-step-1].stp" command as root. If the host is rebooted, the changes will be lost and the script must be run again. Alternatively, build the systemtap script on a development system with "stap -g -p 4 [filename-from-step-1].stp", distribute the resulting kernel module to all affected systems, and run "staprun -L " on those. When using this approach only systemtap-runtime package is required on the affected systems. Please notice that the kernel version must be the same across all systems.