Описание
Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.
A flaw was found in the way Linux kernel allocates heap memory to build the scattergather list from a fragment list(skb_shinfo(skb)->frag_list) in the socket buffer(skb_buff). The heap overflow occurred if 'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST' feature are both used together. A remote user or process could use this flaw to potentially escalate their privilege on a system.
Отчет
This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 starting with the version kernel-3.10.0-514.el7, that is with Red Hat Enterprise Linux 7.3 GA. Prior Red Hat Enterprise Linux 7 kernel versions are not affected. In order to exploit this issue, the system needs to be manually configured by privileged user. The default Red Hat Enterprise Linux 7 configuration is not vulnerable.
Меры по смягчению последствий
Red Hat recommends blacklisting the kernel module to prevent its use. This will prevent accidental version loading by administration and also mitigate the flaw if a kernel with the affected module is booted. As the macsec module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions: Raw
echo "install macsec /bin/true" >> /etc/modprobe.d/disable-macsec.conf
If macsec functionality is in use as a functional part of the system a kernel upgrade is required.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | kernel | Not affected | ||
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise MRG 2 | realtime-kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Fixed | RHSA-2017:1616 | 28.06.2017 |
| Red Hat Enterprise Linux 7 | kernel | Fixed | RHSA-2017:1615 | 28.06.2017 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.
Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.
Heap-based buffer overflow in drivers/net/macsec.c in the MACsec modul ...
Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.
Уязвимость операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании или оказать другое воздействие
EPSS
8.1 High
CVSS3