CVE-2019-25045

Отчет

This flaw is rated as having a Moderate impact because in the default configuration, the issue can only be triggered by a privileged local user. For the all versions of the Red Hat Enterprise Linux 8 the fix already applied, so not affected. For the Red Hat Enterprise Linux 7 the vulnerability not actual too, and it is known that XFRM subsystem vulnerabilities requires CAP_NET_ADMIN capability. In order to exploit this issue the attacker needs CAP_NET_ADMIN capability, which needs to be granted especially by the administrator to the attacker's process. This in turn requires granting CAP_NET_ADMIN capability to the process' binary and/or attacker's account. Another possibility to obtain CAP_NET_ADMIN capability in Red Hat Enterprise Linux 7 for an attacker is running a process inside a user+network namespace with mapped root privileges inside the namespace. Since Red Hat Enterprise Linux 7 does not have unprivileged user namespaces enabled by default, local or remote unprivileged users also cannot abuse namespaces to grant this capability to themselves and elevate their privileges.