Question about a Linux kernel vulnerability: CVE-2017-6074: DCCP double-free vulnerabili

Started by j0s3x002, 23 February 2017, 12:55 PM

j0s3x002

Hi all! ;-)

I am looking into the vulnerability affecting the Linux kernel, CVE-2017-6074; specifically, the kernel has to be built with CONFIG_IP_DCCP for the vulnerability to be present. Many modern distributions enable this option by default.

My question is how to find out whether my system is affected by this vulnerability.

I don't know how to tell whether my distro is built with CONFIG_IP_DCCP, and I can't find the file /net/dccp/input.c either.

This is my system's version, and these are the dccp-related files I have:

Red Hat Enterprise Linux Server release 6.6 (Santiago)

# locate dccp
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/dccp
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/dccp/dccp.ko
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/dccp/dccp_diag.ko
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/dccp/dccp_ipv4.ko
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/dccp/dccp_ipv6.ko
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/dccp/dccp_probe.ko
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/ipv4/netfilter/nf_nat_proto_dccp.ko
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/netfilter/nf_conntrack_proto_dccp.ko
/lib/modules/2.6.32-504.el6.x86_64/kernel/net/netfilter/xt_dccp.ko
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/dccp
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/dccp/dccp.ko
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/dccp/dccp_diag.ko
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/dccp/dccp_ipv4.ko
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/dccp/dccp_ipv6.ko
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/dccp/dccp_probe.ko
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/ipv4/netfilter/nf_nat_proto_dccp.ko
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/netfilter/nf_conntrack_proto_dccp.ko
/lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/netfilter/xt_dccp.ko
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/dccp
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/dccp/dccp.ko
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/dccp/dccp_diag.ko
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/dccp/dccp_ipv4.ko
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/dccp/dccp_ipv6.ko
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/dccp/dccp_probe.ko
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/ipv4/netfilter/nf_nat_proto_dccp.ko
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/netfilter/nf_conntrack_proto_dccp.ko
/lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/netfilter/xt_dccp.ko
/lib64/xtables/libxt_dccp.so
/lib64/xtables-1.4.7/libxt_dccp.so
/usr/include/linux/dccp.h
/usr/include/linux/netfilter/xt_dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/inet/dccp
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/inet/dccp/diag.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/ip/dccp
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/ip/dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/ip/dccp/ccid3
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/ip/dccp/ccid3.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/ip/dccp/tfrc
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/ip/dccp/ccid3/rto.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/ip/dccp/tfrc/lib.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/net/dccpprobe.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/netfilter/xt/match/dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/nf/ct/proto/dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/config/nf/nat/proto/dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/linux/dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/linux/netfilter/nf_conntrack_dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/linux/netfilter/xt_dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/include/net/netns/dccp.h
/usr/src/kernels/2.6.32-504.el6.x86_64/net/dccp
/usr/src/kernels/2.6.32-504.el6.x86_64/net/dccp/Kconfig
/usr/src/kernels/2.6.32-504.el6.x86_64/net/dccp/Makefile
/usr/src/kernels/2.6.32-504.el6.x86_64/net/dccp/ccids
/usr/src/kernels/2.6.32-504.el6.x86_64/net/dccp/ccids/Kconfig
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/inet/dccp
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/inet/dccp/diag.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/ip/dccp
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/ip/dccp.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/ip/dccp/ccid3
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/ip/dccp/ccid3.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/ip/dccp/tfrc
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/ip/dccp/ccid3/rto.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/ip/dccp/tfrc/lib.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/net/dccpprobe.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/netfilter/xt/match/dccp.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/nf/ct/proto/dccp.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/config/nf/nat/proto/dccp.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/linux/dccp.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/linux/netfilter/nf_conntrack_dccp.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/linux/netfilter/xt_dccp.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/include/net/netns/dccp.h
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/net/dccp
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/net/dccp/Kconfig
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/net/dccp/Makefile
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/net/dccp/ccids
/usr/src/kernels/2.6.32-642.6.1.el6.x86_64/net/dccp/ccids/Kconfig
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/inet/dccp
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/inet/dccp/diag.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/ip/dccp
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/ip/dccp.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/ip/dccp/ccid3
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/ip/dccp/ccid3.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/ip/dccp/tfrc
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/ip/dccp/ccid3/rto.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/ip/dccp/tfrc/lib.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/net/dccpprobe.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/netfilter/xt/match/dccp.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/nf/ct/proto/dccp.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/config/nf/nat/proto/dccp.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/linux/dccp.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/linux/netfilter/nf_conntrack_dccp.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/linux/netfilter/xt_dccp.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/include/net/netns/dccp.h
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/net/dccp
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/net/dccp/Kconfig
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/net/dccp/Makefile
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/net/dccp/ccids
/usr/src/kernels/2.6.32-642.6.2.el6.x86_64/net/dccp/ccids/Kconfig

I see mentions of dccp, but I don't know whether my system is using it or whether I am affected, so I can't tell whether I need to apply the patch provided by Red Hat.

Can anyone here give me some help?

Many thanks in advance, regards

MCKSys Argentina

Quote
This issue affects Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise MRG 2 kernels.

Source: https://access.redhat.com/security/cve/CVE-2017-6074

Regards!
MCKSys Argentina

"If you think something is right just because everyone believes it, you are not thinking."


j0s3x002

I have been going through the link to the Red Hat info, thanks MCKSys for the contribution. ;-)

Here is the output of the script that checks whether the system is vulnerable:

This script is primarily designed to detect CVE-2017-6074 on supported
RHEL systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Detected kernel package is '2.6.32-642.6.2.el6.x86_64'.
This kernel version is vulnerable.
Either update kernel package or apply mitigation (SELinux on RHEL6 and RHEL7 or disable DCCP loading).
Follow https://access.redhat.com/security/vulnerabilities/2934281 for advice.


In the end I managed to find out that I don't have the module loaded, but from the script's output I see that Red Hat says the kernel version is vulnerable, and I INTERPRET that it recommends disabling DCCP even if you don't have it loaded, so unless I have misread it, I have to apply the mitigation or update the kernel version.

I assume that if no action were needed, they would have added an extra check to the script to say so, don't you think?

Does anyone else read it that way??  Regards    ;-)
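
The checks discussed in this thread (is the kernel built with CONFIG_IP_DCCP, is the module loaded, is its loading disabled), as an added example that is not part of the original posts and is not Red Hat's detection script. It assumes the usual /boot/config-<release> file and an `install dccp /bin/true` style modprobe.d override as the way loading is disabled; the function names are made up for this example. It does not check whether the kernel package itself is patched.

```shell
#!/bin/sh
# Added example: classify DCCP exposure on a host (CVE-2017-6074 triage).
# File locations are parameters so the checks also work on copies of the files.

# dccp_build_state CONFIG_FILE -> builtin | module | disabled | unknown
dccp_build_state() {
    [ -r "$1" ] || { echo unknown; return; }
    # The '=' right after the name keeps CONFIG_IP_DCCP_CCID3 etc. from matching.
    case "$(grep -E '^CONFIG_IP_DCCP=' "$1")" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo disabled ;;   # "# CONFIG_IP_DCCP is not set" or absent
    esac
}

# dccp_loaded PROC_MODULES -> yes | no
dccp_loaded() {
    if grep -qE '^dccp(_ipv4|_ipv6)? ' "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# dccp_blocked MODPROBE_DIR -> yes | no
# Assumption: loading is disabled with an "install dccp /bin/true" override.
dccp_blocked() {
    if grep -rqsE '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)' "$1"
    then echo yes; else echo no; fi
}

# dccp_exposure CONFIG_FILE PROC_MODULES MODPROBE_DIR
dccp_exposure() {
    case "$(dccp_build_state "$1")" in
        unknown)  echo unknown ;;
        disabled) echo not-built ;;
        builtin)  echo built-in ;;      # always present, cannot be unloaded
        module)
            if [ "$(dccp_loaded "$2")" = yes ]; then echo loaded
            elif [ "$(dccp_blocked "$3")" = yes ]; then echo mitigated
            else echo loadable          # not loaded now, but nothing prevents loading
            fi ;;
    esac
}

# Run against the live system.
dccp_exposure "/boot/config-$(uname -r)" /proc/modules /etc/modprobe.d
```

A result of `loadable` means the module is absent from /proc/modules but nothing prevents it from being loaded later, which is the situation the last post describes.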