Bug 606246 (CVE-2017-0386) - dev-libs/libnl: Privilege escalation due to insufficient data checks in nla_reserve and nla_put
Status: RESOLVED INVALID
Alias: CVE-2017-0386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [upstream/ebuild/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-18 11:41 UTC by Agostino Sarubbo
Modified: 2017-04-29 05:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2017-01-18 11:41:20 UTC
From ${URL} :

An elevation of privilege vulnerability in the libnl library could enable a
local malicious application to execute arbitrary code within the context of a
privileged process.

References:

https://android.googlesource.com/platform/external/libnl/+/f0b40192efd1af977564ed6335d42a8bbdaf650a
https://github.com/thom311/libnl/issues/124
https://github.com/thom311/libnl/commit/c473d59f972c35c5a7363d52ee6ee1e0792de0f8


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-18 17:20:30 UTC

The Red Hat bug doesn't actually explain how passing invalid arguments could trigger a privilege escalation. Upstream is puzzled[1][2] as to why that got dropped in their lap and has added[3] a simple sanity check for negative values of `attrlen`, noting that users of libnl functions should validate input to libnl to begin with.

[1] https://github.com/thom311/libnl/issues/124#issuecomment-273442865
[2] https://github.com/thom311/libnl/issues/124#issuecomment-273528100
[3] https://github.com/thom311/libnl/commit/c473d59f972c35c5a7363d52ee6ee1e0792de0f8
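As an added illustration (a constructed toy, not libnl's code and not the upstream commit [3]), a self-contained C model of the attribute-length arithmetic that a check for negative `attrlen` guards: without the check the aligned size goes negative, so the buffer-space test is passed, the 16-bit `nla_len` wraps, and the message length moves backwards; rejecting `attrlen < 0` up front avoids all of that. The `toy_*` names, the 64-byte buffer and the 16 bytes already in use are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Netlink attribute layout and 4-byte alignment rule, as in the kernel's
 * public headers; everything in this file is a constructed toy, not libnl. */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
struct toy_nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN ((int) NLA_ALIGN((int) sizeof(struct toy_nlattr)))
/* Bytes an attribute with an attrlen-byte payload occupies in a message.
 * For a negative attrlen this goes negative instead of failing. */
static int toy_nla_total_size(int attrlen) { return NLA_ALIGN(NLA_HDRLEN + attrlen); }
/* A message with a fixed 64-byte buffer (assumed); `len` is bytes already used. */
struct toy_msg { unsigned char buf[64]; int len; };
/* Reserve room for an attribute. check_negative toggles the sanity check the
 * thread talks about. Returns 0 on success, -1 when the request is rejected. */
static int toy_nla_reserve(struct toy_msg *m, uint16_t type, int attrlen, int check_negative)
{
    if (check_negative && attrlen < 0)
        return -1;                                    /* hardened: reject up front */
    int need = toy_nla_total_size(attrlen);
    if (m->len + need > (int) sizeof m->buf)          /* a negative `need` passes this */
        return -1;
    struct toy_nlattr *nla = (struct toy_nlattr *) (m->buf + m->len);
    nla->nla_len = (uint16_t) (NLA_HDRLEN + attrlen); /* negative wraps to ~65k */
    nla->nla_type = type;
    m->len += need;                                   /* can move the message backwards */
    return 0;
}
/* What one reserve on a message with 16 bytes already used leaves behind. */
struct toy_result { int rc; int len_after; unsigned recorded_len; };
static struct toy_result toy_try_reserve(int attrlen, int check_negative)
{
    struct toy_msg m = { .len = 16 };                 /* buf is zero-initialised */
    struct toy_result r;
    r.rc = toy_nla_reserve(&m, 1, attrlen, check_negative);
    r.len_after = m.len;
    r.recorded_len = ((struct toy_nlattr *) (m.buf + 16))->nla_len;
    return r;
}

int main(void)
{
    struct toy_result bad = toy_try_reserve(-8, 0), good = toy_try_reserve(-8, 1);
    printf("unchecked: rc=%d len=%d nla_len=%u\n", bad.rc, bad.len_after, bad.recorded_len);
    printf("checked:   rc=%d len=%d\n", good.rc, good.len_after);
    return 0;
}
```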
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-18 17:22:43 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1414304 points to https://bugzilla.redhat.com/show_bug.cgi?id=1414309 ("Access denied").
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-18 17:26:06 UTC
I guess there might be a kernel bug that Red Hat is trying to mitigate by doing a sanity check in libnl. But if I can execute malicious code on a system that relies on libnl passing a negative attrlen to the kernel, and libnl is patched to prevent that, then nothing stops me from linking my code against a "vulnerable" version of libnl and avoiding the patched libnl.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-29 21:39:02 UTC
And now there is [1] which refers to [2] which both _still_ don't explain how using a negative length that shouldn't be negative in a function argument could ever (directly) lead to a privilege elevation.

It specifically states that the problem is in Android, so maybe Android was allowing its apps to use libnl functions without checking their input, but Red Hat probably wasn't and shouldn't have worried. Can we move on, now?


[1] https://access.redhat.com/security/cve/CVE-2017-0386
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0386