Bug 1056051 – VUL-0: CVE-2017-13715: kernel: __skb_flow_dissect function in net/core/flow_dissector.c allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code

Bug 1056051 - (CVE-2017-13715) VUL-0: CVE-2017-13715: kernel: __skb_flow_dissect function in net/core/flow_dissector.c allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code

(CVE-2017-13715)
Summary:	VUL-0: CVE-2017-13715: kernel: __skb_flow_dissect function in net/core/flow_d...

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Michal Marek
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/191093/
Whiteboard:	CVSSv3:RedHat:CVE-2017-13715:7.5:(AV...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-08-29 07:56 UTC by Alexander Bergmann
Modified:	2017-09-07 11:55 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2017-08-29 07:56:52 UTC

CVE-2017-13715

The __skb_flow_dissect function in net/core/flow_dissector.c in the
Linux kernel before 4.3 does not ensure that n_proto, ip_proto, and
thoff are initialized, which allows remote attackers to cause a denial
of service (system crash) or possibly execute arbitrary code via a
single crafted MPLS packet.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13715

Comment 1 Alexander Bergmann 2017-08-29 08:00:31 UTC

SLE-12 is already fixed. Please check SLE-11 and before.

Comment 2 Marcus Meissner 2017-08-29 10:42:44 UTC

https://github.com/torvalds/linux/commit/a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0

Comment 3 Marcus Meissner 2017-08-29 10:43:39 UTC

 From: Alexander Popov <alex.popov () linux com>
Date: Thu, 24 Aug 2017 17:52:45 +0300

Hello,

I was asked to investigate a suspicious kernel crash on some Linux
server. It is at least a remote DoS (and maybe RCE): Linux is crashed by
receiving a single special MPLS packet.

I bisected and found out that the bug was introduced in
commit b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13
Author: Tom Herbert <tom () herbertland com>
Date:   Thu Jun 4 09:16:46 2015 -0700

And was later fixed it in
commit a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0
Author: Tom Herbert <tom () herbertland com>
Date:   Tue Sep 1 09:24:26 2015 -0700

So currently the mainline kernel is not affected.

However, this fix is obfuscated and looks like unimportant code
cleanup from the first glance. IMO that is not good. Moreover,
the fix is a part of a branch which breaks the kernel build, so
bisecting was not easy.

Actually the vulnerability is the usage of uninitialized variables. It
is caused by returning true without setting values for n_proto, ip_proto
and thoff in __skb_flow_dissect().

Is it worth requesting a CVE ID for that issue?

Best regards,
Alexander

Comment 4 Marcus Meissner 2017-08-29 10:44:36 UTC

b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13 appeared in 4.2.

a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0 is in 4.3.

I think this excludes all our active maintained kernels unless we backported stuff.

Comment 5 Michal Marek 2017-09-07 11:55:24 UTC

Thanks for the analysis, Marcus. I can't find such backport in any of our branches, so closing.