Allele Security Alert
ASA-2018-00066
Identifier(s)
ASA-2018-00066, CVE-2018-14646
Title
NULL pointer dereference in af_netlink.c:__netlink_ns_capable()
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 4.15-rc8
Introduced by commit:
rtnetlink: use netnsid to query interface
https://github.com/torvalds/linux/commit/79e1ad148c844f5c8b9d76b36b26e3886dca95ae
Fixed version(s)
Linux kernel version 4.15-rc8
Proof of concept
Unknown
Description
The Linux kernel was found to be vulnerable to a NULL pointer dereference in the __netlink_ns_capable() function in net/netlink/af_netlink.c. When a net namespace with a netnsid is assigned, a local attacker could exploit this to cause a kernel panic and a denial of service.
Technical details
The function get_target_net() is called from two places: rtnl_dump_ifinfo() and rtnl_getlink(). rtnl_getlink() passes a request skb to get_target_net(), but rtnl_dump_ifinfo() passes a response skb. The problem is that NETLINK_CB() isn’t initialized for the response skb, so __netlink_ns_capable() dereferences a NULL pointer when it is reached through that path.
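The request/response difference described above, as an added userspace model that is not kernel code and not part of the original alert. The struct layouts, the cb_sk field, MODEL_NULL_DEREF, the helper names, and which socket each caller passes after the fix are assumptions made for illustration; the model returns an error code at the point where the kernel would fault.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace stand-ins (assumptions), not kernel definitions. */
struct sock { bool cap_net_admin; };   /* the user's netlink socket */
struct sk_buff {
    struct sock *sk;     /* socket that owns the skb */
    struct sock *cb_sk;  /* models NETLINK_CB(skb).sk */
};
#define MODEL_NULL_DEREF (-EFAULT)     /* where the real kernel would oops */

/* Before the fix: the capability check reads NETLINK_CB(skb).sk. */
static int get_target_net_before(const struct sk_buff *skb)
{
    if (skb->cb_sk == NULL)
        return MODEL_NULL_DEREF;       /* kernel: NULL pointer dereference */
    return skb->cb_sk->cap_net_admin ? 0 : -EACCES;
}

/* After the fix: the caller passes the user socket itself. */
static int get_target_net_after(const struct sock *sk)
{
    return sk->cap_net_admin ? 0 : -EACCES;
}

/* rtnl_getlink() path: request skb, control block filled in. */
static int getlink_path(struct sock *user, bool fixed)
{
    struct sk_buff req = { .sk = user, .cb_sk = user };
    return fixed ? get_target_net_after(req.cb_sk)
                 : get_target_net_before(&req);
}

/* rtnl_dump_ifinfo() path: response skb, control block not initialized. */
static int dump_path(struct sock *user, bool fixed)
{
    struct sk_buff rsp = { .sk = user, .cb_sk = NULL };
    return fixed ? get_target_net_after(rsp.sk)
                 : get_target_net_before(&rsp);
}

int main(void)
{
    struct sock user = { .cap_net_admin = true };
    printf("getlink: before=%d after=%d\n", getlink_path(&user, false), getlink_path(&user, true));
    printf("dump:    before=%d after=%d\n", dump_path(&user, false), dump_path(&user, true));
    return 0;
}
```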
Credits
Christian Brauner
Reference(s)
rtnetlink: give a user socket to get_target_net()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f428fe4a04cc339166c8bbd489789760de3a0cee
[PATCH v2] rtnetlink: give a user socket to get_target_net()
https://marc.info/?l=linux-netdev&m=151500466401174&w=2
Bug 1630124 – (CVE-2018-14646) CVE-2018-14646 kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable() allows for denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14646
rtnetlink: use netnsid to query interface
https://github.com/torvalds/linux/commit/79e1ad148c844f5c8b9d76b36b26e3886dca95ae
CVE-2018-14646 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-14646
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14646.html
CVE-2018-14646
https://security-tracker.debian.org/tracker/CVE-2018-14646
CVE-2018-14646 | SUSE
https://www.suse.com/security/cve/CVE-2018-14646
CVE-2018-14646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14646
CVE-2018-14646
https://nvd.nist.gov/vuln/detail/CVE-2018-14646
Last modified: October 10, 2019