ASA-2019-00123 – Linux kernel: Out-of-bounds read and write in SNMP NAT module


Allele Security Alert

ASA-2019-00123

Identifier(s)

ASA-2019-00123, CVE-2019-9162

Title

Out-of-bounds read and write in SNMP NAT module

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.0

Linux kernel versions 4.20.x before 4.20.12
Linux kernel versions 4.19.x before 4.19.25
Linux kernel versions 4.14.x before 4.14.103

Linux kernel versions since the following commit:

netfilter: nf_nat_snmp_basic: use asn1 decoder library
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc2d58634e0f489d28b5564c05abc69930b4d920

Fixed version(s)

Linux kernel version 5.0

Linux kernel version 4.20.12
Linux kernel version 4.19.25
Linux kernel version 4.14.103

Linux kernel versions with the following commit applied:

netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc

Proof of concept

Yes

Description

It was found that there are insufficient ASN.1 sequence length checks (a.k.a. an array index error) in the Linux kernel in the snmp_version() and snmp_helper() functions in net/ipv4/netfilter/nf_nat_snmp_basic_main.c, part of the nf_nat_snmp_basic module, making out-of-bounds read and write operations possible. An unprivileged local attacker can use this flaw to cause a kernel OOPS condition and thus a denial of service (DoS). Due to the nature of the flaw, an attack from the network or privilege escalation cannot be fully ruled out.

Technical details

The commit cc2d58634e0f (“netfilter: nf_nat_snmp_basic: use asn1 decoder library”, first in 4.16) changed the nf_nat_snmp_basic module (which, when enabled, parses and modifies the ASN.1-encoded payloads of SNMP messages) so that the kernel’s ASN.1 infrastructure is used instead of an open-coded parser. The common ASN.1 decoder can invoke callbacks when certain objects are encountered. The SNMP helper has two such callbacks defined in nf_nat_snmp_basic.asn1:

– For the `version` field of a `Message` (an `INTEGER`), snmp_version() is invoked.
– For each `IpAddress` (according to RFC 1155, a 4-byte octet string), snmp_helper() is invoked.

These callbacks contain the following code:

int snmp_version(void *context, size_t hdrlen, unsigned char tag,
                 const void *data, size_t datalen)
{
        /* datalen is never consulted: with datalen == 0 this reads one byte
         * past the element's contents */
        if (*(unsigned char *)data > 1)
                return -ENOTSUPP;
        return 1;
}

int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
                const void *data, size_t datalen)
{
        struct snmp_ctx *ctx = (struct snmp_ctx *)context;
        __be32 *pdata = (__be32 *)data;

        /* datalen is never consulted: a 4-byte read (and, on a match, a 4-byte
         * write) happens regardless of how many contents octets the element has */
        if (*pdata == ctx->from) {
                pr_debug("%s: %pI4 to %pI4\n", __func__,
                         (void *)&ctx->from, (void *)&ctx->to);

                if (*ctx->check)
                        fast_csum(ctx, (unsigned char *)data - ctx->begin);
                *pdata = ctx->to;
        }

        return 1;
}

The problem is that both of these callbacks can be invoked by the ASN.1 parser with `data` pointing at the end of the packet and `datalen==0` (even though, for the `INTEGER` type, X.690 says in section 8.3.1 that “The contents octets shall consist of one or more octets”), but they don’t check whether there is sufficient input available. This means that snmp_version() can read up to one byte out-of-bounds and leak whether that byte was <=1, and snmp_helper() can read and potentially also write up to four bytes out-of-bounds.
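The following is an added example, not code from this alert or from the kernel tree. It models the two callbacks in user space with the length checks the fix commit's title describes ("add missing length checks in ASN.1 cbs"), and pairs them with a tiny DER dispatcher so the datalen == 0 path described above can be exercised on a constructed packet. The snmp_version_checked() / snmp_helper_checked() names, dispatch_one(), the demo_* functions and the cut-down struct snmp_ctx are this example's own; the kernel's checksum fix-up is left out.

```c
/* Added example, not code from the advisory or the kernel tree: a user-space
 * model of the two nf_nat_snmp_basic callbacks carrying the length checks the
 * fix commit describes, plus a tiny TLV dispatcher showing how a zero-length
 * element reaches a callback. The *_checked and demo_* names, dispatch_one()
 * and this struct snmp_ctx are the example's own constructs. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ENOTSUPP
#define ENOTSUPP 524   /* kernel-internal errno value, absent from user space */
#endif

#define ASN1_INTEGER   0x02   /* universal INTEGER */
#define ASN1_IPADDRESS 0x40   /* [APPLICATION 0] OCTET STRING (SIZE (4)), RFC 1155 */

/* Stand-in for the kernel's struct snmp_ctx; addresses are network byte order (__be32). */
struct snmp_ctx {
    uint32_t from;
    uint32_t to;
};

/* Hardened snmp_version(): require exactly one contents octet before reading
 * it, so datalen == 0 can no longer read one byte past the element. */
int snmp_version_checked(const unsigned char *data, size_t datalen)
{
    if (datalen != 1)
        return -EINVAL;
    if (data[0] > 1)
        return -ENOTSUPP;   /* only SNMPv1 (0) and v2c (1) are handled */
    return 1;
}

/* Hardened snmp_helper(): an IpAddress is exactly 4 octets, so the 4-byte read and
 * conditional 4-byte write happen only once that holds. Checksum fix-up is omitted. */
int snmp_helper_checked(struct snmp_ctx *ctx, unsigned char *data, size_t datalen)
{
    uint32_t addr;
    if (datalen != 4)
        return -EINVAL;
    memcpy(&addr, data, 4);
    if (addr == ctx->from)
        memcpy(data, &ctx->to, 4);
    return 1;
}

/* Minimal DER walker standing in for the kernel decoder's callback dispatch: parses
 * one short-form TLV from buf[0..len) and hands its contents to the matching callback.
 * It keeps the contents inside the packet but passes datalen == 0 straight through for
 * "<tag> 00"; the per-type minimum length is the callback's job, which is what was missing. */
int dispatch_one(struct snmp_ctx *ctx, unsigned char *buf, size_t len)
{
    size_t datalen;
    if (len < 2 || (buf[1] & 0x80))
        return -EBADMSG;    /* truncated header or long-form length */
    datalen = buf[1];
    if (datalen > len - 2)
        return -EBADMSG;    /* contents would run past the packet */

    switch (buf[0]) {
    case ASN1_INTEGER:
        return snmp_version_checked(buf + 2, datalen);
    case ASN1_IPADDRESS:
        return snmp_helper_checked(ctx, buf + 2, datalen);
    default:
        return 1;           /* no callback registered for this tag */
    }
}

/* Constructed packet "<tag> 00": an element with zero contents octets, the case the
 * unpatched callbacks read (and, for IpAddress, wrote) past. */
int demo_empty_element(unsigned char tag)
{
    struct snmp_ctx ctx = { 0, 0 };
    unsigned char buf[] = { tag, 0x00 };
    return dispatch_one(&ctx, buf, sizeof buf);
}

/* Constructed well-formed IpAddress 10.0.0.1, translated to 192.168.1.1; returns 1
 * only if the callback accepted the element and the rewrite landed in its contents. */
int demo_rewrite_ipaddress(void)
{
    const unsigned char from[4] = { 10, 0, 0, 1 }, to[4] = { 192, 168, 1, 1 };
    unsigned char buf[] = { ASN1_IPADDRESS, 0x04, 10, 0, 0, 1 };
    struct snmp_ctx ctx;
    memcpy(&ctx.from, from, 4);
    memcpy(&ctx.to, to, 4);
    return dispatch_one(&ctx, buf, sizeof buf) == 1 && memcmp(buf + 2, to, 4) == 0;
}

int main(void)
{
    printf("empty INTEGER: %d, empty IpAddress: %d, rewrite: %d\n",
           demo_empty_element(ASN1_INTEGER), demo_empty_element(ASN1_IPADDRESS),
           demo_rewrite_ipaddress());
    return 0;
}
```

The point of splitting the checks this way is that the generic decoder only knows the element lies inside the packet; it cannot know that an SNMP version needs one octet or an IpAddress four, so each callback has to enforce its own minimum before dereferencing data. With the checks in place an empty element is refused with -EINVAL instead of being read past, and the translation of a well-formed address still works as before.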

There are two scenarios in which this bug might be attacked:

  1. A router that performs NAT translation is explicitly set up to invoke the SNMP helper, and a device in the NATted network wants to attack the router. This is probably very rare, since the router would need to be explicitly configured to perform SNMP translation. On top of that, to corrupt memory, an attacker would need to be able to completely fill an SKB; it isn’t clear to me whether that is possible remotely.
  2. A local attacker could exploit the bug by setting up new network namespaces with an iptables configuration that invokes SNMP translation. This probably works as a local privilege escalation against some distribution kernels. The normal autoloading path for this code was only set up in commit 95c97998aa9f (“netfilter: nf_nat_snmp_basic: add missing helper alias name”, first in 4.20), but from a glance, it looks like it would be possible on kernels before 4.20 to instead first load one of the openvswitch module’s aliases “net-pf-16-proto-16-family-ovs_*” through ctrl_getfamily(), then use ovs_ct_add_helper() to trigger loading of “nf_nat_snmp_basic” through the alias “ip_nat_snmp_basic”.

Credits

Jann Horn (Google Project Zero)

Reference(s)

Issue 1776: Linux: out-of-bounds read and write in SNMP NAT module
https://bugs.chromium.org/p/project-zero/issues/detail?id=1776

Linux kernel: OOB R/W in SNMP NAT module (CVE-2019-9162); virtual address 0 mappable (CVE-2019-9213)
https://seclists.org/oss-sec/2019/q1/166

netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc

netfilter: nf_nat_snmp_basic: use asn1 decoder library
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc2d58634e0f489d28b5564c05abc69930b4d920

netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs
https://github.com/torvalds/linux/commit/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc

netfilter: nf_nat_snmp_basic: use asn1 decoder library
https://github.com/torvalds/linux/commit/cc2d58634e0f489d28b5564c05abc69930b4d920

Linux 5.0
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0

Linux 4.20.12
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.12

Linux 4.14.103
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.103

Linux 4.19.25
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.25

CVE-2019-9162 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-9162

CVE-2019-9162
https://security-tracker.debian.org/tracker/CVE-2019-9162

CVE-2019-9162 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9162.html

CVE-2019-9162 | SUSE
https://www.suse.com/security/cve/CVE-2019-9162

CVE-2019-9162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9162

CVE-2019-9162
https://nvd.nist.gov/vuln/detail/CVE-2019-9162

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.