ASA-2020-00039 – Linux kernel: SELinux netlink permission check bypass due to SELinux incorrectly assuming that an skb would only contain a single netlink message


Allele Security Alert

ASA-2020-00039

Identifier(s)

ASA-2020-00039, CVE-2020-10751

Title

SELinux netlink permission check bypass due to SELinux incorrectly assuming that an skb would only contain a single netlink message

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel 5.6.x before version 5.6.11
Linux kernel 5.4.x before version 5.4.39
Linux kernel 4.19.x before version 4.19.121
Linux kernel 4.14.x before version 4.14.179
Linux kernel 4.9.x before version 4.9.222
Linux kernel 4.4.x before version 4.4.222

Fixed version(s)

Linux kernel version 5.6.11
Linux kernel version 5.4.39
Linux kernel version 4.19.121
Linux kernel version 4.14.179
Linux kernel version 4.9.222
Linux kernel version 4.4.222

Linux kernel versions since the following commit:

selinux: properly handle multiple messages in selinux_netlink_send()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb73974172ffaaf57a7c42f35424d9aece1a5af6

Proof of concept

Unknown

Description

A flaw was found in the Linux kernel's SELinux LSM hook implementation, which incorrectly assumed that an skb would contain only a single netlink message. The hook validated only the first netlink message in the skb and then allowed or denied the remaining messages in the skb with that same decision, without further processing.
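
The difference between checking only the first message and checking every message, modelled in userspace C. This is an added example, not the kernel's code and not the code of the fix commit; `nl_hdr`, `type_allowed`, the `TYPE_READ`/`TYPE_WRITE` values, the policy and the sample buffer are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model: same field layout as the kernel's struct nlmsghdr. */
struct nl_hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
#define NL_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)
enum { TYPE_READ = 1, TYPE_WRITE = 2 };   /* constructed message types */

/* Hypothetical policy: the sender may only issue TYPE_READ. */
static int type_allowed(uint16_t type) { return type == TYPE_READ; }

/* Flawed shape: the verdict for the whole buffer comes from header one. */
int check_first_only(const uint8_t *buf, size_t n)
{
    struct nl_hdr h;
    if (n < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    return type_allowed(h.type) ? 0 : -1;
}

/* Corrected shape: every message in the buffer gets its own check. */
int check_all(const uint8_t *buf, size_t n)
{
    size_t off = 0;
    while (n - off >= sizeof(struct nl_hdr)) {
        struct nl_hdr h;
        memcpy(&h, buf + off, sizeof h);
        /* This model rejects bogus lengths; that choice is the example's own. */
        if (h.len < sizeof h || h.len > n - off) return -1;
        if (!type_allowed(h.type)) return -1;
        if (NL_ALIGN(h.len) >= n - off) break;   /* last message */
        off += NL_ALIGN(h.len);
    }
    return 0;
}

/* Constructed sample: an allowed message followed by a denied one. */
int run_sample(int check_every_message)
{
    uint8_t buf[2 * sizeof(struct nl_hdr)];
    struct nl_hdr a = { (uint32_t)sizeof a, TYPE_READ, 0, 1, 0 };
    struct nl_hdr b = { (uint32_t)sizeof b, TYPE_WRITE, 0, 2, 0 };
    memcpy(buf, &a, sizeof a);
    memcpy(buf + sizeof a, &b, sizeof b);
    return check_every_message ? check_all(buf, sizeof buf)
                               : check_first_only(buf, sizeof buf);
}
```

`run_sample(0)` returns 0 (the buffer is accepted on the strength of its first header), while `run_sample(1)` returns -1 because the second message is evaluated on its own.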

Technical details

Unknown

Credits

Dmitry Vyukov

Reference(s)

selinux: properly handle multiple messages in selinux_netlink_send()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb73974172ffaaf57a7c42f35424d9aece1a5af6

selinux: properly handle multiple messages in selinux_netlink_send()
https://github.com/torvalds/linux/commit/fb73974172ffaaf57a7c42f35424d9aece1a5af6

Linux kernel SELinux/netlink missing access check
https://www.openwall.com/lists/oss-security/2020/04/30/5

selinux_netlink_send changes program behavior
https://lore.kernel.org/selinux/CACT4Y+YTi4JCFRqOB9rgA22S+6xxTo87X41hj6Tdfro8K3ef7g@mail.gmail.com/

Linux 5.6.11
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.11

Linux 5.4.39
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.39

Linux 4.19.121
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.121

Linux 4.14.179
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.179

Linux 4.9.222
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.222

Linux 4.4.222
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.222

CVE-2020-10751 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2020-10751

CVE-2020-10751
https://security-tracker.debian.org/tracker/CVE-2020-10751

CVE-2020-10751 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10751.html

CVE-2020-10751 | SUSE
https://www.suse.com/security/cve/CVE-2020-10751

CVE-2020-10751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10751

CVE-2020-10751
https://nvd.nist.gov/vuln/detail/CVE-2020-10751

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: May 26, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.