xt_TCPMSS buffer overflow bug

Bug #1739765 reported by Denys Fedoryshchenko
Affects: linux (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The bug was reported on LKML here: https://lkml.org/lkml/2017/4/2/13
In a few words: a corrupted packet might be used to modify memory on a router that uses xt_TCPMSS as an iptables action.
This is a really nasty bug, and it can be triggered remotely by a malicious person on anything that typically uses this iptables action (a PPPoE/PPTP-enabled ISP or VPN provider, for example).
This bug has existed for several years, I guess.
I have waited for a while since April, as the fix has already been pushed to stable and probably all distributions have updated it, so now it's time to file a bug report to make sure it is really fixed everywhere.
Maybe it is worth assigning a CVE for it?

Seth Arnold (seth-arnold) wrote:

Hello Denys,

Are fixes for this bug available?
Did you discover this bug?
Have you, or someone else, filed for a CVE for this issue yet?

Thanks

affects: kernel-package (Ubuntu) → linux (Ubuntu)
information type: Private Security → Public Security
Changed in linux (Ubuntu):
status: New → Incomplete
Denys Fedoryshchenko (nuclearcat) wrote:

Yes, it has already been queued by Eric Dumazet in all stable kernels since the report in April:
http://patchwork.ozlabs.org/patch/746618/

Yes, I did, but the troubleshooting was done and the fix issued by Eric Dumazet.
Also, there is a chance that someone used it for malicious purposes "in the wild" at that moment, as it appeared at peak time on an ISP, in a specific network with many users, while exactly the same setup at other locations didn't have this issue. That was the reason to enable KASAN and search for it.

No CVE as far as I know; I just don't know how to do that. Not sure if Eric or the netfilter developers (for example Pablo Neira Ayuso) filed anything.

Seth Arnold (seth-arnold) wrote:

Thanks Denys, I've asked MITRE for a CVE number for this issue.

Seth Arnold (seth-arnold) wrote:

Use CVE-2017-18017.

Thanks

Denys Fedoryshchenko (nuclearcat) wrote:

Perfect! Thanks a lot, now I have a big reason to ask some sysadmins and vendors to upgrade their kernels.

Launchpad Janitor (janitor) wrote:

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
Steve Beattie (sbeattie) wrote:

Sorry, the kernel commit that fixes this didn't pick up the Launchpad bug number, so this bug didn't get auto-closed. It's been addressed in all Ubuntu releases, e.g. https://usn.ubuntu.com/usn/usn-3583-1/.
You can see the state at https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18017.html.

Thanks again for the report!

Changed in linux (Ubuntu):
status: Expired → Fix Released