A flaw was found in the way Linux kernel allocates heap memory to build the scattergather list from a fragment list(skb_shinfo(skb)->frag_list) in the socket buffer(skb_buff). The heap overflow occurred if 'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST' feature are both used together. A remote user or process could use this flaw to potentially escalate their privilege on a system.
Find out more about CVE-2017-7477 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 starting with the version kernel-3.10.0-514.el7, that is with Red Hat Enterprise Linux 7.3 GA. Prior Red Hat Enterprise Linux 7 kernel versions are not affected.
In order to exploit this issue, the system needs to be manually configured by privileged user. The default Red Hat Enterprise Linux 7 configuration is not vulnerable.
CVSS3 Base Score | 8.1 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity Impact | High |
Availability Impact | High |
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux 7 (kernel) | RHSA-2017:1615 | 2017-06-28 |
Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt) | RHSA-2017:1616 | 2017-06-28 |
Platform | Package | State |
---|---|---|
Red Hat Enterprise MRG 2 | realtime-kernel | Not affected |
Red Hat Enterprise Linux 6 | kernel | Not affected |
Red Hat Enterprise Linux 5 | kernel | Not affected |
Red Hat recommends blacklisting the kernel module to prevent its use. This will prevent accidental version loading by administration and also mitigate the flaw if a kernel with the affected module is booted.
As the macsec module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:
Raw
# echo "install macsec /bin/true" >> /etc/modprobe.d/disable-macsec.conf
If macsec functionality is in use as a functional part of the system a kernel upgrade is required.