ID CVE-2016-3707
Summary The icmp_check_sysrq function in net/ipv4/icmp.c in the kernel.org projects/rt patches for the Linux kernel, as used in the kernel-rt package before 3.10.0-327.22.1 in Red Hat Enterprise Linux for Real Time 7 and other products, allows remote attackers to execute SysRq commands via crafted ICMP Echo Request packets, as demonstrated by a brute-force attack to discover a cookie, or an attack that occurs after reading the local icmp_echo_sysrq file.
References
Vulnerable Configurations
  • cpe:2.3:o:redhat:enterprise_linux_for_real_time_for_nfv:7
    cpe:2.3:o:redhat:enterprise_linux_for_real_time_for_nfv:7
  • cpe:2.3:o:redhat:enterprise_linux_for_real_time:7
    cpe:2.3:o:redhat:enterprise_linux_for_real_time:7
  • Linux Kernel-rt 3.10.0
    cpe:2.3:o:linux:linux_kernel-rt:3.10.0
  • cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1
    cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1
CVSS
Base: 6.8 (as of 24-08-2016 - 10:02)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1341.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2.5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt package contain the Linux kernel, the core of any Linux operating system. This update provides a build of the kernel-rt package for Red Hat Enterprise MRG 2.5 that is layered on Red Hat Enterprise Linux 6, and provides a number of bug fixes including : * [netdrv] ixgbevf: fix spoofed packets with random MAC and use ether_addr_copy instead of memcpy * [mm] mmu_notifier: fix memory corruption * [mm] hugetlbfs: optimize when NUMA=n * [mm] optimize put_mems_allowed() usage * [x86] mm: suitable memory should go to ZONE_MOVABLE * [fs] xfs: fix splice/direct-IO deadlock * [acpi] tables: Add acpi_subtable_proc to ACPI table parsers * [acpi] table: Add new function to get table entries * [net] ipv6: Nonlocal bind * [net] ipv4: bind ip_nonlocal_bind to current netns (BZ#1332298) Security Fix(es) : * A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system. (CVE-2016-4565, Important) * A race condition flaw was found in the way the Linux kernel's SCTP implementation handled sctp_accept() during the processing of heartbeat timeout events. A remote attacker could use this flaw to prevent further connections to be accepted by the SCTP server running on the system, resulting in a denial of service. (CVE-2015-8767, Moderate) * A flaw was found in the way the realtime kernel processed specially crafted ICMP echo requests. A remote attacker could use this flaw to trigger a sysrql function based on values in the ICMP packet, allowing them to remotely restart the system. Note that this feature is not enabled by default and requires elevated privileges to be configured. (CVE-2016-3707, Moderate) Red Hat would like to thank Jann Horn for reporting CVE-2016-4565. Bug Fix(es) : * An oops can occur in the hpsa driver while submitting ioaccel2 commands when the phys_disk pointer is NULL (in hpsa_scsi_ioaccel_raid_map). Configuration changes during I/O operations could set the phys_disk pointer to NULL. In this case, send the command down the RAID path for correct processing, avoiding the oops. (BZ#1334260) * A faulty code merge left an extra spin_lock operation in the function fscache_invalidate_write(). The code has been correctly updated to remove this extra lock operation, which avoids a potential deadlock situation when looping through cache pages. (BZ#1327730)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91872
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91872
    title RHEL 6 : MRG (RHSA-2016:1341)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1301.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. The following packages have been upgraded to a newer upstream version: kernel-rt (3.10.0-327.22.1). This version provides a number of bug fixes and enhancements, including : * [netdrv] ixgbevf: fix spoofed packets with random MAC and use ether_addr_copy instead of memcpy * [mm] mmu_notifier: fix memory corruption * [mm] hugetlbfs: optimize when NUMA=n * [mm] optimize put_mems_allowed() usage * [x86] mm: suitable memory should go to ZONE_MOVABLE * [fs] xfs: fix splice/direct-IO deadlock * [acpi] tables: Add acpi_subtable_proc to ACPI table parsers * [acpi] table: Add new function to get table entries * [net] ipv6: Nonlocal bind * [net] ipv4: bind ip_nonlocal_bind to current netns (BZ#1335747) Security Fix(es) : * A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system. (CVE-2016-4565, Important) * A race condition flaw was found in the way the Linux kernel's SCTP implementation handled sctp_accept() during the processing of heartbeat timeout events. A remote attacker could use this flaw to prevent further connections to be accepted by the SCTP server running on the system, resulting in a denial of service. (CVE-2015-8767, Moderate) * A flaw was found in the way the realtime kernel processed specially crafted ICMP echo requests. A remote attacker could use this flaw to trigger a sysrql function based on values in the ICMP packet, allowing them to remotely restart the system. Note that this feature is not enabled by default and requires elevated privileges to be configured. (CVE-2016-3707, Moderate) Red Hat would like to thank Jann Horn for reporting CVE-2016-4565. Bug Fix(es) : * Previously, configuration changes to the Hewlett Packard Smart Array (HPSA) driver during I/O operations could set the phys_disk pointer to NULL. Consequently, kernel oops could occur while the HPSA driver was submitting ioaccel2 commands. An upstream patch has been provided to fix this bug, and the oops in the hpsa_scsi_ioaccel_raid_map() function no longer occurs. (BZ#1335411) * In a previous code update one extra spin_lock operation was left untouched. Consequently, a deadlock could occur when looping through cache pages. With this update, the extra lock operation has been removed from the source code and the deadlock no longer occurs in the described situation. (BZ#1327073)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91805
    published 2016-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91805
    title RHEL 7 : kernel-rt (RHSA-2016:1301)
redhat via4
advisories
  • rhsa
    id RHSA-2016:1301
  • rhsa
    id RHSA-2016:1341
rpms
  • kernel-rt-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-debug-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-debug-devel-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-debug-kvm-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-devel-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-doc-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-kvm-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-trace-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-trace-devel-0:3.10.0-327.22.2.rt56.230.el7_2
  • kernel-rt-trace-kvm-0:3.10.0-327.22.2.rt56.230.el7_2
refmap via4
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1327484
mlist [oss-security] 20160517 CVE-2016-3707 : kernel-rt - Sending SysRq command via ICMP echo request
suse
  • SUSE-SU-2016:1764
  • SUSE-SU-2016:1937
  • SUSE-SU-2016:1985
Last major update 28-11-2016 - 15:12
Published 27-06-2016 - 06:59
Back to Top