CVE-2019-11815: The misinformation around this vulnerability and a brief analysis

I, and probably you, first read about this vulnerability on the bleepingcomputer article or a Reddit post linking to that article. The article stated that all Linux kernels prior to 5.0.8 are vulnerable to RCE. So, is a huge part of the internet now vulnerable? I started looking more into it.

CVE Details published that “An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.” As mentioned, the issue was on the net/rds/tcp.c file. And, it was patched on March 28, 2019.

RDS (Reliable Datagram Sockets) by default works over InfiniBand, can also be set to work over TCP/IP. The Linux kernel supports this with the rds_tcp module. To begin with, RDS over TCP is possible, only if the rds_tcp module is enabled. And no Linux distro enables rds_tcp module by default, maybe except for the one-offs. This significantly reduces the number of live computers vulnerable to this issue.

Now, let’s assume that an attacker has found a machine that is vulnerable to this bug. How exploitable is this issue? NIST website says 2.2/10. Let’s see if that score makes sense by checking the requirements for the machine to be exploitable.

Before starting, I highly recommend you to read the patch details here.

TL;DR
When the namespace in which the socket is operating gets cleared, the function rds_tcp_kill_sock() is being called. That function checks if the variable t_sock is NULL. If it is NULL, the worker continues. Eventually when the pointer ‘net’ is freed, but the worker is continuing, it leads to ‘net’ being used after freed.

A net namespace is an abstract of the original network stack with own routes, firewall rules, etc. You can learn more about network namespaces here. For the t_sock variable to be NULL, the underlying TCP connection of the socket should fail. In our scenario, where we are trying to exploit this, the connection should keep failing so that the t_sock variable remains NULL. Now, the attacker should clear the namespace, which is practically not possible without somehow convincing the user himself to do it. Then, again, the attacker should make the user connect to an RDS over TCP socket. Finally, the attacker will be able to leverage the freed up net pointer.

So, is this Remote Code Execution? Not in almost 99% of the cases. The chance of any machine having an RDS over TCP socket running inside a net namespace itself is very low, let alone all the difficulties in exploitability. So, there’s no need to panic by reading the bleepingcomputer article, unless you’re running such an application and you’re dumb. With that said, it is always recommended to use the latest and updated software 🙂

References

  1. /r/netsec discussion about CVE-2019-11815
  2. https://twitter.com/thracky/status/1128658350546223105
  3. https://github.com/torvalds/linux/blob/master/Documentation/networking/rds.txt
  4. https://github.com/torvalds/linux/commit/cb66ddd156203daefb8d71158036b27b0e2caf63
  5. https://linux.die.net/man/7/rds
  6. http://events17.linuxfoundation.org/sites/events/files/slides/rds.pdf