View Issue Details

IDProjectCategoryView StatusLast Update
0015336CentOS-77.nextpublic2018-10-09 01:30
Reportera4651386 
PriorityhighSeveritycrashReproducibilityalways
Status closedResolutionno change required 
Product Version7.1-1503 
Target VersionFixed in Version 
Summary0015336: CentOS desktop remote denial of service about ipsec
DescriptionCan cause the remote memory of the centos desktop version to run out, I tested this problem with centos6.10 centos7.10, but the minimal installation version is not very obvious

And the strange thing is that when I tested ubuntu, there was no such problem. Basically, most kernel versions can cause this effect.
Author 360 ESG Codesafe Team luo quan
  罗权 360企业安全集团代码卫士团队
Steps To Reproduce1.Compile the kernel and start compiling options
 <*> IP:AH transformation
  <*> IP:ESP transformation
  <*> IP:IPComp transformation
  <*> IP:IPsec transport mode
  <*> IP:IPsec tunnel mode
  <*> IP:IPsec BEET mode
2.Modify the firewall or turn off the firewall to allow the ah protocol or the esp protocol to pass through the firewall.
3.Run ah_add on the target machine with root privileges, you need to modify the inet_addr("127.0.0.1") of line 101 of ah_add.c; it refers to the local address (the address of the target machine)
4,.Run ipip as an attacker with root privileges,Need to modify the source address and destination address in the main function, the destination address refers to the IP address of the target machine
5.Running the free command can obviously see the decline in the amount of memory remaining space.Finally, it may lead to deadlock, shutdown may be, the centos7 desktop version may be more obvious
Additional InformationAuthor 360 ESG Codesafe Team luo quan
  罗权 360企业安全集团代码卫士团队

I hope to get the cve number
TagsNo tags attached.
abrt_hash
URL

Activities

a4651386

a4651386

2018-10-01 04:08

reporter  

ah_add.c (3,742 bytes)
ipip.c (8,085 bytes)
a4651386

a4651386

2018-10-01 04:10

reporter   ~0032827

https://drive.google.com/file/d/1TmOuAV56JiLP_bTnCQIAFVemN9OoDlIa/view?usp=sharing

This is the test video of centos6.10
a4651386

a4651386

2018-10-08 02:05

reporter   ~0032870

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [Suggested description]
> The Linux kernel 4.14.67 mishandles certain interaction among XFRM
> Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which
> allows local users to cause a denial of service (memory consumption
> and system hang) by leveraging root access to execute crafted
> applications, as demonstrated on CentOS 7.
>
> ------------------------------------------
>
> [Additional Information]
> ipsec Can cause the
> remote memory of the centos desktop version to run out, I tested this
> problem with centos6.10 centos7.10 , but the minimal installation
> version is not very obvious
>
> 1.Compile the kernel and start compiling options
> <*> IP:AH transformation
> <*> IP:ESP transformation
> <*> IP:IPComp transformation
> <*> IP:IPsec transport mode
> <*> IP:IPsec tunnel mode
> <*> IP:IPsec BEET mode
>
> 2.Modify the firewall or turn off the firewall to allow the ah
> protocol or the esp protocol to pass through the firewall. 3.Run
> ah_add on the target machine with root privileges, you need to modify
> the inet_addr("127.0.0.1") of line 101 of ah_add.c; it refers to the
> local address (the address of the target machine)
> https://drive.google.com/file/d/15aIxj_yupCcs7i14AIlE8U2ySfOyovnk/view
>
> 4,.Run ipip as an attacker with root privileges,Need to modify the
> source address and destination address in the main function, the
> destination address refers to the IP address of the target machine
> https://drive.google.com/file/d/1_dh_KX0JpJdoWQopN1KWORwJsQlah7Nv/view
>
> 5.Running the free command can obviously see the decline in the amount
> of memory remaining space.Finally, it may lead to deadlock, shutdown
> may be, the centos7 desktop version may be more obvious
>
> Can cause the remote memory of the centos desktop version to run out,
> I tested this problem with centos6.10 centos7.10, but the minimal
> installation version is not very obvious
>
> And the strange thing is that when I tested ubuntu, there was no such
> problem. Basically, most kernel versions can cause this effect.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Memory accumulation, memory application speed exceeds release speed, causing denial of service
>
> ------------------------------------------
>
> [Vendor of Product]
> CentOS desktop remote denial of service about ipsec
>
> ------------------------------------------
>
> [Affected Product Code Base]
> CentOS desktop - CentOS desktop6 CentOS desktop7
>
> ------------------------------------------
>
> [Affected Component]
> Can cause the remote memory of the centos desktop version to run out, I tested this problem with centos6.10 centos7.10,
> https://drive.google.com/file/d/1TmOuAV56JiLP_bTnCQIAFVemN9OoDlIa/view?usp=sharing
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> A packet attack opens a secure server that can cause a remote denial of service
>
> ------------------------------------------
>
> [Reference]
> https://drive.google.com/file/d/1TmOuAV56JiLP_bTnCQIAFVemN9OoDlIa/view?usp=sharing
> https://drive.google.com/file/d/1Mjr9Pu_dAjet2Bq_iWCEUIQkUtSTIBVK/view?usp=sharing
> https://drive.google.com/file/d/15aIxj_yupCcs7i14AIlE8U2ySfOyovnk/view
> https://drive.google.com/file/d/1_dh_KX0JpJdoWQopN1KWORwJsQlah7Nv/view
>
> ------------------------------------------
>
> [Discoverer]
> 360 ESG Codesafe Team luo quan

Use CVE-2018-17977.


- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJbtYkBAAoJEA2h+fVryJLoQQ8P/0q04KVv+s5Wg+FxY1TSm8Be
IWbLbWkQfk9PFC2CW6kheM0lEuC4TESEUQP6tLETLrFzPJOf2wQc2YJuUA2kFgil
18NMXDNKZ/x6w/qAPupID807oRKxlxTXs78X9aFNx6FonkdQAJGpf2OWTN/xIkkv
HWNhOXKWlsh799BQYBDl8haWGmJXv/6lPsDCLN2M/ZRhQKbK4Dbo6CZ+eXEbclGu
oSnsmAkK3w3J95rLD8/Y3p2eFnuOSPpBF7h4JC9ITU2nyCQvtjXpT7R2GVRsfv6G
2wFZIOUCsYVZA6dI9DZ+yOP7o22to/jws5cls4J89RdQqmf2ZzrgpMwQq9qVZDfh
b1Tr8iAtlCN8f1lvRbMziDLVDUnAPkG7xrcsQbR9pkPW6Ao3gG2hybGyB3sbkJKk
n8e/Q+t/2j5CfWjB5FnRRqcyJMqEiNTp5maslquoAPj2h8/+QxH4mc6ptjERGsQF
vGnkApEMdW1i9EjdceGcSE18rHashd6RCSsYG6Y2KqC033nGC2Pm9gU+z8EJhkLM
gxNHXKTF8KzqHgjFedLzZlEWqDP0FGfXZa2QTU5t/IZquEE9Vl0ROnQI+aYh8Il8
Rdzqy+FCvtcff5ArZs8yRRe9xqOUJjdkZ+IUgGTDWcd8utp1SvyynTVG0GBlqzgi
NPq6gDUCzVZad2D4iVq7
=xnI/
-----END PGP SIGNATURE-----
gerdesas

gerdesas

2018-10-09 01:27

manager   ~0032880

Last edited: 2018-10-09 01:29

View 2 revisions

The CentOS-6 release uses a highly patched 2.6.32 kernel and not the 4.14.67 release you cite in your report. To the best of my knowledge the kernel release you refer to was never offered by the project in any manner. Might I enquire as to where you got this kernel?

EDIT:

I just noticed this in your original report:

"1.Compile the kernel and start compiling options"

This is not a CentOS issue, this is an upstream kernel issue. The CVE you requested was done so inappropriately and was granted in error with no background research done which would have confirmed this was not a CentOS kernel.

I am closing this ticket.

Issue History

Date Modified Username Field Change
2018-10-01 04:08 a4651386 New Issue
2018-10-01 04:08 a4651386 File Added: ah_add.c
2018-10-01 04:08 a4651386 File Added: ipip.c
2018-10-01 04:10 a4651386 Note Added: 0032827
2018-10-08 02:05 a4651386 Note Added: 0032870
2018-10-09 01:27 gerdesas Note Added: 0032880
2018-10-09 01:29 gerdesas Note Edited: 0032880 View Revisions
2018-10-09 01:30 gerdesas Status new => closed
2018-10-09 01:30 gerdesas Resolution open => no change required