List: oss-security
Subject: Re: [oss-security] CVE-2021-20177 kernel: iptables string match rule could result in kernel panic
From: Philip Pettersson <philip.pettersson () gmail ! com>
Date: 2021-01-12 16:40:41
Message-ID: CAHQ_-nSbZpFA7rqYD3OfqROuzXd_J2UXmYiGkpBFgESCxxMrxQ () mail ! gmail ! com
On Tue, Jan 12, 2021 at 8:06 AM Sasha Levin <sashal@kernel.org> wrote:
>
> On Tue, Jan 12, 2021 at 03:23:16PM +0000, John Haxby wrote:
> >> On 12 Jan 2021, at 08:04, Greg KH <greg@kroah.com> wrote:
> >>
> >> I still do not understand why you report issues that are fixed over a
> >> year ago (October 2019) and assign them a CVE like this. Who does this
> >> help out? And what about the thousands of other issues that are fixed
> >> in the kernel and not assigned a CVE like this, are they somehow not as
> >> important to your group?
> >>
> >> What determines what you want to give a CVE to and what you do not?
> >
> >
> >I think I can answer that. There's nothing technical going on here, it's
> >down to the behaviour of the end users of enterprise systems.
> >
> >A lot of those people have a hard time understanding that they do
> >actually want bug fixes and an even harder time understanding that they
> >need to actually do something to install those fixes. (I was once asked
> >if I could fix a problem without changing anything, anything at all when
> >the fix was a one-off chmod.) A CVE number gets attention: think of it
> >as getting hold of the customer by the lapels and going nose-to-nose to
> >explain in words of one syllable that if they don't update their systems
> >they will crash and they will get hacked.
> >
> >Ooh, no, they say, we can't possibly take the risk of updating our
> >systems. Suppose something goes wrong? Sheesh. Suppose, instead,
> >someone comes along and sees a known, fixed bug is unfixed and uses that
> >to trash your systems. Or that you've got a bug that crashes the machine
> >once a week for which there's a fix. But, no, apparently the mythical
> >risk of a tested update vs the actual quantifiable risk of leaving the
> >bug unfixed is so great that they'd rather take the real, quantifiable
> >risk. I suppose that's understandable, after a fashion, even though
> >actual regressions are quite rare.
> >
> >If you present a customer with a CVE number (with or without a score)
> >then they have SLAs which will ensure that that fix gets applied.
>
> The subject of this thread is a "vulnerability" that requires root to
> exploit and was fixed ages ago.
I didn't take a look at this specific bug very closely, but on certain
distributions (Ubuntu etc) it has been possible to get CAP_NET_ADMIN
in your own network namespace for years. An unprivileged user can
become root with all capabilities in their own user/network namespace
and modify local iptables rules. On Red Hat systems you still need
root.
Philip
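A quick way to check the point Philip raises on a given host, added here as an example and not part of the thread: a POSIX shell function that reads the sysctls governing unprivileged user namespace creation (the Debian/Ubuntu `kernel.unprivileged_userns_clone` knob and the upstream `user.max_user_namespaces` limit; their names and the 0-means-disabled semantics are assumed from the kernel documentation, and the optional root-prefix argument exists only so the function can be tested against constructed files).

```shell
#!/bin/sh
# Added example (not from the thread): report whether unprivileged users on
# this host can create user namespaces, which is what lets a non-root process
# obtain CAP_NET_ADMIN in a private network namespace and load iptables rules
# there. Knobs checked (assumed to exist on the respective kernels):
#   kernel.unprivileged_userns_clone - Debian/Ubuntu patch (0 = only root)
#   user.max_user_namespaces         - upstream limit (0 = namespaces disabled)
# The optional first argument is an alternate root, used only for testing.
userns_exposure() {
    root="${1:-}"
    clone_file="$root/proc/sys/kernel/unprivileged_userns_clone"
    max_file="$root/proc/sys/user/max_user_namespaces"

    # Upstream limit of 0 switches user namespaces off for everyone.
    if [ -r "$max_file" ]; then
        max_ns=$(cat "$max_file")
        if [ "$max_ns" -eq 0 ] 2>/dev/null; then
            echo "disabled: user.max_user_namespaces=0 (user namespaces off entirely)"
            return 0
        fi
    fi

    # Debian/Ubuntu knob: 0 restricts creation to root, anything else opens it.
    if [ -r "$clone_file" ]; then
        clone=$(cat "$clone_file")
        if [ "$clone" = "0" ]; then
            echo "root-only: kernel.unprivileged_userns_clone=0"
            return 0
        fi
        echo "exposed: kernel.unprivileged_userns_clone=$clone (unprivileged users can get CAP_NET_ADMIN in their own netns)"
        return 1
    fi

    # No distro knob: upstream kernels allow unprivileged user namespaces
    # whenever the max_user_namespaces limit is non-zero.
    echo "exposed: no unprivileged_userns_clone knob, user namespaces enabled"
    return 1
}

# Print the verdict for the running host when the script is executed directly.
userns_exposure "" || true
```

A non-zero return marks the "exposed" state, so the function can gate a hardening playbook or a compliance check.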