MSG_PEEK is pretty common, CVE-2016-10229 is worse than you think
source link: https://drewdevault.com/2017/04/13/MSG_PEEK-is-more-common-than-you-think-CVE-2016-10229.html
April 13, 2017, on Drew DeVault's blog
I heard about CVE-2016-10229 earlier today. In a nutshell, it allows arbitrary code execution via UDP traffic if a userspace program on a Linux kernel before 4.5 uses MSG_PEEK in its recv calls (the CVE description attributes the bug to an unsafe second checksum calculation in udp.c during a recv system call with the MSG_PEEK flag). I quickly updated my kernels and rebooted any boxes where necessary, but when I read the discussions on this matter I saw people downplaying this issue by claiming that MSG_PEEK is an obscure feature.
I don't want to be a fear monger, and I'm by no means a security expert, but I suspect that this is a deeply incorrect conclusion. If I understand this vulnerability right, you need to drop everything and update any servers running a kernel older than 4.5 immediately. MSG_PEEK is a flag to recv(2) that lets a program read the next datagram in a socket's receive queue without dequeuing it, so subsequent reads return the same data. The textbook use is to peek at a datagram's length before allocating a buffer for the real read. That immediately sounds to me like a pretty useful feature that a lot of software might use, not an obscure one.
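To make the feature concrete, here is a short C program, added here as an illustration and not taken from the post or from any of the projects it names. It binds a pair of UDP sockets to 127.0.0.1, sends one constructed datagram, peeks at its length with MSG_PEEK | MSG_TRUNC (the usual "size the buffer first" idiom; the length-reporting behaviour of MSG_TRUNC on datagram sockets is Linux-specific), peeks at the contents twice, then reads it for real and confirms the queue is empty. Every recv() call before the last one is a separate system call that handles the same, still-queued datagram, which is the MSG_PEEK path the CVE description names.

```c
/* Added example (not from the post or from the projects it lists):
 * MSG_PEEK on a UDP socket pair bound to 127.0.0.1. Assumes Linux
 * semantics for MSG_TRUNC on datagram sockets and a working loopback. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample datagram; the trailing NUL is not sent. */
static const char SAMPLE[] = "hello, MSG_PEEK";

/* Create a UDP socket bound to 127.0.0.1 on a kernel-chosen port and
 * report the bound address through *addr. Returns the fd or -1. */
static int bind_loopback_udp(struct sockaddr_in *addr)
{
    socklen_t len = sizeof *addr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0;                     /* ephemeral port */
    if (bind(fd, (struct sockaddr *)addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The common "how big is the next datagram?" idiom: peek with a
 * one-byte buffer. With MSG_TRUNC, Linux returns the datagram's real
 * length, and MSG_PEEK leaves it queued for the real read that follows. */
ssize_t peek_datagram_length(int fd)
{
    char probe;
    return recv(fd, &probe, 1, MSG_PEEK | MSG_TRUNC);
}

/* Send one datagram and read it back with a length peek, two content
 * peeks and one consuming recv(). Returns how many recv() calls saw
 * the datagram before the queue emptied (4 when everything behaves),
 * or -1 on any error or unexpected result. */
int msg_peek_roundtrip(void)
{
    struct sockaddr_in rx_addr;
    char buf[64];
    size_t n = sizeof SAMPLE - 1;
    ssize_t want, got;
    int seen = 0, result = -1, tx = -1;
    int rx = bind_loopback_udp(&rx_addr);

    if (rx < 0)
        return -1;
    tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (tx < 0)
        goto out;
    if (sendto(tx, SAMPLE, n, 0, (struct sockaddr *)&rx_addr,
               sizeof rx_addr) != (ssize_t)n)
        goto out;

    /* 1. Learn the size without dequeuing anything. */
    want = peek_datagram_length(rx);
    if (want != (ssize_t)n)
        goto out;
    seen++;

    /* 2-3. Two MSG_PEEK reads return the same bytes; nothing is consumed. */
    for (int i = 0; i < 2; i++) {
        got = recv(rx, buf, sizeof buf, MSG_PEEK);
        if (got != want || memcmp(buf, SAMPLE, n) != 0)
            goto out;
        seen++;
    }

    /* 4. A plain recv() finally dequeues the datagram. */
    got = recv(rx, buf, sizeof buf, 0);
    if (got != want || memcmp(buf, SAMPLE, n) != 0)
        goto out;
    seen++;

    /* 5. The queue is now empty: a non-blocking read must fail with EAGAIN. */
    got = recv(rx, buf, sizeof buf, MSG_DONTWAIT);
    if (got != -1 || (errno != EAGAIN && errno != EWOULDBLOCK))
        goto out;

    result = seen;
out:
    if (tx >= 0)
        close(tx);
    close(rx);
    return result;
}

int main(void)
{
    int seen = msg_peek_roundtrip();
    printf("recv() calls that observed the same datagram: %d\n", seen);
    return seen == 4 ? 0 : 1;
}
```

The point of the exercise is the count: four recv() calls, three of them with MSG_PEEK, all handed the same datagram by the kernel before it is finally dequeued. Any program that sizes its buffer this way takes the MSG_PEEK path on every datagram it receives, whether or not the word "obscure" comes to mind.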
I did a quick search for software where MSG_PEEK appears somewhere in the source code. The presence of the flag does not by itself mean the program is exploitable; that depends on whether it peeks on a UDP socket that receives untrusted traffic while running on a vulnerable kernel. It should certainly raise red flags, though. Here's a list of some notable software I found:
- nginx
- HAProxy
- GnuTLS
- JACK2
- Plex (and Kodi/XBMC)
- BusyBox
I also found a few things like programming languages and networking libraries that you might expect to have MSG_PEEK if only to expose that functionality to programmers using them. I didn't investigate too deeply into whether that was the case or whether this software uses the feature in a less apparent way, but in this category I found Python, Ruby, Node.js, Smalltalk, Octave, libnl, and socat. I used searchcode.com to find these (the full search results are linked from the original post).
Again, I'm not a security expert, but I'm definitely spooked enough to update my shit, and I suggest you do so as well. Red Hat, Debian, and Ubuntu are all unaffected because of the kernels they ship. Note, however, that many cloud providers do not let you choose your own kernel, so you may be running the provider's kernel even on a Debian image and be affected anyway. Double check it: run uname -r, compare the result against your distribution's or provider's advisory for this CVE (a version number below 4.5 is a reason to look, not proof either way, since vendors backport fixes), and update and reboot if necessary.