{
  "threat_severity" : "Important",
  "public_date" : "2014-07-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: pppol2tp: level handling in pppol2tp_[s,g]etsockopt()",
    "id" : "1119458",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1119458"
  },
  "cvss" : {
    "cvss_base_score" : "7.2",
    "cvss_scoring_vector" : "AV:L/AC:L/Au:N/C:C/I:C/A:C",
    "status" : "verified"
  },
  "details" : [ "The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.", "A flaw was found in the way the pppol2tp_setsockopt() and pppol2tp_getsockopt() functions in the Linux kernel's PPP over L2TP implementation handled requests with a non-SOL_PPPOL2TP socket option level. A local, unprivileged user could use this flaw to escalate their privileges on the system." ],
  "statement" : "This issue does not affect the Linux kernel packages as shipped with Red Hat\nEnterprise Linux 5 and Red Hat Enterprise MRG 2.\nPlease note that on Red Hat Enterprise Linux 6 the pppol2tp module is not\nautomatically loaded when an AF_PPPOX/PX_PROTO_OL2TP socket is created, as\nRed Hat Enterprise Linux 6 lacks upstream commit 9395a09d05a23bb and the default\nmodprobe configuration as shipped with the module-init-tools package does not\ncontain the alias for the pppol2tp protocol either. As a result, the pppol2tp module\nhas to be explicitly enabled and/or loaded by the system administrator.",
  "acknowledgement" : "Red Hat would like to thank Sasha Levin for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-23T00:00:00Z",
    "advisory" : "RHSA-2014:0924",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "kernel-0:2.6.32-431.20.5.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.2 Advanced Update Support",
    "release_date" : "2014-08-06T00:00:00Z",
    "advisory" : "RHSA-2014:1025",
    "cpe" : "cpe:/o:redhat:rhel_mission_critical:6.2",
    "package" : "kernel-0:2.6.32-220.54.1.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.4 Extended Update Support",
    "release_date" : "2014-07-23T00:00:00Z",
    "advisory" : "RHSA-2014:0925",
    "cpe" : "cpe:/o:redhat:rhel_eus:6.4",
    "package" : "kernel-0:2.6.32-358.46.2.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2014-07-23T00:00:00Z",
    "advisory" : "RHSA-2014:0923",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kernel-0:3.10.0-123.4.4.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Not affected",
    "package_name" : "realtime-kernel",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-4943\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-4943" ],
  "name" : "CVE-2014-4943",
  "mitigation" : {
    "value" : "For Red Hat Enterprise Linux 6 do --\n]# echo \"install pppol2tp /bin/true\" > /etc/modprobe.d/pppol2tp.conf\nFor Red Hat Enterprise Linux 7 do --\n]# echo \"install l2tp_ppp /bin/true\" > /etc/modprobe.d/l2t_pppp.conf\nOr, alternatively, when the pppol2tp/l2tp_ppp module can't be blacklisted and needs\nto be loaded, you can use the following systemtap script --\n1) On the host, save the following in a file with the \".stp\" extension --\nprobe module(\"*l2tp*\").function(\"pppol2tp_*etsockopt\").call {\n$level = 273;\n}\n2) Install the \"systemtap\" package and any required dependencies. Refer to\nthe \"2. Using SystemTap\" chapter in the Red Hat Enterprise Linux 6\n\"SystemTap Beginners Guide\" document, available from docs.redhat.com, for\ninformation on installing the required -debuginfo packages.\n3) Run the \"stap -g [filename-from-step-1].stp\" command as root.\nIf the host is rebooted, the changes will be lost and the script must be\nrun again.\nAlternatively, build the systemtap script on a development system with\n\"stap -g -p 4 [filename-from-step-1].stp\", distribute the resulting kernel\nmodule to all affected systems, and run \"staprun -L <module>\" on those.\nWhen using this approach, only the systemtap-runtime package is required on the\naffected systems. Please note that the kernel version must be the same across\nall systems.",
    "lang" : "en:us"
  },
  "csaw" : false
}