logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

MSG_PEEK-is-more-common-than-you-think-CVE-2016-10229.md (2364B)

    

  1. ---
  2. date: 2017-04-13
  3. layout: post
  4. title: MSG_PEEK is pretty common, CVE-2016-10229 is worse than you think
  5. tags: [security]
  6. ---
  8. I heard about [CVE-2016-10229](https://nvd.nist.gov/vuln/detail/CVE-2016-10229)
  9. earlier today. In a nutshell, it allows for arbitrary code execution via UDP
  10. traffic if userspace programs are using `MSG_PEEK` in their `recv` calls. I
  11. quickly updated my kernels and rebooted any boxes where necessary, but when I
  12. read the discussions on this matter I saw people downplaying this issue by
  13. claiming `MSG_PEEK` is an obscure feature.
  15. I don't want to be a fear monger and I'm by no means a security expert but I
  16. suspect that this is a deeply incorrect conclusion. If I understand this
  17. vulnerability right you need to drop everything and update any servers running
  18. a kernel <4.5 *immediately*. `MSG_PEEK` allows a programmer using UDP to
  19. read from the kernel's UDP buffer without consuming the data (so subsequent
  20. reads will continue to read the same data). This immediately sounds to me like
  21. a pretty useful feature that a lot of software might use, not an obscure one.
  23. I did quick search for software where `MSG_PEEK` appears in the source code
  24. somewhere. This does not necessarily mean that it's exploitable, but should
  25. certainly raise red flags. Here's a list of some notable software I found:
  27. * nginx
  28. * haproxy
  29. * curl
  30. * gnutls
  31. * jack2
  32. * lynx
  33. * plex (and kodi/xbmc)
  34. * busybox
  36. I also found a few things like programming languages and networking libraries
  37. that you might expect to have MSG_PEEK if only to provide that functionality to
  38. programmers leveraging them. I didn't investigate too deeply into whether or not
  39. that was the case or if this software is using the feature in a less apparent
  40. way, but in this category I found Python, Ruby, Node.js, smalltalk, octave,
  41. libnl, and socat. I used searchcode.com to find these - [here's the full search
  42. results](https://searchcode.com/?q=MSG_PEEK).
  44. Again, I'm not a security expert, but I'm *definitely* spooked enough to update
  45. my shit and I suggest you do so as well. Red Hat, Debian, and Ubuntu are all
  46. unaffected because of the kernel they ship. Note, however, that many cloud
  47. providers do not let you choose your own kernel. This could mean that you are
  48. affected even if you're running a distribution like Debian. Double check it -
  49. use `uname -r` and update+reboot if necessary.