Does CVE-2022-1012 affects CentOS7.9?

Support for security such as Firewalls and securing linux
Post Reply
takushi1969
Posts: 3
Joined: 2022/09/09 02:15:52

Does CVE-2022-1012 affects CentOS7.9?

Post by takushi1969 » 2022/09/09 03:21:19

Hello, gurus!

I wonder if CVE-2022-1012 affects CentOS7.9.

RedHat expressed that RHEL7 is affected in CVE-2022-1012 on RedHat Customer Portal

The Kernel github said that a hash generated by siphash has vulnerability when it is used as 32bit, which is casted down from 64bit.

So I checked source of secure_ipv4_port_ephemeral, which is a target function to be revised for CVE-2022-1012, includied in the kernel 3.10.0-1160.el7 for CentOS7.9, then there is no use of siphash, although the latest one uses siphash instead of md5transform.

I already know there is another vulnerability about source port generating algorithm, by which attacker could guess the port easily, on secure_ipv4_port_ephemeral function on CentOS7, becase CentOS7 uses algorithm3 described in Transport Protocol Port Randomization Recommendations.

Code snip
u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
{
u32 hash[MD5_DIGEST_WORDS];

net_secret_init();
hash[0] = (__force u32)saddr;
hash[1] = (__force u32)daddr;
hash[2] = (__force u32)dport ^ net_secret[14];
hash[3] = net_secret[15];

md5_transform(hash, net_secret);

return hash[0];
}

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: Does CVE-2022-1012 affects CentOS7.9?

Post by tunk » 2022/09/09 12:21:52

According your linked page it says "will not fix" for RHEL7.
Since C7 is a rebuild of RHEL7, I guess the same applies.

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Does CVE-2022-1012 affects CentOS7.9?

Post by TrevorH » 2022/09/09 12:57:34

This flaw is not able to be repaired in Red Hat Enterprise Linux 7
CentOS 7 is a rebuild of RHEL 7 source so the same applies.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

takushi1969
Posts: 3
Joined: 2022/09/09 02:15:52

Re: Does CVE-2022-1012 affects CentOS7.9?

Post by takushi1969 » 2022/09/13 05:47:10

Thank you for your replies.

I guess that CentOS7 may not meet the prerequisite for CVE-2022-1012.
Because CentOS7 does not use ``siphash'' in ``secure_ipv4_port_ephemeral'', but the prerequisite for CVE-2022-1012 is to use ``siphash'' in ``secure_ipv4_port_ephemeral'' according by my understanding of the patch.

So is the judge of vulnerability of CVE-2022-1012 for RHEL7 by RedHat proper if RHEL7's code is the same with CentOS7's one?

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Does CVE-2022-1012 affects CentOS7.9?

Post by jlehtone » 2022/09/13 06:57:43

How do you know that:
takushi1969 wrote:
2022/09/13 05:47:10
CentOS7 does not use ``siphash'' in ``secure_ipv4_port_ephemeral''
If RH says that RHEL 7 is affected, it is not possible to fix the code, and there is no mitigation,
then CentOS 7 is affected and will not get a fix.

takushi1969
Posts: 3
Joined: 2022/09/09 02:15:52

Re: Does CVE-2022-1012 affects CentOS7.9?

Post by takushi1969 » 2022/09/13 07:53:39

Hi,
jlehtone wrote:
2022/09/13 06:57:43
How do you know that:
takushi1969 wrote:
2022/09/13 05:47:10
CentOS7 does not use ``siphash'' in ``secure_ipv4_port_ephemeral''
I read source:net/core/secure_seq.c including ``secure_ipv4_port_ephemeral'' definition, which is included in kernel source deployed at vault.centos.org.

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Does CVE-2022-1012 affects CentOS7.9?

Post by jlehtone » 2022/09/13 14:30:15

The code ought to be same, so ...
takushi1969 wrote:
2022/09/13 05:47:10
So is the judge of vulnerability of CVE-2022-1012 for RHEL7 by RedHat proper if RHEL7's code is the same with CentOS7's one?
... you have to ask from Red Hat.

Post Reply