Vulnerability in the networking stack of the Linux kernel

A vulnerability (CVE-2019-11815) has been identified in the TCP transport of the RDS protocol (Reliable Datagram Sockets, net/rds/tcp.c) in the Linux kernel. It is a use-after-free: already freed memory can be accessed, leading to a denial of service (and potentially, though not confirmed, to code execution). The problem is caused by a race condition that can occur when rds_tcp_kill_sock runs while sockets are being cleaned up for a network namespace.

In NVD the problem is marked as remotely exploitable over the network, but judging by the description of the fix, an attack cannot be carried out remotely without a local presence on the system and manipulation of network namespaces. In particular, according to SUSE's analysis, the vulnerability is only exploitable locally, the attack is rather complex and requires additional privileges on the system. Whereas NVD rates the severity at 9.3 (CVSS v2) and 8.1 (CVSS v3) points, the SUSE rating puts it at 6.4 out of 10.

Ubuntu likewise rated the severity of the problem as moderate. Note that under the CVSS v3.0 vector the problem is assigned a high attack complexity, and its exploitability subscore is only 2.2 out of 10.

Judging by a report from Cisco, the vulnerability is exploitable remotely by sending TCP packets to a host running RDS network services, and a proof-of-concept exploit already exists. How far this corresponds to reality is not yet clear; the report may simply be restating NVD's assumptions in a more dramatic form. According to VulDB, no exploit has been created and the problem is only exploitable locally.

The problem affects kernels prior to 5.0.8 and is blocked by a fix merged in March and included in kernel 5.0.8. In most distributions the problem remains unfixed (Debian, RHEL, Ubuntu, SUSE). Fixes have been released for SLE12 SP3, openSUSE 42.3 and Fedora.
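As an added practical check (not from the opennet.ru article or any of the vendors it cites): a POSIX shell script that compares the running kernel version against the 5.0.8 threshold named above and checks whether the rds_tcp module is currently loaded. The module names (rds, rds_tcp) and the modprobe "install ... /bin/true" blacklist mitigation are assumptions drawn from common RDS hardening practice, not statements on the page. Distribution kernels backport fixes, so a version below 5.0.8 only indicates a possibly affected upstream base, not a confirmed vulnerable build; the vendor advisory is authoritative.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Exposure check for CVE-2019-11815 (RDS over TCP use-after-free).
# Assumptions: the fixed upstream version 5.0.8 (from the article); module
# names "rds"/"rds_tcp" and the modprobe blacklist are general RDS practice.

FIXED_VERSION="5.0.8"

# version_lt A B: return 0 if dotted version A is strictly lower than B.
# Anything after the numeric major.minor.patch (e.g. "-50-generic") is ignored.
version_lt() {
    v1=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    v2=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s' "$v1" | cut -d. -f"$i")
        p2=$(printf '%s' "$v2" | cut -d. -f"$i")
        p1=${p1:-0}
        p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then return 0; fi
        if [ "$p1" -gt "$p2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# upstream_vulnerable VERSION: 0 if the upstream kernel base predates the fix.
upstream_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# rds_tcp_in_modlist TEXT: 0 if lsmod-style output TEXT lists rds_tcp.
rds_tcp_in_modlist() {
    printf '%s\n' "$1" | grep -q '^rds_tcp[[:space:]]'
}

# report_host: run the checks against the live system and print guidance.
report_host() {
    kver=$(uname -r)
    if upstream_vulnerable "$kver"; then
        echo "kernel $kver: upstream base is older than $FIXED_VERSION;" \
             "check your vendor advisory for a backported fix"
    else
        echo "kernel $kver: upstream base includes the 5.0.8 fix"
    fi
    mods=$(lsmod 2>/dev/null || true)
    if rds_tcp_in_modlist "$mods"; then
        echo "rds_tcp is loaded: the affected code path is reachable"
    else
        echo "rds_tcp is not loaded"
    fi
    # Assumed mitigation (common practice, not from the article): prevent the
    # module from being autoloaded at all if RDS is not needed.
    echo "mitigation: echo 'install rds /bin/true' > /etc/modprobe.d/disable-rds.conf"
}

if [ "${1:-}" = "--run" ]; then
    report_host
fi
```

Run it as `sh check-rds.sh --run`; without `--run` the file only defines the functions so they can be sourced from other scripts.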

Source: opennet.ru
