MSG_PEEK is pretty common, CVE-2016-10229 is worse than you think April 13, 2017 on Drew DeVault's blog

I heard about CVE-2016-10229 earlier today. In a nutshell, it allows for arbitrary code execution via UDP traffic if userspace programs are using MSG_PEEK in their recv calls. I quickly updated my kernels and rebooted any boxes where necessary, but when I read the discussions on this matter I saw people downplaying this issue by claiming MSG_PEEK is an obscure feature.

I don’t want to be a fear monger and I’m by no means a security expert but I suspect that this is a deeply incorrect conclusion. If I understand this vulnerability right you need to drop everything and update any servers running a kernel <4.5 immediately. MSG_PEEK allows a programmer using UDP to read from the kernel’s UDP buffer without consuming the data (so subsequent reads will continue to read the same data). This immediately sounds to me like a pretty useful feature that a lot of software might use, not an obscure one.

I did quick search for software where MSG_PEEK appears in the source code somewhere. This does not necessarily mean that it’s exploitable, but should certainly raise red flags. Here’s a list of some notable software I found:

I also found a few things like programming languages and networking libraries that you might expect to have MSG_PEEK if only to provide that functionality to programmers leveraging them. I didn’t investigate too deeply into whether or not that was the case or if this software is using the feature in a less apparent way, but in this category I found Python, Ruby, Node.js, smalltalk, octave, libnl, and socat. I used searchcode.com to find these - here’s the full search results.

Again, I’m not a security expert, but I’m definitely spooked enough to update my shit and I suggest you do so as well. Red Hat, Debian, and Ubuntu are all unaffected because of the kernel they ship. Note, however, that many cloud providers do not let you choose your own kernel. This could mean that you are affected even if you’re running a distribution like Debian. Double check it - use uname -r and update+reboot if necessary.

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~sircmpwn/public-inbox@lists.sr.ht [mailing list etiquette]

Articles from blogs I read Generated by openring

Site Redesign

Hey y’all! It’s been, gosh, what, ten years? I finally finished a total site redesign: all-new backend, HTML, CSS, modern image formats, etc. It’s finally readable on mobile now! There’s a lot of accumulated cruft in the database and filesystem–aphyr.com i…

via Aphyr: Posts March 28, 2021

What's cooking on SourceHut? March 2021

Hi! Another month of development has passed, and I’m here to fill you in on what’s new. Another 686 signups this month has brought us to 21,041 users. As always, I’ll be counting on you to make the new users feel at home, please be patient with them and help…

via Blogs on Sourcehut March 15, 2021

Status update, March 2021

Hi all! This month has been a little bit more quiet than others. I’ve spent a fair bit of time working on gamescope for Valve. As usual I’ve been fixing bugs and improving gamescope itself, but I’ve also worked on the rest of the ecosystem. I’m plumbing forma…

via emersion March 15, 2021