Minor flaw found in Linux's RDS implementation
The Linux kernel was quietly patched with a fix in its RDS implementation in version 5.0.8, and since there is a minor chance that this could, in theory, be used to do a Denial of Service attack on a server, it has now been assigned CVE-2019-11815. The hysterical security-blogger version of the story is that
"Linux systems running kernels prior to 5.0.8 require patching after news emerged of a high-severity flaw that could be remotely exploited."
The first obvious question to ask when considering the security implications is: What is RDS? It is the "Reliable Datagram Sockets" protocol, developed by Oracle Corporation for low-latency interconnects using InfiniBand. In other words, it is for a rather specialized purpose. You can use RDS over TCP too, but RDS over TCP does not support RDMA, which makes it pointless.
The kernel module with the minor problem referred to as CVE-2019-11815 is the rds_tcp module, used for doing RDS over TCP. Nobody does that. It should also be mentioned that nobody outside of perhaps a handful of Oracle customers is using RDS at all these days.
RHEL 7 and 8, and also CentOS, do not ship a kernel with the rds_tcp module built. Earlier RHEL versions did, but they are fine since the problem in question was introduced with git commit bdf5bd7f21323493dbe5f2c723dc33f2fbb0241a.
The Ubuntu and Fedora distributions do build the module for some reason, but they do not load it by default, and they do not include any user-space tool in the default installation that would try to use it.
Who should be afraid, then?
If you are among the really rare users of this module for some reason then there is a slight chance that someone with a very high bandwidth connection to your machine - meaning someone on the same Local Area Network - could trigger a crash on your system after weeks of trying.
If you are using an old kernel and you are worried that something might randomly load this module, then blacklisting it is possible:
echo 'blacklist rds_tcp' > /etc/modprobe.d/blacklist_rds.conf
(or just eradicate the module from your system with rm /lib/modules/*/extra/net/rds/rds_tcp.ko.xz, you will never need it)
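As an added example (not from the article), a small POSIX shell script that applies the article's own checks to a host: is the kernel older than 5.0.8, is rds_tcp loaded or even installed, and, on request, blacklist it. It assumes the standard paths /proc/modules, /lib/modules and /etc/modprobe.d and takes the 5.0.8 cut-off from the article (a distribution kernel may carry the backported fix under a lower version number); the `install rds_tcp /bin/false` line is an addition that also blocks an explicit modprobe, which a bare blacklist does not.

```shell
#!/bin/sh
# Added example (not from the article): classify a host against the narrow
# group the article describes and, on request, blacklist rds_tcp.
# Assumption: the 5.0.8 cut-off is the article's; distro backports may differ.

# kernel_before_fix VERSION: succeed if VERSION (e.g. "4.19.0-6-amd64") is below 5.0.8.
kernel_before_fix() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        if (maj < 5 || (maj == 5 && min == 0 && pat < 8)) exit 0
        exit 1
    }'
}

# rds_tcp_loaded FILE: succeed if rds_tcp is listed as loaded in FILE (normally /proc/modules).
rds_tcp_loaded() {
    grep -q '^rds_tcp ' "$1"
}

# rds_tcp_available VERSION: succeed if a module file is installed for that kernel
# (the .ko is often compressed, hence the wildcard).
rds_tcp_available() {
    find "/lib/modules/$1" -name 'rds_tcp.ko*' 2>/dev/null | grep -q .
}

# blacklist_rds_tcp DIR: write a modprobe.d fragment into DIR (normally /etc/modprobe.d)
# and print its path. "blacklist" only stops alias-based autoloading; the "install"
# line also makes an explicit modprobe of the module fail.
blacklist_rds_tcp() {
    conf="$1/blacklist_rds.conf"
    printf 'blacklist rds_tcp\ninstall rds_tcp /bin/false\n' > "$conf"
    printf '%s\n' "$conf"
}

# assess VERSION MODULES_FILE: print NOT_AFFECTED, MODULE_LOADED, MODULE_AVAILABLE or CLEAN.
assess() {
    if ! kernel_before_fix "$1"; then echo NOT_AFFECTED
    elif rds_tcp_loaded "$2"; then echo MODULE_LOADED
    elif rds_tcp_available "$1"; then echo MODULE_AVAILABLE
    else echo CLEAN
    fi
}

# Live run against this host: sh rds_check.sh --check [--blacklist]
if [ "${1:-}" = "--check" ]; then
    echo "$(uname -r): $(assess "$(uname -r)" /proc/modules)"
    if [ "${2:-}" = "--blacklist" ]; then blacklist_rds_tcp /etc/modprobe.d; fi
fi
```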
Should you upgrade your kernel?
If you have an Intel CPU and you haven't upgraded your kernel lately, then you should probably do that for other reasons. You should also consider it if you are among the 0.000001% who are actually using the rds_tcp module. This whole "big security flaw" is overblown and doesn't really affect anyone.
published 2019-05-19 - last edited 2019-06-17