[LINK] Easy-to-exploit flaw in Linux kernel rated 'high risk'
Stephen Loosley
stephenloosley at zoho.com
Fri Sep 29 20:16:44 AEST 2017
Security Patch Alert
Easy-to-exploit flaw in Linux kernel rated 'high risk'
Urgent security triage needed
By John Leyden 28 Sep 2017 at 13:24
http://www.theregister.co.uk/2017/09/28/linux_kernel_vuln/
A flaw has been found in the way the Linux kernel loads ELF files.
If a malicious program is built as a Position Independent Executable (PIE), the loader can be exploited to map part of that application's data segment over the memory area reserved for its stack. This can result in memory corruption and possible local privilege escalation.
Red Hat and Debian are among Linux distros affected by the CVE-2017-1000253 vulnerability, which was discovered by cloud security firm Qualys.
Red Hat's advisory is here. https://access.redhat.com/security/cve/CVE-2017-1000253
Debian's list of affected releases – which have largely already been fixed – can be found here. https://security-tracker.debian.org/tracker/CVE-2017-1000253 Just run your usual package management tools to install the patched kernels and reboot.
Red Hat warned: "An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system."
This issue affects Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6 as well as some older versions of Red Hat Enterprise Linux 7. Embedded systems running Red Hat may also need updating. The Linux distro rates attack complexity as "low" but impact "high" – always a bad combination.
The flaw represents a possible mechanism for a hacker or other malicious party to step up from a normal user to root – e.g. you get a shell as an ordinary user via a compromised web application or another internet-facing service, and then use the above bug to take full control of the box. It can also be abused by logged-in users to gain administrative access over the machine.
Patching is straightforward, in this case, but deployment is the "hard" part as it'll involve a reboot. The vulnerability is nasty but it'd be a whole lot worse if it were remotely triggered, kinda like ShellShock and its ilk. This flaw does not fall into that category, fortunately.
Sysadmins are nonetheless advised to review the security of their systems and patch or at least mitigate against the vulnerability at their earliest opportunity.
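For the triage the article calls for, the following added example (not from the article, Red Hat or Qualys) lists the set-uid/set-gid PIE binaries that Red Hat's warning refers to, so hosts can be prioritised for the patched kernel. It assumes a PIE is an ELF file of type ET_DYN with a PT_INTERP program header inside the first 4 KiB, and it does not cover file capabilities. The function names, the default directories and the sample image are illustrative.

```python
import os, stat, struct, sys
ET_DYN, PT_INTERP = 3, 3  # ELF e_type for PIE/shared objects; p_type naming the loader

def is_pie(data):
    """True if data begins an ELF image of type ET_DYN that has a PT_INTERP header."""
    if data[:4] != b"\x7fELF" or len(data) < 6 or data[4] not in (1, 2) or data[5] not in (1, 2):
        return False
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    try:
        if struct.unpack_from(end + "H", data, 16)[0] != ET_DYN:
            return False  # e.g. ET_EXEC: fixed-address executable, not PIE
        if data[4] == 2:  # ELF64 offsets of e_phoff, e_phentsize, e_phnum
            phoff = struct.unpack_from(end + "Q", data, 32)[0]
            phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        else:  # ELF32 offsets
            phoff = struct.unpack_from(end + "I", data, 28)[0]
            phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        return any(struct.unpack_from(end + "I", data, phoff + i * phentsize)[0] == PT_INTERP
                   for i in range(phnum))
    except struct.error:
        return False  # truncated or malformed header

def privileged_pie(path):
    """True for a regular set-uid/set-gid file whose first 4 KiB parse as PIE."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    with open(path, "rb") as f:
        return is_pie(f.read(4096))

def scan(roots):
    hits = []
    for root in roots:
        for d, _, files in os.walk(root):
            for name in files:
                try:
                    if privileged_pie(os.path.join(d, name)):
                        hits.append(os.path.join(d, name))
                except OSError:
                    pass  # unreadable or removed while scanning
    return sorted(hits)

def sample_elf64(e_type, p_type):
    """Constructed image for testing: ELF64 little-endian header plus one program header."""
    hdr = struct.pack("<4s4B8xHHIQQQI6H", b"\x7fELF", 2, 1, 1, 0, e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return hdr + struct.pack("<I52x", p_type)

if __name__ == "__main__":
    print("\n".join(scan(sys.argv[1:] or ["/usr/bin", "/usr/sbin"])))
```

Pass other directories as arguments to widen the scan; an empty result on a host does not replace installing the patched kernel.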