11-Year Old Linux Kernel Vulnerability Could Result In Privilege Escalation (Here's How To Fix It)


A newly found Linux kernel security vulnerability dates back to 2005 and could potentially be exploited for kernel code execution and local privilege escalation. The flaw affects a number of distributions including Red Hat, Debian, OpenSUSE, SUSE and Ubuntu. Here's how to patch this flaw on your Linux systems.

The high priority vulnerability (CVE-2017-6074) concerns the Datagram Congestion Control Protocol (DCCP), which is enabled on a number of modern Linux distributions. It's a double free (that can be turned into a use-after-free) bug and allows a local unprivileged user (any user that doesn’t have root access) to tamper with the Linux kernel memory. According to Canonical, which manages Ubuntu: "A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative [root] privileges."

You can find a technical description of the vulnerability by Andrey Konovalov, the security researcher who discovered it, here.

The vulnerability was first reported by The Hacker News.

How To Fix This On Your Linux Machine

The mainline Linux kernel has been patched so you could apply the patch and rebuild the kernel yourself, but that's more for advanced users.

Patches for different distributions should trickle through soon. Here are the update statuses for major distributions that have been affected:

Ubuntu

The bug affects a number of Ubuntu versions. You can see the full list here.

Patches are available for some versions. You can update your system by running sudo apt-get update followed by sudo apt-get dist-upgrade in the terminal, applying the changes and rebooting your machine. But be aware:

Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

For those who are waiting for a patch, you can use this workaround:

blacklist the dccp ipv[46] autoloading aliases by adding the following lines to /etc/modprobe.d/blacklist-dccp.conf:

alias net-pf-2-proto-0-type-6 off
alias net-pf-2-proto-33-type-6 off
alias net-pf-10-proto-0-type-6 off
alias net-pf-10-proto-33-type-6 off

OpenSUSE

An update that fixes a handful of vulnerabilities, including CVE-2017-6074, is now available. It appears only openSUSE Leap 42.1 is affected.

Here are the patch instructions:

To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- openSUSE Leap 42.1: zypper in -t patch openSUSE-2017-287=1

To bring your system up-to-date, use "zypper patch".

SUSE

Only SUSE Linux Enterprise Server 10 is affected. Customers with a current long term service pack support (LTSS) contract can contact SUSE for a program temporary fix (PTF). PTFs are not distributed as repositories but as plain HTTP directories and require the download of the packages, best done through wget. You can find detailed instructions here.

Red Hat

The bug affects Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise MRG 2 kernels. Red Hat has scheduled a fix in the next update for all of them.

In the meantime, the company has released this workaround:

Recent versions of SELinux policy can mitigate this exploit. The steps below will work with SELinux enabled or disabled.

As the DCCP module will be auto loaded when required, its use can be disabled by preventing the module from loading with the following instructions.

# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

The system will need to be restarted if the dccp modules are loaded. In most circumstances the dccp kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.
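The two workarounds above (Ubuntu's alias blacklist and Red Hat's install stub) packaged as shell helpers, with a check for whether dccp is currently loaded and whether a mitigation is already in place. This is an added example, not code from the article or from either vendor's advisory; the file and directory arguments are there so the checks can be run against copies rather than the live system, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: helpers for the CVE-2017-6074 DCCP workarounds.

# Ubuntu-style workaround: the kernel asks modprobe for these aliases when a
# DCCP socket is created (pf-2 = AF_INET, pf-10 = AF_INET6, type-6 = SOCK_DCCP,
# proto-33 = IPPROTO_DCCP, proto-0 = default protocol). "off" refuses them all.
dccp_alias_blacklist() {
  cat <<'EOF'
alias net-pf-2-proto-0-type-6 off
alias net-pf-2-proto-33-type-6 off
alias net-pf-10-proto-0-type-6 off
alias net-pf-10-proto-33-type-6 off
EOF
}

# Red Hat-style workaround: modprobe runs /bin/true instead of loading dccp.
dccp_install_stub() {
  echo "install dccp /bin/true"
}

# Return 0 if a dccp module (dccp, dccp_ipv4, dccp_ipv6) is listed in the
# given modules file (default: the live /proc/modules).
dccp_loaded() {
  grep -q '^dccp' "${1:-/proc/modules}"
}

# Return 0 if any *.conf in the given modprobe.d directory (default
# /etc/modprobe.d) already carries either style of DCCP mitigation.
dccp_mitigated() {
  dir="${1:-/etc/modprobe.d}"
  grep -qsE '^(install[[:space:]]+dccp[[:space:]]+/bin/true|alias[[:space:]]+net-pf-(2|10)-proto-(0|33)-type-6[[:space:]]+off)' "$dir"/*.conf
}

# Write the install stub (the style that works on every distribution listed)
# into the given modprobe.d directory. Writing to /etc/modprobe.d needs root,
# and a host with dccp already loaded still needs a reboot afterwards.
dccp_apply() {
  dccp_install_stub > "${1:-/etc/modprobe.d}/disable-dccp.conf"
}

# Example run against the live system (uncomment to use):
# dccp_loaded && echo "dccp is loaded; reboot after applying the mitigation"
# dccp_mitigated || dccp_apply
```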

Debian

Debian has released fixes for some versions. The group hasn't detailed any workaround information.
