A bug in Linux kernel that was discovered two years ago, but was not considered a security threat at that time, has now been recognised as a potential local privilege escalation flaw.
Identified as CVE-2017-1000253, the bug was initially discovered by Google researcher Michael Davidson in April 2015.
Since it was not recognised as a serious bug at that time, the patch for this kernel flaw was not backported to long-term Linux distributions in kernel 3.10.77.
However, researchers at Qualys Research Labs has now found that this vulnerability could be exploited to escalate privileges and it affects all major Linux distributions, including Red Hat, Debian, and CentOS.
The vulnerability left “all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable,” Qualys said in an advisory published yesterday.
The vulnerability, which has been given a CVSS3 Base Score of 7.8 out of 10, resides in the way Linux kernel loads ELF executables, which potentially results in memory corruption.
Researchers find that an unprivileged local user with access to SUID (or otherwise privileged) Position Independent Executable (PIE) binary could use this vulnerability to escalate their privileges on the affected system.
In order to mitigate this issue, users can switch to the legacy mmap layout by setting vm.legacy_va_layout to 1, which will effectively disable the exploitation of this security flaw.
Since the mmap allocations start much lower in the process address space and follow the bottom-up allocation model, “the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.”
Qualys says this flaw is not limited to the PIEs whose read-write segment is larger than 128MB, which is the minimum distance between the mmap_base and the highest address of the stack, not the lowest address of the stack.
So, when passing 1.5GB of argument strings to execve(), any PIE can be mapped directly below the stack and trigger the vulnerability.
The Qualys team has promised to publish a proof-of-concept soon exploit that works on CentOS-7 kernel versions “3.10.0-514.21.2.el7.x86_64” and “3.10.0-514.26.1.el7.x86_64,” once a maximum number of users have had time to patch their systems against the flaw.