Tuesday, October 25, 2016

Kernel Local Privilege Escalation - CVE-2016-5195

Taken from RedHat (https://access.redhat.com/security/vulnerabilities/2706661)

Background Information
A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild. This flaw affects most modern Linux distributions.

Red Hat Product Security has rated this update as having a security impact of Important.

Impacted Products:
The following Red Hat Product versions are impacted:
•    Red Hat Enterprise Linux 5
•    Red Hat Enterprise Linux 6
•    Red Hat Enterprise Linux 7
•    Red Hat Enterprise MRG 2
•    Red Hat Openshift Online v2

Attack Description and Impact:This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set. This is achieved by racing the madvise(MADV_DONTNEED) system call while having the page of the executable mmapped in memory.

Take Action:All Red Hat customers running the affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.

Mitigation:Please reference bug 1384344  - https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13 for detailed mitigation steps.

Updates for Affected Products:
A kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available. Please open a support case to gain access to the kpatch.

For more details about what a kpatch is: Is live kernel patching (kpatch) supported in RHEL 7? - please refer to https://access.redhat.com/solutions/2206511

No comments: