[Triumf-linux-managers] 'CRITICAL' Risk CVE-2016-5195 Linux kernel privilege escalation

Andrew Daviel advax at triumf.ca
Fri Oct 21 18:58:52 PDT 2016


(discussion to triumf-linux-users at lists.triumf.ca
rather than linux-managers, please)

CRITICAL risk vulnerability concerning Linux kernel
CVE ID : CVE-2016-5195

"A kernel vulnerability has been found concerning a race condition 
allowing an unprivileged local user to gain write access to otherwise 
read only mappings and increase their privilege in the system."

There is working proof-of-concept code, which I have tested on CentOS 
7. It uses a race condition in madvise(). The publicly available 
exploit (dirtyc0w.c), however, writes to /proc/self/mem, which is not 
possible in RedHat 5 or 6.

There is no patch at this time for RHEL-based systems. There is a 
workaround using systemtap as documented at 
https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13 
That requires the kernel-debuginfo package to be installed, as well as 
systemtap itself, and does not survive a reboot. I am not sure how 
practical it is; the published script runs in the foreground and unloads 
on exit. When I tried the exploit after unloading the stap script, the 
system crashed.


- we expect RedHat to produce an updated kernel, which should be 
installed when available and the system rebooted
- we think that the compute clusters trcomp0* "should be safe" 
meanwhile, as the available exploit does not work on SL 5/6
- users with non-RedHat Linux should check, and update as necessary
- admins with SL 7 and untrusted users might consider the stap 
workaround, carefully

- I don't *think* it's a problem on servers with no user access, unless 
there's a vulnerability like shellshock that lets attackers get a shell 
(I see attempts every week or two against my webserver).
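One check an admin will want once the vendor kernel ships: is the running kernel at least the fixed version-release, or has the fixed package been installed but the box not yet rebooted? The script below is an added example, not code from the original post. It compares `uname -r` against the newest installed kernel package and against a minimum fixed version-release that you supply from the vendor advisory (no RHEL fix existed when this was written, so the fixed version is a command-line argument and the sample values in the code are constructed, not real release numbers). It implements rpm's segment ordering, under which a release such as 327.99.9.el7 ranks newer than 327.el7 because a numeric segment beats an alphabetic one; plain string comparison gets that backwards. Tilde and caret handling from rpmvercmp is omitted, which does not matter for kernel packages.

```python
"""Added example (not from the original post): decide whether a host still
needs action for CVE-2016-5195 by comparing kernel version strings the way
rpm does, so that 'reboot required' and 'update required' are told apart."""
import platform
import re
import subprocess
import sys

# Architecture suffixes that `uname -r` carries but `rpm -q` version-release does not.
ARCHES = ("x86_64", "i686", "i386", "aarch64", "ppc64le", "ppc64", "s390x")


def normalize(kernel_string):
    """Strip a leading 'kernel-' and a trailing '.<arch>' so that `uname -r`
    output and `rpm -q kernel` output can be compared with each other."""
    s = kernel_string.strip()
    if s.startswith("kernel-"):
        s = s[len("kernel-"):]
    for arch in ARCHES:
        if s.endswith("." + arch):
            s = s[: -len(arch) - 1]
    return s


def rpmvercmp(a, b):
    """Compare two rpm version (or release) strings: returns -1, 0 or 1.
    Follows rpm's rules: tokenize into digit runs and letter runs, ignore
    separators, a numeric segment is newer than an alphabetic one, numeric
    segments compare as integers, and leftover segments make a string newer."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1  # numeric beats alphabetic (327.99.9 > 327.el7)
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(ta) != len(tb):
        return 1 if len(ta) > len(tb) else -1
    return 0


def compare_kernels(a, b):
    """Compare two kernel strings as (version, release) pairs, as rpm does."""
    va, _, ra = normalize(a).partition("-")
    vb, _, rb = normalize(b).partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def kernel_status(running, installed, fixed):
    """Return 'patched' (running kernel >= fixed), 'reboot-required'
    (fixed package installed but an older kernel is running) or
    'update-required' (no fixed package on disk)."""
    if compare_kernels(running, fixed) >= 0:
        return "patched"
    if compare_kernels(installed, fixed) >= 0:
        return "reboot-required"
    return "update-required"


def newest_installed_kernel():
    """Newest kernel package on an rpm-based host (RHEL/CentOS/SL)."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "kernel"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    newest = out[0]
    for candidate in out[1:]:
        if compare_kernels(candidate, newest) > 0:
            newest = candidate
    return newest


# Constructed sample values for illustration only; they are not real fixed releases.
SAMPLE_RUNNING = "3.10.0-327.el7.x86_64"
SAMPLE_INSTALLED = "kernel-3.10.0-327.99.9.el7.x86_64"
SAMPLE_FIXED = "3.10.0-327.99.9.el7"  # placeholder: take the real value from the advisory

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: kernel_status.py MIN-FIXED-VERSION-RELEASE (from the vendor advisory)")
    running = platform.release()  # same string as `uname -r`
    print(kernel_status(running, newest_installed_kernel(), sys.argv[1]))
```

Run it as `python3 kernel_status.py <fixed-version-release>` on each host after the errata appears; a `reboot-required` result is the case the bullet above warns about, where the package is on disk but the vulnerable kernel is still the one running.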


More information
================

Sites running Debian should see [R 2] (seems to be fixed)
Sites running Ubuntu should see [R 3] (seems to be fixed in newer releases)
Sites running RedHat should see [R 4] (patch not available at time of writing)


https://access.redhat.com/security/vulnerabilities/2706661


References
==========

[R 1] https://bugzilla.redhat.com/show_bug.cgi?id=1384344
[R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195
[R 3] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html
[R 4] https://access.redhat.com/security/cve/CVE-2016-5195


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

