Multiple Linux distros are issuing security updates for OS versions that still use an older kernel branch, after it recently came to light that a memory bug thought to be mild was in reality much worse and was recategorized as a security flaw.

The original bug was discovered by Michael Davidson, a Google employee, back in April 2015 and was fixed in Linux kernel 4.0.

Bug initially classified as non-security issue

An initial analysis of the bug did not explore the possibility of it being used as an attack vector, so the issue was one of many bugfixes included with the newly launched (at the time) Linux kernel 4.0.

Linux kernel maintainers also ported the patch to the older 3.x branch with the release of Linux kernel 3.10.77, but because the issue had been branded as a minor bugfix, the fix wasn't included in many Linux LTS releases.

Long-Term Releases are Linux OS versions deployed in enterprise and high-availability environments, and in most cases, they receive security-only updates, so as not to pester sysadmins with constant updates that cause downtime or other production snags.

This means that while the majority of Linux desktop users running a recent kernel are not affected by this vulnerability, having been patched a long time ago, some critical server systems might still be vulnerable if they're running an older 3.x kernel as part of a Linux LTS distro.

"All versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable," the Qualys team said in an advisory released today after it made sure to inform all major Linux distros of the bug's real nature a few months ago.

Bug allows Elevation of Privileges (EoP)

The bug's security implications only recently came to light after further analysis from the Qualys team. Researchers discovered that an attacker could exploit the 2015 kernel bug to elevate the privileges of their own code.

The bug has received the CVE-2017-1000253 identifier and a CVSSv3 severity score of 7.8 out of 10, which is pretty high.

Attackers can exploit the bug via malicious ELF files built as Position-Independent Executables (PIEs). When the Linux kernel loads a malicious binary into memory, the kernel does not allocate enough memory.

This ends up in a situation where "part of that application's data segment [will be mapped] over the memory area reserved for its stack, potentially resulting in memory corruption."

Initially, kernel maintainers thought this would cause a mundane memory crash, but Qualys discovered that "an unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system."

Linux distros such as Red Hat, Debian, and CentOS have released updates to address the bug for older LTS distributions where the 3.x kernel is still in use.

Qualys researchers also promised to release proof-of-concept exploit code.