Old Root Linux Kernel Flaw found and patched

There’s a new (yet old) local privilege escalation flaw in the Linux kernel that requires patching. The flaw was introduced around 2005 when support for DCCP (Datagram Congestion Control Protocol) was added.

The flaw, although local in nature, could lead to a complete system compromise. Local privilege escalation vulnerabilities become dangerous when chained with other flaws that give remote attackers access to a lower-privileged account.

The flaw can be exploited locally by using heap spraying techniques to execute arbitrary code inside the kernel, the most privileged part of the OS. Andrey Konovalov, the Google researcher who found the vulnerability, plans to publish an exploit for it in a few days.

In order for this flaw to be exploitable, the kernel needs to be built with the CONFIG_IP_DCCP option. Many distributions use kernels built with this option, but some don’t.

Red Hat Enterprise Linux 5, 6, and 7 are affected, but Red Hat has only released patches for versions 6 and 7. However, there is a work-around available that involves manually disabling the DCCP kernel module.

Mitigation

Recent versions of the SELinux policy can mitigate this flaw. The steps below will work with SELinux enabled or disabled.

As the DCCP module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

The system will need to be restarted if the DCCP modules are already loaded. In most circumstances, the DCCP kernel modules cannot be unloaded while any network interfaces are active and the protocol is in use.
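As an added example (not from the article or from Red Hat), the shell functions below wrap the check-and-mitigate steps above: confirm whether the running kernel was built with CONFIG_IP_DCCP, whether the dccp module is currently loaded, and write the modprobe override idempotently. The file paths are parameters so the functions can be exercised against constructed inputs; the defaults are the real system locations.

```shell
#!/bin/sh
# Added example: helpers for the DCCP module mitigation described above.
# Each function takes an optional path so it can be tested against
# constructed files instead of the live system.

# Returns 0 if the kernel config enables DCCP as a module (=m) or
# built-in (=y). A built-in DCCP cannot be blocked by modprobe.d at all;
# only a kernel update removes the vulnerable code in that case.
dccp_in_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -Eq '^CONFIG_IP_DCCP=(y|m)$' "$cfg" 2>/dev/null
}

# Returns 0 if the dccp module is currently loaded. /proc/modules lists
# one module per line with the name as the first field.
dccp_loaded() {
    modfile="${1:-/proc/modules}"
    grep -q '^dccp ' "$modfile" 2>/dev/null
}

# Returns 0 if a modprobe.d file already carries the override line.
dccp_blocked() {
    conf="${1:-/etc/modprobe.d/disable-dccp.conf}"
    grep -qs '^install dccp /bin/true' "$conf"
}

# Appends the "install dccp /bin/true" override unless it is already
# present, so re-running the mitigation never duplicates the line.
# Needs root when writing under /etc/modprobe.d.
disable_dccp() {
    conf="${1:-/etc/modprobe.d/disable-dccp.conf}"
    if dccp_blocked "$conf"; then
        return 0
    fi
    echo "install dccp /bin/true" >> "$conf"
}

# Summarise the state of one host: prints a short status line and returns
# 0 when the module is blocked, 1 when it is still loadable.
dccp_status() {
    cfg="$1"; modfile="$2"; conf="$3"
    if ! dccp_in_config "$cfg"; then echo "dccp: not built"; return 0; fi
    if dccp_loaded "$modfile"; then echo "dccp: LOADED (reboot needed after override)"; fi
    if dccp_blocked "$conf"; then echo "dccp: blocked by $conf"; return 0; fi
    echo "dccp: loadable, run disable_dccp"; return 1
}
```

Run `disable_dccp` with no argument as root to apply the override; a reboot is still required if `dccp_loaded` reports the module as loaded.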

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.

Source: Computerworld, Red Hat