Linux kernel flaw allows local privilege escalation



An old Linux kernel vulnerability has been disclosed. The bug dates back to 2009, and the affected Linux distributions include Red Hat, Debian, Fedora, openSUSE and Ubuntu.

The vulnerability is tracked as CVE-2017-2636 and scores 7.8 under CVSS v3. It has been present in the Linux kernel for 7 years and allows a local unprivileged user to obtain root privileges, cause a denial of service, or crash the system.

Alexander Popov, a researcher at Positive Technologies, found a race condition in the N_HDLC Linux kernel driver, which implements the High-Level Data Link Control (HDLC) line discipline. The race leads to a double-free vulnerability.

A double free is freeing the same pointer twice. Although the name suggests exactly two frees, any extra free of a pointer into heap memory corrupts the allocator's bookkeeping and can therefore be exploitable.

"This announcement concerns CVE-2017-2636, a race condition in the N_HDLC (drivers/tty/n_hdlc.c) Linux kernel driver. This vulnerability can be used for local privilege escalation," the SecList security bulletin says. "The driver provides the HDLC serial line discipline and is built as a kernel module in many Linux distributions, so any distribution whose kernel is configured with `CONFIG_N_HDLC=m` is affected. Exploiting the vulnerability requires neither Microgate SyncLink hardware nor any privileges: when an unprivileged user opens a pseudo-terminal and calls the TIOCSETD ioctl to set the HDLC line discipline, the module is loaded automatically."

An unprivileged local user could therefore exploit this vulnerability to execute arbitrary code in the kernel.

Affected Linux Distributions

This vulnerability affects most major Linux distributions, including Red Hat Enterprise Linux 6 and 7, Fedora, SUSE, Debian and Ubuntu.

Since the vulnerability dates back to July 2009, Linux systems have been exposed to it for up to 7 years, but according to Positive Technologies' investigation it is difficult to determine whether it has been exploited in the wild.

"The vulnerability is very old, so it is widespread on Linux workstations and servers," Popov said. "To exploit it, an attacker only needs an ordinary unprivileged user account. In addition, the attack does not require any special hardware."

The researcher discovered this vulnerability while fuzzing system calls with syzkaller, a fuzzer developed by Google for code security auditing.

On February 28, 2017, Popov reported the vulnerability details, an exploit prototype and a patch, and said that the PoC would be published later.

How to fix

The vulnerability is now fixed; the update and the vulnerability details were published on March 7. Users are advised to install the security update as soon as possible. If you are temporarily unable to install it, we recommend manually disabling the n_hdlc module.
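The following script, added here as an example and not part of the original article, shows the interim mitigation in practice: it checks whether the `n_hdlc` module is loaded and writes a modprobe rule that stops it from being autoloaded when a user sets the HDLC line discipline via TIOCSETD. The `/etc/modprobe.d` location and the file name `disable-n_hdlc.conf` are assumptions; the constructed `lsmod` sample is only for demonstration.

```shell
#!/bin/sh
# Added example (not from the article): detect and block the n_hdlc
# line-discipline module until the kernel update can be installed.

# Return 0 if the given lsmod-style output lists n_hdlc as loaded.
n_hdlc_loaded() {
  printf '%s\n' "$1" | awk '$1 == "n_hdlc" { found = 1 } END { exit !found }'
}

# Print the modprobe configuration that blocks n_hdlc.
# "install n_hdlc /bin/true" makes modprobe run /bin/true instead of
# loading the module, so the kernel's automatic module request on
# TIOCSETD cannot pull it in; "blacklist" is added alongside it.
n_hdlc_mitigation_conf() {
  printf 'blacklist n_hdlc\ninstall n_hdlc /bin/true\n'
}

# Apply the mitigation: write the conf file (assumed name and path) and
# unload the module if it is currently loaded. Requires root on a real host.
apply_n_hdlc_mitigation() {
  conf_dir="${1:-/etc/modprobe.d}"
  n_hdlc_mitigation_conf > "$conf_dir/disable-n_hdlc.conf"
  if n_hdlc_loaded "$(lsmod 2>/dev/null)"; then
    rmmod n_hdlc
  fi
}

# Constructed sample lsmod output used for demonstration only.
SAMPLE_LSMOD='Module                  Size  Used by
n_hdlc                 16384  0
ext4                  585728  1'

if n_hdlc_loaded "$SAMPLE_LSMOD"; then
  echo "n_hdlc is loaded in the sample output; mitigation would unload it"
fi
```

Run `apply_n_hdlc_mitigation` as root on an affected host to write the rule and unload the module; pass a directory argument to write the rule elsewhere for inspection first. Once the patched kernel is installed, remove the conf file so the module can be loaded again if it is needed.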