- 01-26-2012 #1 Linux Guru
- Join Date
- May 2011
- Posts
- 1,813
Kernel privilege escalation flaw (and fixes)
+++ This is a shout out to all you sysadmins and paranoid types +++
There is a flaw in certain kernels that would pose a serious security risk that local users could leverage. It is described at IDG/PCWorld:
Linux Vendors Rush to Patch Privilege Escalation Flaw After Root Exploits Emerge | PCWorld Business Center
and The H:
Linux root exploit due to memory access - Update 2 - The H Open Source: News and Features
Red Hat has a KB article here:
https://access.redhat.com/kb/docs/DOC-69129
which describes how it affects RHEL 6 (but not 4/5) and interim solutions you can take, if you can't get the kernel patch.
The exploit below takes advantage of the flaw:
CVE-2012-0056 - Mempodipper, a linux local root exploit.
I have confirmed that the exploit works (allows a non-root user to spawn a root shell) on:
- Red Hat 6 / kernel 2.6.32-220.el6.x86_64
- Fedora 16 / kernel 3.1.6-1.fc16.i686.PAE
It is trivial to test the exploit, a simple wget, gcc, and ./ and you'll know where you stand. I recommend it.
I updated the Fedora box to the latest kernel in the Fedora 16 updates repo (3.2.1-3) which includes the patch to fix this, rebooted, and yes, the exploit is foiled.
I updated the RHEL box to the kernel listed in their KB (2.6.32-220.4.1) and it also fixed the problem. (Well, technically, I used the RPM from the CentOS updates repo b/c I don't have an RHN, but it's good to know that I could do that.)
Apparently Canonical/Ubuntu and Arch have released patched kernels, too. Or you could just grab Linus's kernel patch and apply it to the kernel source and recompile, if that's how you roll.
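A way to check a host against the patched builds named in the post above, as an added example that is not part of the original thread. The function names are hypothetical, the fixed-build numbers are the ones the post gives for RHEL 6 and Fedora 16, and the comparison is only meaningful within the same distribution's kernel stream because vendors backport fixes.

```shell
#!/bin/sh
# Added example (not from the thread): compare a `uname -r` string with the
# patched kernel builds the first post names for CVE-2012-0056.

# ver_ge A B: succeed when A >= B, comparing numeric fields split on '.' or '-'.
ver_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%[.-]*}; _y=${_b%%[.-]*}      # leading field of each string
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        case $_a in *[.-]*) _a=${_a#*[.-]} ;; *) _a= ;; esac
        case $_b in *[.-]*) _b=${_b#*[.-]} ;; *) _b= ;; esac
    done
    return 0
}

# check_kernel RELEASE: print a verdict; return 0 patched, 1 vulnerable, 2 unknown.
check_kernel() {
    case $1 in
        *.el6*)  _ver=${1%%.el6*};  _fixed=2.6.32-220.4.1 ;;  # RHEL 6 and rebuilds
        *.fc16*) _ver=${1%%.fc16*}; _fixed=3.2.1-3 ;;         # Fedora 16
        *) echo "unknown: no fixed build from the post applies to $1"; return 2 ;;
    esac
    # Refuse anything that is not purely numeric fields (for example -rc builds).
    case $_ver in ''|*[!0-9.-]*) echo "unknown: cannot parse $1"; return 2 ;; esac
    if ver_ge "$_ver" "$_fixed"; then
        echo "patched: $_ver >= $_fixed"
    else
        echo "vulnerable: $_ver < $_fixed"; return 1
    fi
}

# Run as: sh check.sh "$(uname -r)"   (does nothing when called without arguments)
if [ $# -gt 0 ]; then check_kernel "$1"; fi
```

The check reads the running kernel, so a host that has the new package installed but has not rebooted into it still reports as vulnerable.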
- 01-26-2012 #2
I think I saw the same thing in our weekly security bulletin at work this morning. It will be nice to show the Windows types who were "See! Linux isn't secure after all!!" that it's already been patched and released.
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
- 01-26-2012 #3 Linux Guru
- Join Date
- May 2011
- Posts
- 1,813
Definitely. Considering the potential for devastation and ease of implementation of this threat, it might have been also good, though, if the main Linux vendors (Red Hat, Canonical, SUSE, etc.) had been able to provide publicly available patches for their systems before this hit the news wire.
- 01-27-2012 #4 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,956
RHEL/CentOS/ScientificLinux have also released updated kernels. I have installed the new one, but not activated it yet. The last kernel screwed up my audio, so I am now 2 kernels in arrears...
I will check it out tonight, and if the audio is still FUBAR, I will b!tch at Red Hat et al and keep running my current kernel. I am running SL 6.0 - and need to update to 6.1. Time, if only I had infinite time!
New job as senior performance engineer for Nokia is keeping me too busy! I also need to test our web browser software on multiple phone versions. Currently I have two different company phones - a Series 40 phone to test our software, and an N8 Symbian one for regular business use (and testing)... Watch my head spin...
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!



