MA-126.022008: MyCERT Special Alert: Linux Kernel Local Root Exploit Original Issue Date: 15th February 2008 1. Description 1.1. Overview MyCERT had received information regarding highly critical vulnerabilities in Linux kernel that allow a remote attacker to escalate privilege to the superuser privileges. MyCERT found that the vulnerability exploited via the vmsplice() function in the kernel to obtain root privileges. The vulnerability need an attacker to have at least an unprivileged account first on the system, in order to execute the exploit to escalate him/herself to higher privileges. We advice that all Linux machines which have the internet connection and hosting some web application to make the kernel patch as a priority precaution to avoid system compromise. The Proof-Of-Concept (POC) of the said vulnerability is currently published and available for the general public. Some of the Linux version known to be tested and vulnerable are: Debian Ubuntu Gutsy Fedora Core 7 and 8 Slackware 10 and 11
1.2. Software Affected Linux kernel 2.6.17 - 2.6.24.1 2. Solution 2.1. Update to the latest kernel patch 2.6.24.2 The updated version of the kernel patch can be obtained from:
http://www.kernel.org/pub/linux/kernel/v2.6/ The latest Linux kernel release is: 2.6.24.2. The documentation on how to update the kernel is available at:
http://www.mjmwired.net/kernel/Documentation/applying-patches.txt
or refer to respective Linux distribution documentation for kernel upgrades. 2.2. Check users lists Attacks involving the aforementioned vulnerabilities require at least one unprivileged user account in order to escalate to a higher privileges. Therefore, we advice that all systems that have multi-user environment should consists only trusted users to lower the risk being compromised. References http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14 http://blog.ericj2190.net/2008/02/11/linux-kernel-vmsplice-exploit/ http://www.milw0rm.com/exploits/5092 http://www.mjmwired.net/kernel/Documentation/applying-patches.txt
|
