Classified as CVE-2017-1000253, the bug was originally discovered by Google researcher Michael Davidson in April 2015.
Since it did not recognize as a severe bug at that time, the patch for this kernel flaw was not backported to long-term Linux distributions in kernel 3.10.77.
However, researchers at Qualys Research Labs has now found that this vulnerability could be exploited to escalate privileges and it affects all major Linux distributions, including Red Hat, Debian, and CentOS.
This vulnerability left all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable,” Qualys said in an advisory announced yesterday.
This vulnerability, which has been given a CVSS3 Base Score of 7.8 out of 10, resides in the way Linux kernel loads ELF executables, which potentially results in memory corruption.
Researchers find that an unprivileged local user with access to SUID (or otherwise privileged) Position Independent Executable (PIE) binary could use this vulnerability to escalate their privileges on the affected system.
In order to mitigate this issue, users can switch to the legacy mmap layout by setting vm.legacy_va_layout to 1, which will effectively disable the exploitation of this security flaw.
Since the nmap allocations start much lower in the process address space and follow the bottom-up allocation model, “the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.”
Qualys tells this flaw is not restricted to the PIEs whose read-write segment is general than 128MB, which is the minimum distance between the mmap_base and the highest address of the stack, not the lowest address of the stack.
So, when passing 1.5GB of argument strings to execve(), any PIE can be mapped directly below the stack and trigger the vulnerability.
Linux distributions, including Red Hat, Debian, and CentOS, have released security updates to address the vulnerability.
The Qualys team has promised to publish a proof-of-concept soon exploit that works on CentOS-7 kernel versions “3.10.0-514.21.2.el7.x86_64” and “3.10.0-514.26.1.el7.x86_64,” once a maximum number of users have had time to patch their systems against the flaw.