Vulnerability related to pppol2tp level handling (CVE-2014-4943) Alert

Updated -

Due to the manner in which the pppol2tp_setsockopt() and pppol2tp_getsockopt() functions in the Linux kernel's PPP over L2TP module are implemented, more specifically how the non-SOL_PPPOL2TP level socket options are handled, an unpriviledged local user could use this flaw to elevate their privileges on the system.

Note: This is only a concern from the local system. An attacker would need to already be logged into the local system to elevate their privileges in this manner.

Products Affected:

  • Red Hat Enterprise Linux 7

    • All Kernel Versions
  • Red Hat Enterprise Linux 6

    • All Kernel Versions

Note: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.

Resolution:

Future Linux kernel updates for Red Hat Enterprise Linux 6 and 7 will address this issue in full so as to disallow this exploit. However, in order to mitigate the vulnerability until a more permanent solution is available, the following workarounds can be used:

Workaround 1 - Disable (Automatic) loading of the module:

  • The mitigation steps outlined below will not properly protect against this exploit if the module is already loaded. If the modules are loaded and cannot be removed, for example, via modprobe -r, a reboot will be required before the changes take effect. This can be verified with the following:

    • Red Hat Enterprise Linux 6:
      $ lsmod | grep ^pppol2tp && echo "The module is loaded" || echo "The module is not loaded"

    • Red Hat Enterprise Linux 7:
      $ lsmod | grep ^l2tp_ppp && echo "The module is loaded" || echo "The module is not loaded"

  • In the instance of a system that does not need the pppol2tp module to function, automatic loading of it can be disabled using the following:

    • Red Hat Enterprise Linux 6:
      $ echo "install pppol2tp /bin/true" > /etc/modprobe.d/pppol2tp.conf

    • Red Hat Enterprise Linux 7:
      $ echo "install l2tp_ppp /bin/true" > /etc/modprobe.d/l2t_pppp.conf

  • This workaround is persistent across reboots.

Workaround 2 - Allowing use of the module, while mitigating this exploit:

  • For systems that require the use of the pppol2tp module, the following systemtap script can be used. This will allow the loading of the module as well as its use. However, this particular exploit will be disabled. This will require that the systemtap-required packages are installed to the system and that the script is loaded and running at all times.

    1) Install the necessary packages if not already installed

    What is SystemTap and how to use it?

    2) Create a new text file with the following contents and including the ".stp" extension:

    probe module("*l2tp*").function("pppol2tp_*etsockopt").call {
        $level = 273;
    }
    

    3) Start the above script in the following manner:

    $ stap -g <filename-from-previous-step>.stp"
    

Note: Workaround 2 above will not be persistent across a reboot. Each reboot will require that the script be re-executed in order to guard against this vulnerability.

Additional Note:

With Red Hat Enterprise Linux 6, the pppol2tp module is not automatically loaded when a AF_PPPOX/PX_PROTO_OL2TP socket is created, as Red Hat Enterprise Linux 6 lacks upstream commit 9395a09d05a23bb, and default modprobe configuration as shipped with module-init-tools package does not contain the alias for pppol2tp protocol either. As a result, the pppol2tp module has to be explicitly enabled and/or loaded by the system administrator in order for the system to be vulnerable.