Vulnerability related to pppol2tp level handling (CVE-2014-4943) Alert

The pppol2tp_setsockopt() and pppol2tp_getsockopt() functions in the Linux kernel's PPP over L2TP module mishandle socket options whose level is not SOL_PPPOL2TP: instead of rejecting them, they fall back to the UDP socket option handlers even though the socket is not a UDP socket. An unprivileged local user could use this flaw to elevate their privileges on the system.

Note: This is only exploitable locally. An attacker would already need to be able to run code as a local user on the system in order to elevate their privileges in this manner.

Products Affected:

  • Red Hat Enterprise Linux 7

    • All Kernel Versions
  • Red Hat Enterprise Linux 6

    • All Kernel Versions

Note: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.

Resolution:

Future Linux kernel updates for Red Hat Enterprise Linux 6 and 7 will fix this issue. Until a fixed kernel is installed, one of the following workarounds can be used to mitigate the vulnerability:

Workaround 1 - Disable (Automatic) loading of the module:

  • The steps below do not protect a system on which the module is already loaded. If the module is loaded and cannot be unloaded (for example with modprobe -r, which fails while the module is in use), a reboot is required before the change takes effect. Check whether the module is loaded with:

    • Red Hat Enterprise Linux 6:
      $ lsmod | grep ^pppol2tp && echo "The module is loaded" || echo "The module is not loaded"

    • Red Hat Enterprise Linux 7:
      $ lsmod | grep ^l2tp_ppp && echo "The module is loaded" || echo "The module is not loaded"

  • On a system that does not need the pppol2tp module, automatic loading of it can be disabled as root with:

    • Red Hat Enterprise Linux 6:
      # echo "install pppol2tp /bin/true" > /etc/modprobe.d/pppol2tp.conf

    • Red Hat Enterprise Linux 7:
      # echo "install l2tp_ppp /bin/true" > /etc/modprobe.d/l2tp_ppp.conf

  • This workaround persists across reboots.
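The procedure in Workaround 1 as one script, added here as an example and not Red Hat's own tooling: it picks the module name from the /etc/redhat-release text, writes the modprobe.d override, confirms with a modprobe dry run that the override is actually in effect, and then handles the already-loaded case the note above warns about. The helper functions take their input as arguments so they can be checked without root; the release-string matching, the conf file name and the --apply switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling): apply and verify Workaround 1 for
# CVE-2014-4943. Module names are the advisory's: pppol2tp (RHEL 6) and
# l2tp_ppp (RHEL 7). The release matching and conf path are assumptions.

# Map the /etc/redhat-release text to the module name on that release.
# Takes the text as an argument so it can be exercised offline.
l2tp_module_for_release() {
    case "$1" in
        *" release 6."*) echo pppol2tp ;;
        *" release 7."*) echo l2tp_ppp ;;
        *) echo "unsupported release: $1" >&2; return 1 ;;
    esac
}

# Return 0 if the given lsmod output lists the module. Anchored on the first
# column so "pppol2tp" does not match some other module with that prefix.
module_loaded_in() {
    printf '%s\n' "$2" | grep -q "^$1[[:space:]]"
}

# The modprobe.d directive that turns an automatic load into a no-op.
disable_directive() {
    printf 'install %s /bin/true\n' "$1"
}

# Return 0 if "modprobe -n -v <module>" output shows the override is active:
# the dry run prints the install command modprobe would execute.
override_active_in() {
    printf '%s\n' "$1" | grep -q '^install /bin/true'
}

apply_workaround_1() {
    mod=$(l2tp_module_for_release "$(cat /etc/redhat-release)") || return 1
    conf=/etc/modprobe.d/$mod.conf

    disable_directive "$mod" > "$conf"
    echo "wrote '$(cat "$conf")' to $conf"

    if override_active_in "$(modprobe -n -v "$mod" 2>&1)"; then
        echo "automatic loading of $mod is now disabled"
    else
        echo "override not visible to modprobe, check $conf" >&2
        return 1
    fi

    # The override only prevents future loads; a module that is already
    # loaded stays vulnerable until it is unloaded or the system reboots.
    if module_loaded_in "$mod" "$(lsmod)"; then
        if modprobe -r "$mod" 2>/dev/null; then
            echo "unloaded $mod"
        else
            echo "$mod is loaded and in use: reboot required" >&2
            return 2
        fi
    fi
}

# Only touch the system when asked, so the helpers can be sourced and
# checked without root.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround_1
fi
```

Run it as root with --apply; the exit status is 1 if the override could not be verified and 2 if the module is still loaded and a reboot is needed.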

Workaround 2 - Allowing use of the module, while mitigating this exploit:

  • For systems that require the pppol2tp module, the following SystemTap script can be used instead. The module can still be loaded and used, but every pppol2tp_setsockopt()/pppol2tp_getsockopt() call is forced onto the SOL_PPPOL2TP path, so the vulnerable handling of other option levels is never reached. This requires the SystemTap packages (systemtap, plus kernel-devel and kernel-debuginfo matching the running kernel, since guru mode needs debug information to write to the $level argument) and the script must be running at all times.

    1) Install the necessary packages if not already installed; see the Red Hat Knowledgebase article "What is SystemTap and how to use it?".

    2) Create a new text file with the ".stp" extension and the following contents:

    /* Force every pppol2tp_setsockopt()/pppol2tp_getsockopt() call onto the
       SOL_PPPOL2TP (273) path so no other option level reaches the vulnerable
       fallback. Assigning to $level needs guru mode (stap -g). */
    probe module("*l2tp*").function("pppol2tp_*etsockopt").call {
        $level = 273;
    }

    3) Start the script as root:

    # stap -g <filename-from-previous-step>.stp

    The probe is active only while this stap process is running; it is removed as soon as the process exits.

Note: Workaround 2 is not persistent across a reboot. The script must be started again after every reboot in order to guard against this vulnerability.
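A pre-flight check and launcher for Workaround 2, added here as an example and not Red Hat's own tooling: it confirms the packages SystemTap needs are installed, checks that the script file still forces $level to 273, uses stap -l to confirm the probe point resolves to both pppol2tp_setsockopt and pppol2tp_getsockopt (if only one resolves, the mitigation is incomplete), and then starts stap in the background with a pid file so its liveness can be checked after the fact. The probe point is the advisory's; the script path, pid file, log file and the start/status switches are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling): pre-flight checks and a launcher
# for the advisory's Workaround 2 SystemTap script. STP, PIDFILE and LOGFILE
# are assumed locations.

PROBE='module("*l2tp*").function("pppol2tp_*etsockopt").call'
STP=${STP:-/root/cve-2014-4943.stp}
PIDFILE=/var/run/cve-2014-4943-stap.pid
LOGFILE=/var/log/cve-2014-4943-stap.log

# Return 0 only if a "stap -l" listing resolved both pppol2tp_setsockopt and
# pppol2tp_getsockopt. A .call probe cannot attach to an inlined function, so
# a listing with just one of them means half the entry points stay unguarded.
probe_covers_both() {
    printf '%s\n' "$1" | grep -q 'function("pppol2tp_setsockopt' &&
    printf '%s\n' "$1" | grep -q 'function("pppol2tp_getsockopt'
}

# Return 0 if the script text assigns 273 (SOL_PPPOL2TP) to $level, i.e. it
# still does what the advisory describes and has not been edited away.
script_forces_level() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*\$level[[:space:]]*=[[:space:]]*273'
}

preflight() {
    krel=$(uname -r)
    # Guru mode cannot resolve $level without DWARF for the running kernel.
    rpm -q systemtap "kernel-devel-$krel" "kernel-debuginfo-$krel" >/dev/null || {
        echo "install systemtap, kernel-devel-$krel and kernel-debuginfo-$krel first" >&2
        return 1
    }
    script_forces_level "$(cat "$STP")" || {
        echo "$STP does not set \$level = 273" >&2
        return 1
    }
    probe_covers_both "$(stap -l "$PROBE" 2>&1)" || {
        echo "probe point does not resolve both functions, check 'stap -l'" >&2
        return 1
    }
}

mitigation_status() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "mitigation active (pid $(cat "$PIDFILE"))"
    else
        echo "mitigation NOT active"
        return 1
    fi
}

start_mitigation() {
    preflight || return 1
    mitigation_status >/dev/null 2>&1 && { mitigation_status; return 0; }
    # The probe lives only as long as this process, and nothing restarts it
    # after a reboot, which is why the advisory calls this non-persistent.
    nohup stap -g "$STP" >"$LOGFILE" 2>&1 &
    echo $! > "$PIDFILE"
    echo "started stap (pid $(cat "$PIDFILE")), output in $LOGFILE"
}

case "${1:-}" in
    start)  start_mitigation ;;
    status) mitigation_status ;;
esac
```

Run "start" as root after each reboot and "status" from monitoring to confirm the stap process is still alive; a non-zero status exit means the system is currently unprotected.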

Additional Note:

On Red Hat Enterprise Linux 6 the pppol2tp module is not loaded automatically when an AF_PPPOX/PX_PROTO_OL2TP socket is created, because Red Hat Enterprise Linux 6 lacks upstream commit 9395a09d05a23bb and the default modprobe configuration shipped with the module-init-tools package does not contain the alias for the pppol2tp protocol either. As a result, the pppol2tp module has to be explicitly enabled and/or loaded by the system administrator before the system is vulnerable.
