Does CVE-2010-3081 affect Red Hat Enterprise Linux?

Issue

The flaw identified by CVE-2010-3081 (Red Hat Bugzilla bug 634457) describes an issue in the 32/64-bit compatibility layer implementation in the Linux kernel, versions 2.6.26-rc1 to 2.6.36-rc4. The compat_alloc_user_space() function is missing a sanity check on the length argument, and also a check to make sure the pointer to the block of memory in user-space that the process is attempting to write to is valid. This flaw was addressed via the upstream git commit c41d68a5 for the 2.6 Linux kernel.

This function could be abused in other areas of the Linux kernel. A known example of this is the compat_mc_getsockopt() function for MCAST_MSFILTER that was introduced in upstream git commit 42908c69 (v2.6.26-rc1).

A local, unprivileged user could use this flaw to escalate their privileges.

Environment

Red Hat Enterprise Linux 5 and 6

This issue affects the 64-bit versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and 6, as they include a backport of the upstream git commit 42908c69, which introduced the compat_mc_getsockopt() function that a local, unprivileged user can use to abuse the compat_alloc_user_space() call to escalate their privileges.

A public exploit affecting Red Hat Enterprise Linux 5 (Red Hat Enterprise Linux 6 is not affected by the public exploit) was released for this issue to the Full Disclosure mailing list: http://www.seclists.org/fulldisclosure/2010/Sep/268

Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG

Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG are not affected by the publicly-circulated exploit.

The Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG kernels do not include a backport of the upstream git commit 42908c69; therefore, those kernels do not include compat_mc_getsockopt(). However, it may be possible to abuse this in other areas of the Linux kernel. We plan to backport the missing compat_alloc_user_space() sanity checks in future Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG updates.

Red Hat Enterprise Linux 3

It was originally stated that Red Hat Enterprise Linux 3 is not affected by this vulnerability. This is incorrect. It was discovered that Red Hat Enterprise Linux 3 is vulnerable: it is missing the compat_alloc_user_space() sanity checks, which could possibly be abused in other areas of the Linux kernel.

Note: Red Hat Enterprise Linux 3 is not affected by the publicly-circulated exploit.

Resolution

Mitigation

As suggested on the Full Disclosure mailing list, it is possible to temporarily mitigate this issue. However, the steps provided below are only meant for the publicly-circulated exploit - they are insufficient for completely mitigating this vulnerability. As such, we strongly encourage you to install the updated kernel packages for Red Hat Enterprise Linux 3 Extended Life Cycle Support, Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG.

As it is possible for the exploit to leave a backdoor in memory, you may wish to perform a system reboot before following the instructions below, or perform your standard incident handling procedures.

Run the following echo command as the root user to apply the mitigation. Note that this step is not persistent, and will prevent 32-bit applications from running:

# echo ':32bits:M::\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

To make this change persistent, append the above line (without the "#" character) to /etc/rc.local. The echo command above creates the following /proc/sys/fs/binfmt_misc/32bits file:

# cat /proc/sys/fs/binfmt_misc/32bits
enabled
interpreter /bin/echo
flags: 
offset 0
magic 7f454c4601

This mitigation registers a new binary type that matches the '\x7fELF\x01' magic and invokes /bin/echo each time a 32-bit binary is executed. The magic string '\x7fELF\x01' consists of two parts: the ELF magic number (the first 4 bytes) and the ELF class byte (the last byte). '\x01' indicates a 32-bit object, whereas '\x02' would indicate a 64-bit object.

If you need to remove the mitigation, run the following command as the root user to restore the default behavior (and remove the above changes to /etc/rc.local if made):

# echo -1 > /proc/sys/fs/binfmt_misc/32bits

For more information, refer to http://www.kernel.org/doc/Documentation/binfmt_misc.txt.
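As an added example that is not part of the Red Hat article, the POSIX sh helpers below classify a binary by the same 5-byte magic the mitigation matches on (useful for listing in advance which 32-bit programs the mitigation will stop from running) and check whether a registered binfmt_misc entry has the expected shape. The sample files and the entry text under SAMPLE_DIR are constructed here, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Red Hat article. Requires od(1), printf(1),
# grep(1) and mktemp(1).

# elf_class FILE -> prints "32", "64" or "not-elf", based on bytes 0..4:
# 7f 45 4c 46 ("\x7fELF") followed by the class byte (01 = 32-bit, 02 = 64-bit)
elf_class() {
    magic=$(od -An -tx1 -N5 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo not-elf ;;
    esac
}

# list_elf32 DIR -> prints every regular file in DIR that the mitigation's
# magic would match, i.e. the 32-bit programs that would stop running
list_elf32() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(elf_class "$f")" = 32 ] && printf '%s\n' "$f"
    done
    return 0
}

# mitigation_active ENTRYFILE -> 0 if the entry (normally
# /proc/sys/fs/binfmt_misc/32bits) is enabled, uses /bin/echo as the
# interpreter and carries the 32-bit ELF magic; 1 otherwise
mitigation_active() {
    [ -r "$1" ] || return 1
    grep -qx 'enabled' "$1" &&
    grep -qx 'interpreter /bin/echo' "$1" &&
    grep -qx 'magic 7f454c4601' "$1"
}

# Constructed sample input: two minimal ELF-header prefixes, a text file and
# a copy of the entry text shown in the article.
SAMPLE_DIR=$(mktemp -d)
printf '\177ELF\001rest-of-header' > "$SAMPLE_DIR/elf32"
printf '\177ELF\002rest-of-header' > "$SAMPLE_DIR/elf64"
printf 'not an elf file\n' > "$SAMPLE_DIR/text"
printf 'enabled\ninterpreter /bin/echo\nflags: \noffset 0\nmagic 7f454c4601\n' \
    > "$SAMPLE_DIR/32bits"

# Usage on a live system: list_elf32 /usr/bin ; mitigation_active /proc/sys/fs/binfmt_misc/32bits
```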

Solution

This issue has been fixed in Red Hat Enterprise Linux 3 Extended Life Cycle Support, Red Hat Enterprise Linux 4 and 5, Red Hat Enterprise Linux 4.7 and 5.4 Extended Update Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise MRG via the Red Hat Security Advisories RHSA-2010:0882, RHSA-2010:0718, RHSA-2010:0704, RHSA-2010:0719, RHSA-2010:0705, RHSA-2010:0842, and RHSA-2010:0758 respectively.

Further assistance

If you require assistance with mitigating this issue, or would like to request a hotfix, please contact Red Hat Support: https://access.redhat.com/support/contact/technicalSupport.html.

Revision History

2010-09-17: Article updated with mitigation based on the information provided on the Full Disclosure mailing list.

2010-09-20: Article updated to reflect that the provided mitigation steps are only meant for the publicly-circulated exploit, and do not provide complete mitigation of this issue.

2010-09-21: Article updated to reflect the release of the Red Hat Security Advisories RHSA-2010:0704 and RHSA-2010:0705, which fix the CVE-2010-3081 flaw for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 5.4 Extended Update Support. The article was also updated to clarify that the publicly-circulated exploit does not affect Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG.

2010-09-29: Article updated to reflect the release of the Red Hat Security Advisories RHSA-2010:0718 and RHSA-2010:0719, which fix the CVE-2010-3081 flaw for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 4.7 Extended Update Support.

2010-10-08: Article updated to reflect the release of the Red Hat Security Advisory RHSA-2010:0758, which fixes the CVE-2010-3081 flaw for Red Hat Enterprise MRG.

2010-11-23: This article was updated to reflect that Red Hat Enterprise Linux 3 is actually vulnerable to CVE-2010-3081. It was also updated to reflect the release of the Red Hat Security Advisories RHSA-2010:0882 and RHSA-2010:0842, which fix the CVE-2010-3081 issue for Red Hat Enterprise Linux 3 Extended Life Cycle Support (ELS) and Red Hat Enterprise Linux 6 respectively.
