Security Advisory: RHEL glibc based privilege escalation (CVE-2014-5119, important)

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

A public exploit was released on August 25th. It uses a flaw in glibc that can allow a local unprivileged user to gain root on Red Hat Enterprise Linux machines. To exploit this flaw, an attacker needs to be able to run arbitrary unprivileged code on the local system.

Resolution

  • Please update your glibc to the latest version. Check the errata RHSA-2014:1110-1 for the glibc that matches your operating system version.

  • For RHEL 5.9.z EUS, RHEL 5.6.z ELS, RHEL 6.2 AUS, or RHEL 6.4.z EUS, check the errata RHSA-2014:1118-1 for the glibc that matches your operating system version.

  • This issue cannot be mitigated.

  • The issue cannot be blocked by our security technologies (such as SELinux).

  • A reboot of the server is recommended, as described in "Which packages require a system reboot after update?"
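
A post-update check for the steps above, as an added example (not Red Hat's tooling). It assumes the fixed glibc package's RPM changelog names the CVE, as Red Hat's backported fixes usually do; the function names are hypothetical. It also lists processes that still map the pre-update libc, which is what the recommended reboot clears.

```shell
#!/bin/sh
# Added example: verify the glibc fix and find processes still on the old libc.

CVE="CVE-2014-5119"

# Succeeds if the changelog text on stdin mentions the CVE.
# Assumption: the fixed package's changelog names the CVE id.
# Typical use: rpm -q --changelog glibc | changelog_has_cve
changelog_has_cve() {
    grep -q -- "$CVE"
}

# Print the PIDs under a proc root (default /proc) whose memory maps still
# reference a deleted libc, i.e. processes started before the update.
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Matches e.g. "/lib64/libc-2.12.so (deleted)", but not libcrypto.
        if grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$maps" 2>/dev/null; then
            pid_dir="${maps%/maps}"
            echo "${pid_dir##*/}"
        fi
    done
}

# Report both checks for the local system (run as root to see every process).
report() {
    if rpm -q --changelog glibc | changelog_has_cve; then
        echo "glibc changelog lists $CVE"
    else
        echo "glibc changelog does not list $CVE: apply the erratum"
    fi
    pids="$(stale_libc_pids /proc)"
    if [ -n "$pids" ]; then
        echo "processes still mapping the pre-update libc (restart them or reboot):"
        echo "$pids"
    fi
}

# Only touch the live system when asked to: sh check-glibc.sh --report
if [ "${1:-}" = "--report" ]; then
    report
fi
```

An empty PID list after the update means no running process still maps the replaced library; PID 1 appearing in the list can only be cleared by a reboot.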

Root Cause

  • This vulnerability was caused by a glibc off-by-one error, leading to a heap-based buffer overflow flaw in glibc's __gconv_translit_find() function.
  • This issue is more easily exploited on 32-bit architectures, due to the limited memory address space and Address Space Layout Randomization (ASLR) behavior. While 64-bit architectures are also prone to the attack, 64-bit ASLR makes the address poisoning more difficult.

  • This issue was tracked as CVE-2014-5119.

  • There are currently only 32-bit exploit artifacts. While 64-bit architectures are also exploitable, we are not aware of a working proof of concept.

For more details, please visit Bug 1119128.

  • Credits: This issue was discovered by Tavis Ormandy. For more details, read the post.
