Use after free vulnerability in Linux kernel keychain management (CVE-2016-0728)
Red Hat Product Security has been notified of a vulnerability rated as Important in severity that stems from the Linux kernel version 3.10 shipped with Red Hat Enterprise Linux 7.
Background Information
An issue was reported that the kernel keyring facility was vulnerable to a possible use-after-free attack. Successful compromise could lead to local privilege escalation. The function join_session in security/keys/process_keys.c holds a reference to the requested keyring, but if that keyring was the same one currently being processed, the kernel would not decrease the keyring usage count before returning to userspace. The usage field could therefore be overflowed, causing a use-after-free on the keyring object.
- The exploit is documented at http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ .
- This issue is being managed through CVE-2016-0728 .
- This issue is documented in KB 2131021 .
- Direct exploitation of this issue requires a skilled attacker with local access.
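The reference-counting flaw described above, as an added illustration that is not part of the Red Hat advisory or of the kernel source: a constructed C model in which a lookup takes a reference on the keyring and an early return on the "already the current keyring" path either leaks that reference (the flaw) or releases it (the shape of the fix), contrasted with a saturating counter that refuses to wrap. All names (`keyring_obj`, `join_session_model`, `simulate`) are hypothetical, and the counter is started just below its maximum so the wrap is reached in a few iterations instead of roughly 2^32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of an object whose lifetime is governed by a
 * 32-bit usage counter, like the keyring object in the advisory.
 * Not kernel code; every name here is hypothetical. */
struct keyring_obj {
    uint32_t usage;   /* outstanding references */
    bool     freed;   /* set when the count reaches zero */
};

/* Plain increment: wraps silently at 2^32, the failure mode the advisory
 * describes. */
static bool get_plain(struct keyring_obj *k)
{
    k->usage++;
    return true;
}

/* Saturating increment (assumed semantics, in the spirit of the kernel's
 * later refcount_t): never wraps, reports the refused take instead. */
static bool get_saturating(struct keyring_obj *k)
{
    if (k->usage == UINT32_MAX)
        return false;
    k->usage++;
    return true;
}

/* Drop one reference; the object is freed when none remain. */
static void put_ref(struct keyring_obj *k)
{
    if (--k->usage == 0)
        k->freed = true;
}

/* Model of the control flow in the advisory: the lookup takes a reference,
 * and if the requested keyring is already the current session keyring the
 * call returns early. With leak_on_early_return the reference taken by the
 * lookup is never dropped (the bug); otherwise it is released before
 * returning (the shape of the fix). */
static bool join_session_model(struct keyring_obj *current_kr,
                               struct keyring_obj *requested,
                               bool leak_on_early_return,
                               bool saturating)
{
    bool ok = saturating ? get_saturating(requested) : get_plain(requested);
    if (!ok)
        return false;              /* take refused: nothing leaked */
    if (requested == current_kr) {
        if (!leak_on_early_return)
            put_ref(requested);    /* fixed path: balance the take */
        return true;               /* buggy path: reference leaked */
    }
    /* switching to a different keyring keeps the reference on purpose */
    return true;
}

enum outcome { ALIVE, FREED_WHILE_IN_USE, TAKE_REFUSED };

/* Run `joins` repeated joins of the current keyring against a counter that
 * starts at `start`, then let one legitimate holder drop its reference and
 * report what happened to the object. Leaked holders still exist, so a
 * free here is a use-after-free. */
static enum outcome simulate(uint32_t start, uint64_t joins,
                             bool leak_on_early_return, bool saturating)
{
    struct keyring_obj kr = { .usage = start, .freed = false };
    for (uint64_t i = 0; i < joins; i++) {
        if (!join_session_model(&kr, &kr, leak_on_early_return, saturating))
            return TAKE_REFUSED;
    }
    put_ref(&kr);   /* one real holder finishes with the keyring */
    return kr.freed ? FREED_WHILE_IN_USE : ALIVE;
}

int main(void)
{
    /* start just below the wrap so the model runs instantly; a real counter
     * starts small and needs about 2^32 leaked references to wrap */
    uint32_t near_max = UINT32_MAX - 1;
    printf("buggy join, plain counter:      %d\n", simulate(near_max, 3, true,  false));
    printf("buggy join, saturating counter: %d\n", simulate(near_max, 3, true,  true));
    printf("fixed join, plain counter:      %d\n", simulate(near_max, 3, false, false));
    return 0;
}
```

The three runs show why the fix and the saturating counter are complementary: releasing the reference on the early-return path removes the leak entirely, while a counter that refuses to wrap turns any remaining leak of this kind into a pinned, never-freed object instead of a dangling one.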
An attack could allow execution of arbitrary code and potential escalation of privileges by a skilled attacker.
The following versions of Red Hat Products are impacted:
- Red Hat Enterprise Linux 7 running kernel 3.10
This issue does not affect the Linux kernels shipped with Red Hat Enterprise Linux 5 or 6.
Take Action
Red Hat Security Advisories have been issued for this vulnerability. The links to the patches can be found below.
A SystemTap script is available, by request, to mitigate this issue. Please open a Support Case through the Red Hat Customer Portal or by phone to gain access to it.
Detailed Impact Information
| Product | Package | Advisory/Update |
|---|---|---|
| Red Hat Enterprise Linux 7 | kernel | RHSA-2016:0064 |
| Red Hat Enterprise Linux 7 | kernel-rt | RHSA-2016:0065 |
| Red Hat Enterprise MRG 2 | kernel-rt | RHSA-2016:0068 |