CVE-2017-1000253 - load_elf_binary does not allocate sufficient space

Public Date: September 19, 2017, 12:54
Updated: November 6, 2017, 14:53
Status: Resolved
Impact: Important

Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's implementation of loading ELF binaries. Provided that an application is built as a Position Independent Executable (PIE), the loader can allow part of that application's data segment to map over the memory area reserved for its stack, resulting in corruption of the stack, with possible privilege escalation. The vulnerability has been assigned CVE-2017-1000253. This issue was publicly disclosed on Tuesday September 26th, 2017 and is rated as Important.

Background Information

Position Independent Executables are a security mechanism intended to make attacks more difficult by allowing the memory location of an application's binaries (ELF), libraries and related assets to be randomized. This is intended to decrease the success of a generic attack by reducing the predictability of data at specific memory locations.

PIE Executable Specifics

Executables can be created with PIE as a compile-time option dictated by the '-pie' flag passed to the compiler.  

$ gcc -pie test.c -o test

Whether an existing program is a PIE executable can be determined using 'readelf' and looking for specific headers. Below is an example of the commands used to verify the previously compiled test executable.

$  readelf -h ./test | grep "Type:[[:space:]]*DYN "
  Type:                              DYN (Shared object file)

$ readelf -d ./test |grep "(DEBUG)"
 0x0000000000000015 (DEBUG)              0x0
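
The two readelf checks above (file type DYN, plus a DEBUG entry in the dynamic section) can also be made directly on the file bytes. The following Python is an added example, not part of the original advisory; it handles ELF64 little-endian only, and classify_elf and build_sample are names chosen here, with build_sample producing a constructed test image.

```python
import struct

ET_EXEC, ET_DYN = 2, 3        # e_type values
PT_DYNAMIC = 2                # program header that locates the dynamic section
DT_NULL, DT_DEBUG = 0, 0x15   # 0x15 is the (DEBUG) tag printed by readelf -d

def classify_elf(data: bytes) -> str:
    """Classify an ELF64 little-endian image as 'pie', 'shared-object' or 'non-pie'."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    try:
        (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
         _, _, _) = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
        if e_type != ET_DYN:              # readelf -h: Type is not DYN
            return "non-pie"
        for i in range(e_phnum):
            p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
                "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
            if p_type != PT_DYNAMIC:
                continue
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, _ = struct.unpack_from("<qQ", data, off)
                if d_tag == DT_NULL:      # end of the dynamic array
                    break
                if d_tag == DT_DEBUG:     # readelf -d: (DEBUG) present
                    return "pie"
    except struct.error as exc:
        raise ValueError("truncated or malformed ELF image") from exc
    return "shared-object"                # DYN without DEBUG, e.g. a library

def build_sample(e_type: int, tags: list) -> bytes:
    """Constructed test image: ELF header, one PT_DYNAMIC header, dynamic entries."""
    dyn = b"".join(struct.pack("<qQ", t, 0) for t in tags + [DT_NULL])
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                       e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 120, 120,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify_elf(f.read()))
```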

Attackers do not need the ability to create PIE executables; they can abuse existing PIE executables on the system.

Acknowledgments

Red Hat would like to thank Qualys Research Labs for reporting this flaw.

Additional References

https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt
https://access.redhat.com/blogs/766093/posts/1975793
http://www.trapkit.de/tools/checksec.html
https://en.wikipedia.org/wiki/Position-independent_code#Position-independent_executables
https://sourceware.org/binutils/docs/binutils/readelf.html


Impacted Products

Red Hat Product Security has rated this update as having a security impact of Important.

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7 (prior to the 7.4.0 release)
  • Red Hat Enterprise Linux for Realtime (prior to version kernel-rt-3.10.0-693.rt56.617)
  • Red Hat Enterprise MRG 2 (prior to version kernel-rt-3.10.0-693.2.1.rt56.585.el6rt)

Products that are not Impacted

Systems running Red Hat Enterprise Linux 7.4, with kernel versions of kernel-3.10.0-693 or newer, systems running Red Hat Enterprise Linux for Realtime, with kernel versions of kernel-rt-3.10.0-693.rt56.617 or newer, and systems running Red Hat Enterprise MRG-2, with kernel versions of kernel-rt-3.10.0-693.2.1.rt56.585.el6rt or newer are not impacted by this vulnerability.

Red Hat's Linux containers inherit kernel flaws from their host's kernel.  Red Hat recommends that you use the most recent versions of available container images. The Container Health Index, part of the Red Hat Container Catalog, can always be used to verify the security status of your containers.

Attack Description and Impact

The flaw occurs when the kernel attempts to load an ELF executable and it does not correctly calculate the overall size of the required memory.  When the kernel loads segments of the binary, part of the binary can then be mapped into and past the area that is intended to be a gap between the application and the stack, possibly resulting in overlapping parts of the binary with the stack itself.

An attacker would need to craft the binary that is being executed to ensure that the correct size allocations take place and, when the data is corrupted, that it is overlaid with a valid and working payload. While the attacker cannot modify kernel instructions, if the attack runs against a targeted privileged userspace application that is setuid, or has additional user capabilities, it may be possible to gain elevated privileges.

An attacker must have access to a local account on the system; this is not a remote attack.

Diagnose your vulnerability

Determine if your system is vulnerable

Use the detection script below to determine if your system is currently vulnerable to this flaw. To verify the legitimacy of the script, you can download the detached GPG signature as well. The current version of the script is 1.1.

Take Action

All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to take effect.

Updates for Affected Products

kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available*. Please open a support case to gain access to the kpatch.

For more details about what a kpatch is: Is live kernel patching (kpatch) supported in RHEL 7?

* An active premium subscription entitlement is required to request kpatch.

Product                                                    Package  Advisory
Red Hat Enterprise Linux 7.3 Extended Update Support**     kernel   RHSA-2017:2793
Red Hat Enterprise Linux 7.2 Extended Update Support**     kernel   RHSA-2017:2794
Red Hat Enterprise Linux 6                                 kernel   RHSA-2017:2795
Red Hat Enterprise Linux 6.7 Extended Update Support**     kernel   RHSA-2017:2796
Red Hat Enterprise Linux 6.6 Advanced Update Support***    kernel   RHSA-2017:2797
Red Hat Enterprise Linux 6.5 Advanced Update Support***    kernel   RHSA-2017:2798
Red Hat Enterprise Linux 6.4 Advanced Update Support***    kernel   RHSA-2017:2799
Red Hat Enterprise Linux 6.2 Advanced Update Support***    kernel   RHSA-2017:2800
Red Hat Enterprise Linux 5 Extended Life Support           kernel   RHSA-2017:2801
Red Hat Enterprise Linux 5.9 Advanced Update Support***    kernel   RHSA-2017:2802

**An active EUS subscription is required for access to this patch.

Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.

What is the Red Hat Enterprise Linux Extended Update Support Subscription?

***An active AUS subscription is required for access to this patch in RHEL AUS.

Mitigation

By setting vm.legacy_va_layout to 1 we can effectively disable the exploitation of this issue by switching to the legacy mmap layout. The mmap allocations start much lower in the process address space and follow the bottom-up allocation model. As such, the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.

64-bit processes on Red Hat Enterprise Linux 5 are forced to use the legacy virtual address space layout regardless of the vm.legacy_va_layout value.

Note: Applications that have demands for a large linear address space (such as certain databases) may be unable to handle the legacy memory layout proposed using this mitigation. We recommend testing your systems and applications before deploying this mitigation on production systems.

Edit the /etc/sysctl.conf file as root, and add or amend:
vm.legacy_va_layout = 1
To apply this setting, run the /sbin/sysctl -p command as the root user to reload the settings from /etc/sysctl.conf.

Verify that vm.legacy_va_layout is now set to the defined value:
$ /sbin/sysctl vm.legacy_va_layout
    vm.legacy_va_layout = 1
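
An added example, not part of the original advisory or of the Red Hat detection script: it reports whether the mitigation is both active in the running kernel and persisted in /etc/sysctl.conf, so a setting that would be lost at reboot or that was never loaded is caught. The function names are chosen here, and reading the live value from /proc/sys/vm/legacy_va_layout is assumed to be equivalent to the /sbin/sysctl query above.

```python
from pathlib import Path

KEY = "vm.legacy_va_layout"

def persisted_value(conf_text: str, key: str = KEY):
    """Return the last value assigned to key in sysctl.conf text, or None."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or sysctl.conf comment
            continue
        name, sep, val = line.partition("=")
        if sep and name.strip() == key:
            value = val.strip()              # a later assignment overrides an earlier one
    return value

def mitigation_state(conf_text: str, runtime: str) -> str:
    """Compare the persisted setting with the running kernel's value."""
    persisted = persisted_value(conf_text)
    running = runtime.strip() == "1"
    if running and persisted == "1":
        return "applied-and-persistent"
    if running:
        return "applied-not-persistent"      # would be lost at the next reboot
    if persisted == "1":
        return "persistent-not-applied"      # settings file not reloaded yet
    return "not-mitigated"

if __name__ == "__main__":
    conf = Path("/etc/sysctl.conf").read_text()
    runtime = Path("/proc/sys/vm/legacy_va_layout").read_text()
    print(mitigation_state(conf, runtime))
```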

If further assistance is needed please contact Red Hat Global Support Services.

Ansible Playbook

An Ansible playbook is available. To verify the legitimacy of the script, you can download the detached GPG signature as well.

The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):

# ansible-playbook -e HOSTS=hostname cve-2017-1000253-mitigation.yml

This playbook requires root privileges and specifies 'become: true', so you will need to use an account with appropriate permissions.
