CVE-2017-1000253 - load_elf_binary does not allocate sufficient space
Was this information helpful?
Was this information helpful?
Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's implementation of loading ELF binaries. Provided that an application is built as Position Independent Executable (PIE), the loader can allow part of that application's data segment to map over the memory area reserved for its stack resulting in corruption of the stack, with possible privilege escalation. The vulnerability has been assigned CVE-2017-1000253. This issue was publicly disclosed on Tuesday September 26th, 2017 and is rated as Important.
Position Independent Executables are a security mechanism intended to increase the difficulty of attackers by allowing for randomizing the memory location of an applications binaries (ELF), libraries and related assets. This is intended to decrease the success of a generic attack by reducing the predictability of data at specific memory locations.
Executables can be created with PIE as a compile-time option dictated by the '-pie' flag passed to the compiler.
$ gcc -pie test.c -o test
Existing programs can be determined to be PIE executable using 'readelf' and looking for specific headers. Below is an example of the commands used to verify the previously compiled test executable.
$ readelf -h ./test | grep "Type:[[:space:]]*DYN " Type: DYN (Shared object file) $ readelf -d ./test |grep "(DEBUG)" 0x0000000000000015 (DEBUG) 0x0
Attackers do not need to have the ability to create PIE executables but can leverage existing PIE executables on the system to abuse.
Red Hat would like to thank Qualys Research Labs for reporting this flaw.
https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt
https://access.redhat.com/blogs/766093/posts/1975793
http://www.trapkit.de/tools/checksec.html
https://en.wikipedia.org/wiki/Position-independent_code#Position-independent_executables
https://sourceware.org/binutils/docs/binutils/readelf.html
Red Hat Product Security has rated this update as having a security impact of Important.
The following Red Hat product versions are impacted:
Systems running Red Hat Enterprise Linux 7.4, with kernel versions of kernel-3.10.0-693 or newer
Red Hat's Linux containers inherit kernel flaws from their host's kernel. Red Hat recommends that you use the most recent versions of available container images. The Container Health Index, part of the Red Hat Container Catalog, can always be used to verify the security status of your containers.
The flaw occurs when the kernel attempts to load an ELF executable and it does not correctly calculate the overall size of the required memory. When the kernel load segments of the binary, be mapped into and past the area that is intended to be a gap between the application and the stack
An attacker would need to craft the binary that is being executed to ensure that the correct size allocations take place and, when the data is corrupted, that it is overlayed with a valid and working payload. While the attacker cannot modify kernel instructions, if the attack runs against a targeted privileged userspace application that is setuid, or has additional user capabilites, it may be possible to gain elevated privileges.
An attacker must have access to a local account on the system; this is not a remote attack.
All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to take affect.
A kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available*. Please open a support case to gain access to the kpatch.
For more details about what a kpatch is: Is live kernel patching (kpatch) supported in RHEL 7?
* An active premium subscription entitlement is required to request kpatch.
Product | Package | Advisory |
---|---|---|
Red Hat Enterprise Linux 7.3 Extended Update Support** | kernel | RHSA-2017:2793 |
Red Hat Enterprise Linux 7.2 Extended Update Support** | kernel | RHSA-2017:2794 |
Red Hat Enterprise Linux 6 | kernel | RHSA-2017:2795 |
Red Hat Enterprise Linux 6.7 Extended Update Support** | kernel | RHSA-2017:2796 |
Red Hat Enterprise Linux 6.6 Advanced Update Support*** | kernel | RHSA-2017:2797 |
Red Hat Enterprise Linux 6.5 Advanced Update Support*** | kernel | RHSA-2017:2798 |
Red Hat Enterprise Linux 6.4 Advanced Update Support*** | kernel | RHSA-2017:2799 |
Red Hat Enterprise Linux 6.2 Advanced Update Support*** | kernel | RHSA-2017:2800 |
Red Hat Enterprise Linux 5 Extended Life Support | kernel | RHSA-2017:2801 |
Red Hat Enterprise Linux 5.9 Advanced Update Support*** | kernel | RHSA-2017:2802 |
**An active EUS subscription is required for access to this patch.
Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.
What is the Red Hat Enterprise Linux Extended Update Support Subscription?
***An active AUS subscription is required for access to this patch in RHEL AUS.
We recommend to test your systems and applications before deploying this mitigation on production systems.
If further assistance is needed please contact Red Hat Global Support Services.
An Ansible playbook is available. To verify the legitimacy of the script, you can download the detached GPG signature as well.
The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):
# ansible-playbook -e HOSTS=hostname cve-2017-1000253-mitigation.yml
This playbook requires root privileges and specifies 'become: true', so you will need to use an account with appropriate permissions.
Comments