CVE-2017-1000253 - load_elf_binary does not allocate sufficient space

Public Date: September 19, 2017, 12:54
Updated November 6, 2017, 14:53 - Japanese

Was this information helpful?

Resolved Status
Important Impact

Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's implementation of loading ELF binaries. Provided that an application is built as Position Independent Executable (PIE), the loader can allow part of that application's data segment to map over the memory area reserved for its stack resulting in corruption of the stack, with possible privilege escalation. The vulnerability has been assigned CVE-2017-1000253. This issue was publicly disclosed on Tuesday September 26th, 2017 and is rated as Important.

Background Information

Position Independent Executables are a security mechanism intended to increase the difficulty of attackers by allowing for randomizing the memory location of an applications binaries (ELF), libraries and related assets. This is intended to decrease the success of a generic attack by reducing the predictability of data at specific memory locations.

PIE Executable Specifics

Executables can be created with PIE as a compile-time option dictated by the '-pie' flag passed to the compiler.  

$ gcc -pie test.c -o test

Existing programs can be determined to be PIE executable using 'readelf' and looking for specific headers.  Below is an example of the commands used to verify the previously compiled test executable.

$  readelf -h ./test | grep "Type:[[:space:]]*DYN "
  Type:                              DYN (Shared object file)

$ readelf -d ./test |grep "(DEBUG)"
 0x0000000000000015 (DEBUG)              0x0

Attackers do not need to have the ability to create PIE executables but can leverage existing PIE executables on the system to abuse.

Acknowledgments

Red Hat would like to thank Qualys Research Labs for reporting this flaw.

Additional References

https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt
https://access.redhat.com/blogs/766093/posts/1975793
http://www.trapkit.de/tools/checksec.html
https://en.wikipedia.org/wiki/Position-independent_code#Position-independent_executables
https://sourceware.org/binutils/docs/binutils/readelf.html


Impacted Products

Red Hat Product Security has rated this update as having a security impact of Important.

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7 (prior to the 7.4.0 release)
  • Red Hat Enterprise Linux for Realtime (prior to version kernel-rt-3.10.0-693.rt56.617)
  • Red Hat Enterprise MRG 2 (prior to version kernel-rt-3.10.0-693.2.1.rt56.585.el6rt)

Products that are not Impacted

Systems running Red Hat Enterprise Linux 7.4, with kernel versions of kernel-3.10.0-693 or newer, systems running Red Hat Enterprise Linux for Realtime, with kernel versions of kernel-rt-3.10.0-693.rt56.617 or newer, and systems running Red Hat Enterprise MRG-2, with kernel versions of kernel-rt-3.10.0-693.2.1.rt56.585.el6rt or newer are not impacted by this vulnerability.

Red Hat's Linux containers inherit kernel flaws from their host's kernel.  Red Hat recommends that you use the most recent versions of available container images. The Container Health Index, part of the Red Hat Container Catalog, can always be used to verify the security status of your containers.

Attack Description and Impact

The flaw occurs when the kernel attempts to load an ELF executable and it does not correctly calculate the overall size of the required memory.  When the kernel loads segments of the binary, part of the binary can then be mapped into and past the area that is intended to be a gap between the application and the stack, possibly resulting in overlapping parts of the binary with the stack itself.

An attacker would need to craft the binary that is being executed to ensure that the correct size allocations take place and, when the data is corrupted, that it is overlayed with a valid and working payload. While the attacker cannot modify kernel instructions, if the attack runs against a targeted privileged userspace application that is setuid, or has additional user capabilites, it may be possible to gain elevated privileges.

An attacker must have access to a local account on the system; this is not a remote attack.

Diagnose your vulnerability

Determine if your system is vulnerable

Determine if your system is vulnerable. Use the detection script below to determine if your system is currently vulnerable to this flaw. To verify the legitimacy of the script, you can download the detached GPG signature as well. The current version of the script is 1.1.

Take Action

All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to take affect.

Updates for Affected Products

kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available*. Please open a support case to gain access to the kpatch.

For more details about what a kpatch is: Is live kernel patching (kpatch) supported in RHEL 7?

* An active premium subscription entitlement is required to request kpatch.

ProductPackageAdvisory
Red Hat Enterprise Linux 7.3 Extended Update Support**kernelRHSA-2017:2793
Red Hat Enterprise Linux 7.2 Extended Update Support**kernelRHSA-2017:2794
Red Hat Enterprise Linux 6kernelRHSA-2017:2795
Red Hat Enterprise Linux 6.7 Extended Update Support**kernelRHSA-2017:2796
Red Hat Enterprise Linux 6.6 Advanced Update Support***kernelRHSA-2017:2797
Red Hat Enterprise Linux 6.5 Advanced Update Support***kernelRHSA-2017:2798
Red Hat Enterprise Linux 6.4 Advanced Update Support***kernelRHSA-2017:2799
Red Hat Enterprise Linux 6.2 Advanced Update Support***kernelRHSA-2017:2800
Red Hat Enterprise Linux 5 Extended Life SupportkernelRHSA-2017:2801
Red Hat Enterprise Linux 5.9 Advanced Update Support***kernelRHSA-2017:2802

**An active EUS subscription is required for access to this patch.

Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.

What is the Red Hat Enterprise Linux Extended Update Support Subscription?

***An active AUS subscription is required for access to this patch in RHEL AUS.

Mitigation

By setting vm.legacy_va_layout to 1 we can effectively disable the exploitation of this issue by switching to the legacy mmap layout. The mmap allocations start much lower in the process address space and follow the bottom-up allocation model. As such, the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.

64-bit processes on Red Hat Enterprise Linux 5 are forced to use the legacy virtual address space layout regardless of the vm.legacy_va_layout value.

Note: Applications that have demands for a large linear address space (such as certain databases) may be unable to handle the legacy memory layout proposed using this mitigation. We recommend to test your systems and applications before deploying this mitigation on production systems.

Edit the /etc/sysctl.conf file as root, and add or amend:
vm.legacy_va_layout = 1
To apply this setting, run the /sbin/sysctl -p command as the root user to reload the settings from /etc/sysctl.conf.

Verify that vm.legacy_va_layout is now set to defined value:
$ /sbin/sysctl vm.legacy_va_layout
    vm.legacy_va_layout = 1

    If further assistance is needed please contact Red Hat Global Support Services.

    Ansible Playbook

    An Ansible playbook is available. To verify the legitimacy of the script, you can download the detached GPG signature as well.

    The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):

    # ansible-playbook -e HOSTS=hostname cve-2017-1000253-mitigation.yml	

    This playbook requires root privileges and specifies 'become: true', so you will need to use an account with appropriate permissions.

    Comments