Local kernel privilege escalation in the HDLC TTY line discipline implementation - CVE-2017-2636

Public Date: March 3, 2017, 15:04
Updated: August 7, 2017, 16:08
Status: Resolved
Impact: Important

Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's implementation of the HDLC (High-Level Data Link Control) TTY line discipline.  The vulnerability has been assigned CVE-2017-2636.  This issue was publicly disclosed on 07-Mar-2017 and has been rated as Important.

Background Information

The kernel's TTY subsystem provides terminal and terminal-like input and output for physically and virtually connected consoles and for some programs.  The kernel supports many terminal types that depend on specific underlying hardware, but the generic functionality may be used across varying terminal types.

The issue lies within the management and handling of the n_hdlc transmission buffer.  In some situations the transmission buffer can be accessed concurrently without synchronization, leading to a situation in which the kernel attempts to free the same area of memory twice.  A local attacker crafting memory allocations of specific sizes could abuse this mechanism to place a kernel function pointer that is then used to execute malicious instructions on behalf of the attacker.

Acknowledgments

Red Hat would like to thank Alexander Popov for reporting this issue.

Red Hat Product Security has rated this update as having a security impact of Important.

Impacted Products

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise MRG 2
  • Red Hat Openshift Online v2
  • Red Hat Virtualization (RHEV-H/RHV-H)
  • RHEL Atomic Host

Attack Description and Impact

This flaw allows an attacker with an account on the local system to potentially elevate privileges.  This class of flaw is commonly referred to as a use-after-free (UAF).  Flaws of this nature are generally exploited by exercising a code path that accesses memory through a pointer that no longer references an in-use allocation because of an earlier free() operation.  An attacker must have access to a local account on the system; this is not a remote attack.

Diagnose your vulnerability

Determine if your system is vulnerable

Use the detection script below to determine if your system is currently vulnerable to this flaw.  To verify the legitimacy of the script, you can download the detached GPG signature as well.  The current version of the script is 1.0.

Take Action

All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available.  Details about impacted packages as well as recommended mitigation are noted below.  A system reboot is required in order for the kernel update to be applied.

Product                                                  | Package   | Advisory
---------------------------------------------------------|-----------|---------------
Red Hat Enterprise Linux 7                               | kernel    | RHSA-2017:0931
Red Hat Enterprise Linux 7                               | kernel-rt | RHSA-2017:0931
Red Hat Enterprise Linux 7.2 Extended Update Support*    | kernel    | RHSA-2017:1125
Red Hat Enterprise Linux 6                               | kernel    | RHSA-2017:0892
Red Hat Enterprise Linux 6.7 Extended Update Support*    | kernel    | RHSA-2017:1233
Red Hat Enterprise Linux 6.6 Advanced Update Support**   | kernel    | RHSA-2017:1488
Red Hat Enterprise Linux 6.5 Advanced Update Support**   | kernel    | RHSA-2017:1232
Red Hat Enterprise Linux 6.4 Advanced Update Support**   | kernel    | RHSA-2017:0986
Red Hat Enterprise Linux 6.2 Advanced Update Support***  | kernel    | RHSA-2017:1126
RHEL Atomic Host                                         | kernel    | repsun
Red Hat Enterprise MRG 2                                 | kernel-rt | RHSA-2017:0932

Updates for Affected Products

*An active EUS subscription is required for access to this patch.

Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.

What is the Red Hat Enterprise Linux Extended Update Support Subscription?

**An active AUS subscription is required for access to this patch in RHEL AUS.

Mitigation

The n_hdlc kernel module is loaded automatically when an application attempts to use the HDLC line discipline from userspace.  The module can be prevented from loading by using the system-wide modprobe rules.  The following command, run as root, will prevent accidental or intentional loading of the module.  Red Hat Product Security believes this is a robust method to prevent accidental loading of the module, even by privileged users.

# echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf

The system will need to be restarted if the n_hdlc module is already loaded.  In most circumstances the n_hdlc module cannot be unloaded while it is in use, that is, while any process still holds this line discipline open.
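The following script is an added example, not Red Hat's detection script or its Ansible playbook.  It ties the "Determine if your system is vulnerable" step to the mitigation above: it reports whether n_hdlc is currently loaded (and its reference count, which tells you whether a reboot is needed), writes the same "install n_hdlc /bin/true" rule to a disable-n_hdlc.conf file, and verifies the rule is present.  The file locations are parameters (defaulting to /proc/modules and /etc/modprobe.d) so the functions can be checked against constructed input; the script name mitigate_n_hdlc.sh is an assumed name.

```shell
#!/bin/sh
# Added example (not Red Hat's script): check n_hdlc state and apply the
# modprobe "install" mitigation from the CVE-2017-2636 advisory.
# MODULES_FILE and MODPROBE_DIR are parameters so the functions can be run
# against constructed input; the defaults are the real system paths.

MODULES_FILE="${MODULES_FILE:-/proc/modules}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"

# Returns 0 if n_hdlc appears in the module list given as $1.
# /proc/modules lines look like: "<name> <size> <refcount> <deps> <state> <addr>"
n_hdlc_loaded() {
    awk '$1 == "n_hdlc" { found = 1 } END { exit !found }' "$1"
}

# Prints the reference count of n_hdlc from the module list $1 (empty if absent).
# A non-zero count means a process still holds the line discipline, so the
# module cannot simply be unloaded and a reboot is needed after mitigating.
n_hdlc_refcount() {
    awk '$1 == "n_hdlc" { print $3 }' "$1"
}

# Returns 0 if the advisory's rule is already present in any .conf under $1.
mitigation_present() {
    grep -qs '^install n_hdlc /bin/true$' "$1"/*.conf
}

# Appends the advisory's rule to disable-n_hdlc.conf under directory $1
# (idempotent: the line is not duplicated) and prints the file path.
# "install n_hdlc /bin/true" makes modprobe run /bin/true instead of loading.
write_mitigation() {
    conf="$1/disable-n_hdlc.conf"
    grep -qs '^install n_hdlc /bin/true$' "$conf" || \
        echo 'install n_hdlc /bin/true' >> "$conf"
    echo "$conf"
}

main() {
    if n_hdlc_loaded "$MODULES_FILE"; then
        echo "n_hdlc is loaded (refcount $(n_hdlc_refcount "$MODULES_FILE"));" \
             "reboot after mitigating so the unfixed module is no longer resident"
    else
        echo "n_hdlc is not loaded"
    fi
    conf=$(write_mitigation "$MODPROBE_DIR")
    echo "mitigation rule written to $conf"
    if mitigation_present "$MODPROBE_DIR"; then
        echo "verified: modprobe will run /bin/true instead of loading n_hdlc"
    fi
    # Dry run (-n) with -v shows the install command modprobe would execute.
    modprobe -n -v n_hdlc 2>/dev/null || true
}

# Run main only when executed directly under the assumed script name,
# not when the file is sourced to call the functions individually.
[ "${0##*/}" = "mitigate_n_hdlc.sh" ] && main
```

Run it as root once per host; after the fixed kernel is installed the disable-n_hdlc.conf file can be removed, as the advisory notes.  The reference-count check is the detail the advisory's reboot guidance hinges on: a loaded module with a non-zero count is held open by a process, so the rule only takes effect for future loads and the running kernel must be restarted.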

Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.

If further assistance is needed, see this KCS article or contact Red Hat Global Support Services.

Ansible Playbook

An Ansible playbook is available.  It mitigates the vulnerability by performing a "fake install" that prevents the vulnerable module from loading, creating a blacklist file at /etc/modprobe.d/disable-n_hdlc.conf.  If the HDLC module is already loaded into the running kernel, the playbook reboots the system; with the blacklist file in place, the module will not be loaded again.  After a fixed package is available and installed, you can remove the file at /etc/modprobe.d/disable-n_hdlc.conf if desired.

The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):

# ansible-playbook -e HOSTS=hostname mitigate_fixit.yml

This playbook requires root privileges and specifies 'become: true', so you will need to use an account with appropriate permissions.
