Local kernel privilege escalation in the HDLC TTY line discipline implementation - CVE-2017-2636
Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's implementation of the HDLC (High-Level Data Link Control) TTY line discipline. The vulnerability has been assigned CVE-2017-2636. This issue was publicly disclosed on 07-Mar-2017 and has been rated as Important.
Background Information
The kernel's TTY subsystem is used for terminal and terminal-like input and output to physical and virtual consoles and to some programs. The kernel supports many terminal types that have underlying hardware requirements, but the generic functionality may be used across varying terminal types.
The issue lies in the management and handling of the n_hdlc transmit buffer. In some situations the transmit buffer can be accessed concurrently without synchronization, leading to a situation in which the kernel attempts to free the same area of memory twice. A local attacker who can influence the size of kernel memory allocations could abuse this double free to place a kernel function pointer under their control, causing malicious instructions to be executed on the attacker's behalf.
Acknowledgments
Red Hat would like to thank Alexander Popov for reporting this issue.
Red Hat Product Security has rated this update as having a security impact of Important.
Impacted Products
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise MRG 2
- Red Hat Openshift Online v2
- Red Hat Virtualization (RHEV-H/RHV-H)
- RHEL Atomic Host
Attack Description and Impact
This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as UAF (Use After Free). Flaws of this nature are generally exploited by exercising a code path that accesses memory via a pointer that no longer references an in-use allocation because of an earlier free() operation. An attacker must have access to a local account on the system; this is not a remote attack.
Diagnose your vulnerability
Take Action
All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.
Updates for Affected Products

Product | Package | Advisory
---|---|---
Red Hat Enterprise Linux 7 | kernel | RHSA-2017:0931
Red Hat Enterprise Linux 7 | kernel-rt | RHSA-2017:0931
Red Hat Enterprise Linux 7.2 Extended Update Support* | kernel | RHSA-2017:1125
Red Hat Enterprise Linux 6 | kernel | RHSA-2017:0892
Red Hat Enterprise Linux 6.7 Extended Update Support* | kernel | RHSA-2017:1233
Red Hat Enterprise Linux 6.6 Advanced Update Support** | kernel | RHSA-2017:1488
Red Hat Enterprise Linux 6.5 Advanced Update Support** | kernel | RHSA-2017:1232
Red Hat Enterprise Linux 6.4 Advanced Update Support** | kernel | RHSA-2017:0986
Red Hat Enterprise Linux 6.2 Advanced Update Support*** | kernel | RHSA-2017:1126
RHEL Atomic Host | kernel | respin
Red Hat Enterprise MRG 2 | kernel-rt | RHSA-2017:0932
*An active EUS subscription is required for access to this patch.
Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.
**An active AUS subscription is required for access to this patch in RHEL AUS.
Mitigation
The n_hdlc kernel module will be automatically loaded when an application attempts to use the HDLC line discipline from userspace. This module can be prevented from being loaded by using the system-wide modprobe rules. The following command, run as root, will prevent accidental or intentional loading of the module. Red Hat Product Security believes this is a robust method to prevent accidental loading of the module, even by privileged users.
# echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf
The system will need to be restarted if the n_hdlc module is already loaded. In most circumstances the n_hdlc module cannot be unloaded while it is in use, that is, while any running process still has this line discipline attached.
Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.
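The following POSIX shell script is an added example, not Red Hat's own script or the Ansible playbook mentioned below. It applies the modprobe "install" rule from the mitigation above, makes the write idempotent, and reports whether a reboot is still needed because n_hdlc is already loaded. The MODULES_FILE and MODPROBE_DIR variables and the APPLY_N_HDLC_MITIGATION guard are assumptions added so the functions can be exercised against constructed input before being run for real as root.

```shell
#!/bin/sh
# Added example (not Red Hat's script): apply and verify the n_hdlc
# modprobe block rule. MODULES_FILE and MODPROBE_DIR default to the real
# system locations but can be overridden for testing (assumption).

MODULE="n_hdlc"
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
CONF_FILE="disable-${MODULE}.conf"
RULE="install ${MODULE} /bin/true"

# Return 0 when the module appears in the loaded-module list ($1).
# Each /proc/modules line starts with the module name and a space.
module_loaded() {
    grep -qs "^${MODULE} " "$1"
}

# Return 0 when the block rule is already present in directory $1.
rule_present() {
    grep -qsxF "$RULE" "$1/$CONF_FILE"
}

# Append the block rule to directory $1, unless it is already there.
write_block_rule() {
    dir="$1"
    mkdir -p "$dir"
    if rule_present "$dir"; then
        return 0
    fi
    printf '%s\n' "$RULE" >> "$dir/$CONF_FILE"
}

# Apply the rule and print "reboot-required" if the module is currently
# loaded (the rule only stops future loads), otherwise print "ok".
apply_mitigation() {
    write_block_rule "$MODPROBE_DIR"
    if module_loaded "$MODULES_FILE"; then
        echo "reboot-required"
    else
        echo "ok"
    fi
}

# Only touch the real system when explicitly asked (run as root):
#   APPLY_N_HDLC_MITIGATION=1 sh mitigate_n_hdlc.sh
if [ "${APPLY_N_HDLC_MITIGATION:-0}" = "1" ]; then
    apply_mitigation
fi
```

After applying the rule on a real host, `modprobe -n -v n_hdlc` should show the `/bin/true` install command instead of the module path, which confirms the override is in effect; a host that prints "reboot-required" still has the vulnerable module resident until it is restarted.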
If further assistance is needed, see this KCS article or contact Red Hat Global Support Services.
Ansible Playbook
An Ansible playbook is available. This will mitigate the vulnerability, performing a "fake install" to prevent the vulnerable module from loading by creating a blacklist file at /etc/modprobe.d/disable-n_hdlc.conf. If the HDLC module is already loaded into the running kernel, it will reboot the system. With the blacklist file in place, this will ensure the module isn't loaded. After a fixed package is available and installed, you can remove the file at /etc/modprobe.d/disable-n_hdlc.conf if desired.
The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):
# ansible-playbook -e HOSTS=hostname mitigate_fixit.yml
This playbook requires root privileges and specifies 'become: true', so you will need to use an account with appropriate permissions.