Mutagen Astronomy - Local privilege escalation - CVE-2018-14634
Updated -
- Status: Ongoing
- Impact: Important
Red Hat has been made aware of a privilege escalation flaw in the Linux kernel regarding ELF page table code.
Background information
Mutagen Astronomy is the codename for a local user privilege escalation flaw. Setuid binaries usually sanitize or clear environment variables which can be used to override built-in functions with attacker-controlled functions at runtime. However, this system-logic flaw allows process arguments to overwrite system environment variables. By hijacking these functions, an attacker can execute their own code, take control of the setuid binary, and execute commands at the elevated privilege level.
For a system to be vulnerable to this flaw, it must have:
- More than 16GB of RAM.
- A 64-bit kernel.
Acknowledgements
Red Hat would like to thank Qualys for reporting these flaws.
Additional References
Qualys advisory https://www.qualys.com/2018/09/25/cve-2018-14634/mutagen-astronomy-integer-overflow-linux-create_elf_tables-cve-2018-14634.txt
Red Hat Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14634
Impacted Products
- Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt)
- Red Hat Enterprise Linux 7 (kernel)
- Red Hat Enterprise MRG 2
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6
Currently, there are no known flaw reproducers for Red Hat Enterprise Linux 5.
Red Hat customers running affected versions of the Red Hat products are strongly recommended to update them as soon as errata are available. Customers are urged to apply the appropriate updates immediately.
Updates for Affected Products
| Product | Package | Advisory/Update |
|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | RHSA-2018:2846 |
| Red Hat Enterprise Linux for Real Time 7 | kernel-rt | RHSA-2018:2763 |
| Red Hat Enterprise Linux 7 | kernel | RHSA-2018:2748 |
Mitigation
The flaw can be mitigated by reducing the hard stack limit usable by all users in the system. You can do so by modifying the system-wide limits and restarting the system. One adverse side effect is that limiting the stack may crash some large-stack programs. Fortunately, it is uncommon that an application hits this limit.
vi /etc/security/limits.conf
* hard stack 30720
A SystemTap script provided in BZ#1624498 does mitigate the provided exploit, but changing the limits system-wide is a more comprehensive solution.
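The check below is an added example, not part of Red Hat's advisory: it tests the two conditions listed under Background information and whether the hard stack limit is at or below the 30720 value given above. The function names and the `--host` flag are hypothetical, and the script does not check whether the kernel errata are installed.

```sh
#!/bin/sh
# Added example (not Red Hat's code): classify a host against the advisory's
# two preconditions and its stack-limit mitigation.
MIT_STACK_KB=30720                       # "* hard stack 30720" from the Mitigation section
RAM_THRESHOLD_KB=$((16 * 1024 * 1024))   # 16GB in kB, the unit used by /proc/meminfo

# meets_preconditions ARCH MEMTOTAL_KB
# Succeeds only for a 64-bit kernel architecture with more than 16GB of RAM.
meets_preconditions() {
    case "$1" in
        x86_64|aarch64|ppc64|ppc64le|s390x) ;;   # 64-bit `uname -m` values
        *) return 1 ;;
    esac
    [ "$2" -gt "$RAM_THRESHOLD_KB" ]
}

# stack_limit_ok HARD_LIMIT
# Succeeds when the hard stack limit (kB) is numeric and <= the mitigation value.
stack_limit_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # "unlimited", empty or malformed: not mitigated
    esac
    [ "$1" -le "$MIT_STACK_KB" ]
}

# assess ARCH MEMTOTAL_KB HARD_STACK -> prints one classification word
assess() {
    if ! meets_preconditions "$1" "$2"; then
        echo "preconditions-not-met"
    elif stack_limit_ok "$3"; then
        echo "mitigated"
    else
        echo "mitigation-missing"
    fi
}

# With --host, read the live values. MemTotal is slightly below installed RAM,
# and `ulimit -H -s` reports the limit of the current session only.
if [ "${1:-}" = "--host" ]; then
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null) || mem_kb=0
    assess "$(uname -m)" "${mem_kb:-0}" "$(ulimit -H -s)"
fi
```

Run it with `--host` from a fresh login session after changing the limits, since an already-open session keeps the limit it started with.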
