Does CVE-2012-0056 affect Red Hat Enterprise Linux and Red Hat Enterprise MRG?


Environment

  • Red Hat Enterprise Linux (RHEL) 6
  • Red Hat Enterprise MRG Realtime 2
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 4

Issue

The flaw identified by CVE-2012-0056 (Red Hat Bugzilla 782642) is an issue in the handling of writes to /proc/pid/mem: the Linux kernel, from version v2.6.39-rc1 onward (at the time of writing), did not properly check permissions on the write path. A local, unprivileged user could use this flaw to escalate their privileges.

Resolution

Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG

CVE-2012-0056 affects the Linux kernel as shipped with Red Hat Enterprise Linux 6 from version 2.6.32-220.el6 (RHSA-2011:1530) and later, and Red Hat Enterprise MRG from version 2.6.33.9-rt31.75.el6rt (RHSA-2011:1253) and later. (The kernels shipped with RHSA-2011:1530 and RHSA-2011:1253 included a backport of upstream git commit 198214a7.)

Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG are affected by the publicly-circulated exploits with slight modifications.

Interim Workaround

Updates to correct this issue are available. Customers are advised to apply them now. If this is not possible, the SystemTap script provided below can mitigate this issue until updates are applied.

Systems are affected by this issue if they are running Linux kernel version 2.6.32-220.el6 (RHSA-2011:1530) or later on Red Hat Enterprise Linux 6, or 2.6.33.9-rt31.75.el6rt (RHSA-2011:1253) or later on Red Hat Enterprise MRG, without the updates listed in the Solution section below. If you are not sure whether you are running an affected kernel version, compile and run the reproducer from https://bugzilla.redhat.com/attachment.cgi?id=556461:

$ gcc -o test test.c
$ ./test
vulnerable

If the kernel you are currently running has backported upstream git commit 198214a7, which introduced the problem, the reproducer will display vulnerable. If your kernel does not contain this commit, it will display not vulnerable.
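The two checks an administrator wants at this point, as an added example that is not Red Hat's reproducer (the attachment above) or any Red Hat code: a comparison of the running kernel release against the advisory's affected range, and a probe of whether the kernel accepts writes to /proc/self/mem at all, which is the behaviour commit 198214a7 introduced and the signal the reproducer keys on. Two things are assumed rather than taken from this page: the fixed Red Hat Enterprise Linux 6 kernel release 2.6.32-220.4.1.el6 used in main(), taken from RHSA-2012:0052 and to be confirmed against that advisory, and the simplified release comparison, which is not rpmvercmp and is only meant for kernels of one product line.

```c
/* Added example, not Red Hat's reproducer (attachment 556461) or any Red Hat
 * code. release_in_window() tells whether a kernel release lies in the
 * advisory's [first affected, fixed) range; probe_self_mem_write() tells
 * whether the kernel accepts write(2) on /proc/self/mem at all, the behaviour
 * upstream commit 198214a7 (re)introduced and that the reproducer keys on.
 * Assumption: the fixed release 2.6.32-220.4.1.el6 used in main() is taken
 * from RHSA-2012:0052 and should be confirmed against the advisory. */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#include <unistd.h>

/* "2.6.32-220.4.1.el6.x86_64" -> 2,6,32,220,4,1: stops at the ".el" dist tag so
 * "el6"/"x86_64" never take part. Simplified rpmvercmp, fine within one kernel line. */
static int release_segments(const char *rel, unsigned long *seg, int max)
{
    const char *end = strstr(rel, ".el");
    int n = 0;
    if (!end)
        end = rel + strlen(rel);
    while (rel < end && n < max) {
        char *next;
        if (!isdigit((unsigned char)*rel)) { rel++; continue; }
        seg[n++] = strtoul(rel, &next, 10);
        rel = next;
    }
    return n;
}

/* strcmp-like; missing trailing segments are 0, so "...-220.el6" < "...-220.4.1.el6" */
static int release_cmp(const char *a, const char *b)
{
    unsigned long sa[16] = {0}, sb[16] = {0};
    int na = release_segments(a, sa, 16), nb = release_segments(b, sb, 16);
    for (int i = 0; i < (na > nb ? na : nb); i++)
        if (sa[i] != sb[i])
            return sa[i] < sb[i] ? -1 : 1;
    return 0;
}

/* 1 if first_affected <= running < fixed, else 0 */
int release_in_window(const char *running, const char *first_affected, const char *fixed)
{
    return release_cmp(running, first_affected) >= 0 && release_cmp(running, fixed) < 0;
}

enum mem_write_result {
    MEM_WRITE_REJECTED = 0, /* write() -> EINVAL: no mem_write op, commit absent */
    MEM_WRITE_NOOP = 1,     /* write() -> 0 bytes: what the SystemTap script forces */
    MEM_WRITE_ACCEPTED = 2, /* bytes copied and our variable was patched */
    MEM_WRITE_ERROR = 3,    /* something else failed; errno in *err */
};

/* volatile: the kernel, not this code, changes it behind the compiler's back */
static volatile unsigned int marker = 0x41414141u;

/* Patches a variable in this process through /proc/self/mem. "Accepted" means
 * the write path exists, not that the kernel is still vulnerable: a kernel with
 * the RHSA fix also accepts writes to the caller's own memory. */
enum mem_write_result probe_self_mem_write(int *err)
{
    const unsigned int patch = 0x42424242u;
    int fd = open("/proc/self/mem", O_RDWR), saved;
    ssize_t n;

    marker = 0x41414141u;
    if (fd < 0) {
        if (err) *err = errno;
        return MEM_WRITE_ERROR;
    }
    n = pwrite(fd, &patch, sizeof patch, (off_t)(uintptr_t)&marker); /* offset = address */
    saved = errno;
    close(fd);
    if (err) *err = n < 0 ? saved : 0;
    if (n < 0)
        return saved == EINVAL ? MEM_WRITE_REJECTED : MEM_WRITE_ERROR;
    if (n == 0)
        return MEM_WRITE_NOOP;
    return marker == patch ? MEM_WRITE_ACCEPTED : MEM_WRITE_ERROR;
}

int main(void)
{
    static const char *what[] = { "rejected (EINVAL)", "accepted, 0 bytes copied",
                                  "accepted, variable patched", "error" };
    struct utsname u;
    int err = 0, r;

    if (uname(&u) == 0)
        printf("kernel %s is %s [2.6.32-220.el6, 2.6.32-220.4.1.el6)\n", u.release,
               release_in_window(u.release, "2.6.32-220.el6", "2.6.32-220.4.1.el6") ? "inside" : "outside");
    r = probe_self_mem_write(&err);
    printf("write to /proc/self/mem: %s (errno %d)\n", what[r], err);
    return r == MEM_WRITE_ERROR;
}
```

Build with gcc and run it as an unprivileged user. A release "inside" the window together with "accepted, variable patched" means the update has not been applied. "accepted, 0 bytes copied" is what the probe reports while the SystemTap script from the Interim Workaround section is running, since that script forces the byte count to zero. "rejected (EINVAL)" is the pre-198214a7 behaviour, where /proc/pid/mem has no write operation at all. Because a fixed kernel still accepts writes to the caller's own memory, the release comparison, not the write probe, is the final word on whether the RHSA update is installed.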

If vulnerable, you can follow the steps below to mitigate this issue on both Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG:

1) On the host, save the following SystemTap script in a file with the .stp extension:

# Guru-mode (stap -g) probe: on entry to mem_write() in fs/proc/base.c, force
# the requested byte count to zero so the copy loop runs no iterations and the
# write returns 0 bytes without touching the target process's memory.
probe kernel.function("mem_write@fs/proc/base.c").call {
    $count = 0
}

2) Install the systemtap package and any required dependencies. Refer to the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 6 "SystemTap Beginners Guide" document, available from docs.redhat.com, for information on installing the required -debuginfo packages.

3) Run the stap -g [filename-from-step-1].stp command as root.

If the host is rebooted, the changes will be lost and the script must be run again.

If you want to compile the SystemTap script on a development machine and deploy the compiled kernel module to other machines, see http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/SystemTap_Beginners_Guide/cross-compiling.html. This is useful when the other machines have only systemtap-runtime installed and lack a compiler or the required -debuginfo packages. The development machine needs the kernel-devel and -debuginfo packages for the exact kernel release running on the target machines, since the module is built against that kernel.

Also ensure the Address Space Layout Randomization (ASLR) security feature is enabled at all times (it is enabled by default on Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG). This may not prevent attackers from abusing this issue, but it may make an attack a little harder.

Run the following command to determine if ASLR is enabled:

# cat /proc/sys/kernel/randomize_va_space
2

2 is the default value. If it displays 0, ASLR is turned off. If it displays 1 or 2, ASLR is turned on. For more information about the values, refer to http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/sysctl/kernel.txt;h=8c20fbd8b42dd922daa92f223bbefa9ffcc4f8e3;hb=HEAD#l480.

If ASLR is turned off, the following steps will turn it on:

1) Open the /etc/sysctl.conf file, add the following to the end of the file, and then save the change:

kernel.randomize_va_space = 2

2) Run the following command as root to apply the sysctl.conf changes:

# /sbin/sysctl -p

3) Verify ASLR is turned on:

# cat /proc/sys/kernel/randomize_va_space
2

Red Hat Enterprise Linux 4 and 5

CVE-2012-0056 does not affect Red Hat Enterprise Linux 4 and 5, as the kernels shipped with those products do not include a backport of upstream git commit 198214a7.

Root Cause

This issue was introduced through upstream git commit 198214a7. That commit re-enabled the mem_write() function, on the grounds that other changes in the kernel had made writing to /proc/pid/mem safe. It was later found that the permission checks on /proc/pid/mem writes were insufficient, and a local, unprivileged user could use this flaw to escalate their privileges.

Solution

This issue has been fixed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via the Red Hat Security Advisories RHSA-2012:0052 and RHSA-2012:0061 respectively.

Comments

If you require assistance with mitigating this issue, please contact Red Hat Support: https://access.redhat.com/support/contact/technicalSupport.html.

Revision History

2012-01-24: Article updated to reflect the release of the Red Hat Security Advisory RHSA-2012:0052, which fixes the CVE-2012-0056 flaw for Red Hat Enterprise Linux 6. The article was also updated to provide more information about generating a SystemTap kernel module for other computers, and to clarify that the publicly-circulated exploits do not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG at the time of writing.

2012-01-25: Article updated to reflect the release of the Red Hat Security Advisory RHSA-2012:0061, which fixes the CVE-2012-0056 flaw for Red Hat Enterprise MRG. The article was also updated to clarify that the publicly-circulated exploits do affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG with slight modifications.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
