Does CVE-2012-0056 affect Red Hat Enterprise Linux and Red Hat Enterprise MRG?

Resolution

Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG

CVE-2012-0056 affects the Linux kernel as shipped with Red Hat Enterprise Linux 6 from version 2.6.32-220.el6 (RHSA-2011:1530) and later, and Red Hat Enterprise MRG from version 2.6.33.9-rt31.75.el6rt (RHSA-2011:1253) and later. (The kernels shipped with RHSA-2011:1530 and RHSA-2011:1253 included a backport of upstream git commit 198214a7.)

Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG are affected by the publicly-circulated exploits with slight modifications.

Interim Workaround

Updates to correct this issue are available. Customers are advised to apply them now. If this is not possible, the SystemTap script provided below can mitigate this issue until updates are applied.

Systems are affected by this issue if they are running Linux kernel version 2.6.32-220.el6 (RHSA-2011:1530) or later on Red Hat Enterprise Linux 6, and 2.6.33.9-rt31.75.el6rt (RHSA-2011:1253) or later on Red Hat Enterprise MRG. If you are not sure if you are running an affected kernel version compile and run the reproducer from https://bugzilla.redhat.com/attachment.cgi?id=556461:

$ gcc -o test test.c
$ ./test
vulnerable

If the Linux kernel you are currently running has backported upstream git commit 198214a7 that introduced the problem, the reproducer will display vulnerable. If your kernel version does not contain this commit, it will display not vulnerable.

If vulnerable, you can follow the steps below to mitigate this issue on both Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG:

1) On the host, save the following SystemTap script in a file with the .stp extension:

probe kernel.function("mem_write@fs/proc/base.c").call {
$count = 0
}

2) Install the systemtap package and any required dependencies. Refer to the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 6 "SystemTap Beginners Guide" document, available from docs.redhat.com, for information on installing the required -debuginfo packages.

3) Run the stap -g [filename-from-step-1].stp command as root.

If the host is rebooted, the changes will be lost and the script must be run again.

For those who want to compile the SystemTap script on a development machine and deploy the compiled kernel module to other machines, you may choose to explore http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/SystemTap_Beginners_Guide/cross-compiling.html. This is useful if the other machines have systemtap-runtime only, and lack a compiler or the required -debuginfo packages.

Also ensure the Address Space Layout Randomization (ASLR) security feature is enabled at all times (it is enabled by default on Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG). This may not prevent attackers from abusing this issue, but it may make an attack a little harder.

Run the following command to determine if ASLR is enabled:

# cat /proc/sys/kernel/randomize_va_space
2

2 is the default value. If it displays ****, ASLR is turned off. If it displays 1 or 2, ASLR is turned on. For more information about the values, refer to http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/sysctl/kernel.txt;h=8c20fbd8b42dd922daa92f223bbefa9ffcc4f8e3;hb=HEAD#l480.

If ASLR is turned off, the following steps will turn it on:

1) Open the /etc/sysctl.conf file, add the following to the end of the file, and then save the change:

kernel.randomize_va_space = 2

2) Run the following command as root to apply the sysctl.conf changes:

# /sbin/sysctl -p

3) Verify ASLR is turned on:

# cat /proc/sys/kernel/randomize_va_space
2

Red Hat Enterprise Linux 4 and 5

CVE-2012-0056 does not affect Red Hat Enterprise Linux 4 and 5, as the kernels shipped with those products do not include a backport of upstream git commit 198214a7.