Linux providers are busy developing and pushing out patches for a vulnerability in an obscure networking protocol that could allow a local attacker to crash the kernel and elevate privileges.
Google software engineer Andrey Konovalov privately disclosed the vulnerability on Monday. The use-after-free bug could expose Linux servers to memory-based attacks that would allow an attacker to gain root-level privileges and execute code. Konovalov said he will give admins a few days to patch before publishing his proof-of-concept exploit.
The upstream Linux kernel has been patched, while Red Hat has patched Red Hat Enterprise Linux 7 and 6 so far; Red Hat said that any server with SELinux enabled is also protected. SUSE says only its older SUSE Linux Enterprise Server 10 is affected and customers with extended support contracts should contact SUSE. Current versions of SUSE Linux Enterprise Server 12 (SP 1 and 2) and 11 are not affected.
The vulnerability, CVE-2017-6074, affects only the IPv6 implementation of the Linux kernel’s Datagram Congestion Control Protocol (DCCP). DCCP is used to manage network traffic congestion on the application layer; it works on both IPv4 and IPv6. No known exploits are in the wild for this bug. In fact, DCCP is largely turned off in most Linux implementations; Red Hat said it combed years’ worth of customer support cases and was unable to find any reports of customers having turned it on.
“I can’t say no one is using it,” said Red Hat security manager Chris Robinson. “But I imagine of the people using it, the population is small. We went through thousands of cases and found no calls or bug reports around it.
“The issue is of concern, but fortunately if you have some good security hygiene and protections in place such as SELinux, a lot of folks should already be mitigating this bug,” Robinson said.
Additional vendor patches are due soon, and in addition to turning on SELinux, admins could create a blacklist rule for the DCCP module. Since an attacker would already have to be on the server to exploit this vulnerability, remote attacks are ruled out. Red Hat said an attack would require that a vulnerable server and client would be running on the same system in order to reference the sk_shared_info struct after it has been freed.
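As an added example (not from the article or from any vendor advisory), the following POSIX shell helpers audit the module-level mitigation mentioned above: they tell a plain `blacklist dccp` line apart from an `install dccp /bin/true` override, which is the stronger form because `blacklist` only ignores the module’s aliases while `install` also stops a load by name, and they flag kernels where DCCP is compiled in (CONFIG_IP_DCCP=y), where no modprobe rule can help and only the patch or SELinux confinement applies. File paths passed as arguments are assumptions; the live-host report assumes `lsmod` and a `/boot/config-$(uname -r)` file.

```shell
#!/bin/sh
# Added example, not the article's or any distribution's own tooling.
# Config files are passed as arguments so the checks also run on samples.

# 0 when the modprobe.d file(s) carry an "install dccp /bin/true|false"
# override, which blocks loading even when dccp is requested by name.
dccp_install_blocked() {
    grep -Eq '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)([[:space:]]|$)' "$@"
}

# 0 when only a "blacklist dccp" line is present: aliases are ignored,
# but an explicit load by module name still succeeds.
dccp_blacklist_only() {
    grep -Eq '^[[:space:]]*blacklist[[:space:]]+dccp([[:space:]]|$)' "$@" \
        && ! dccp_install_blocked "$@"
}

# 0 when the kernel config builds DCCP in; modprobe rules cannot stop
# a built-in protocol, so only patching (or SELinux) applies there.
dccp_builtin() {
    grep -q '^CONFIG_IP_DCCP=y' "$1"
}

# Append the install override to the given file unless already present.
write_dccp_override() {
    dccp_install_blocked "$1" 2>/dev/null || printf 'install dccp /bin/true\n' >> "$1"
}

# Human-readable summary for the running host (assumes lsmod and /boot/config-*).
dccp_report() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && dccp_builtin "$cfg"; then
        echo "DCCP built into kernel: modprobe rules do not apply"
    elif lsmod 2>/dev/null | grep -q '^dccp'; then
        echo "dccp module currently loaded"
    else
        echo "dccp module not loaded"
    fi
    if dccp_install_blocked /etc/modprobe.d/*.conf 2>/dev/null; then
        echo "install override present"
    elif dccp_blacklist_only /etc/modprobe.d/*.conf 2>/dev/null; then
        echo "blacklist only: module can still be loaded by name"
    else
        echo "no modprobe rule for dccp"
    fi
}
```

Run `dccp_report` as root on a host to see which of the three states it is in; `write_dccp_override /etc/modprobe.d/disable-dccp.conf` adds the override without duplicating it on repeated runs.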
“An exploit would only work if IPv6 is enabled with DCCP,” Robinson said. “An attacker would be able to insert malicious code and crash the kernel or allow them to overwrite memory. If they were smart, they could execute other things.”
Given the available mitigations and the limitations on the attack, the severity of this vulnerability pales in comparison to recent Linux issues such as the Dirty Cow vulnerability. Dirty Cow was present in the Linux code for close to a decade, and it too gave local attackers root privileges by exploiting a race condition that allowed write access to read-only memory. The bug was found in the copy-on-write feature in Linux and allowed local attackers to modify on-disk binaries and bypass permission mechanisms that would prevent such modifications.
“This is definitely not as bad as Dirty Cow,” Robinson said. “Customers need to patch it and check if they’re protected. Dirty Cow’s probability of something bad happening was much higher. [DCCP] is an esoteric package with not a lot of adoption or development over the years. This played to our advantage; most folks had it off and were not using it.”