Critical Linux kernel vmsplice security issues
There have been 2 significant security flaws found in the Linux kernel, accompanied by plenty of misinformation and confusion. This is my attempt to clear things up a bit.
The short story: If you are running Linux 2.6.17 or newer then any user who has local console or SSH terminal access to your machine can easily become root or crash the system. If this is a problem for you, then you need to upgrade to gentoo-sources-2.6.23-r8 or gentoo-sources-2.6.24-r2. At the time of writing, there are no official released upstream kernels which solve the issues – Linux 2.6.24.1 and 2.6.23.15 are vulnerable.
The longer story:
There are actually two separate security issues in question here. However, they both have the same impact (any user can adjust kernel memory and hence become root), and both issues exist within the implementation of the vmsplice() system call. vmsplice() was added in Linux 2.6.17 and is built into every kernel build – there is no configuration option to exclude vmsplice. Two separate exploits have been publicly released, one for each of the two issues.
The first security issue under discussion was added in Linux 2.6.23 (obviously unintentionally!). This means that 2.6.22 and older are not vulnerable to the first exploit. This issue was fixed by a patch included in Linux 2.6.23.15 and Linux 2.6.24.1. This vulnerability has been classified with two codes: CVE-2008-0009 and CVE-2008-0010.
The second security issue is more serious. Firstly, it has existed for the entire lifetime of vmsplice() which means that any kernel version 2.6.17 or newer is vulnerable. Secondly, it is not fixed in any upstream kernel release at time of writing, but the fix has been merged into Linus’ upstream development tree. This vulnerability has been assigned ID CVE-2008-0600.
gentoo-sources-2.6.23-r7 and gentoo-sources-2.6.24-r1 include the fix for the first issue, but are still vulnerable to the second (which is equally serious).
gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 include the fix for the second issue and are hence secured against all known vmsplice exploits at this point in time. 2.6.23-r8 will be marked stable when I wake up 7-8 hours from now, so testing of that release would be appreciated.
UPDATE: gentoo-sources-2.6.23-r8 is now stable, and upstream have also released the following which fix all currently known issues: Linux 2.6.23.16, 2.6.24.2 and 2.6.25-rc1.
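The version ranges above are fiddly enough that it helps to encode them once. The following shell script is an added example and not part of the original post: it classifies a kernel version string (by default the output of uname -r) against the two issues as the post and its UPDATE describe them, and also recognises the gentoo-sources revisions the post names. It assumes that gentoo-sources kernels report a version of the form "2.6.23-gentoo-r8" (EXTRAVERSION carrying the ebuild revision); that format is an assumption, not something the post states.

```shell
#!/bin/sh
# Classify a Linux kernel version against the two vmsplice issues described in
# the post. Ranges taken from the post (including its UPDATE):
#   CVE-2008-0009/0010: introduced in 2.6.23, fixed in 2.6.23.15 and 2.6.24.1
#   CVE-2008-0600:      present since 2.6.17, fixed in 2.6.23.16, 2.6.24.2, 2.6.25-rc1
#   gentoo-sources:     -r7/-r1 fix the first issue only, -r8/-r2 fix both

# Keep only the leading dotted number, e.g. "2.6.24.1-gentoo-r2" -> "2.6.24.1".
numeric_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p'
}

# Print the Nth dot-separated field of a version, or 0 if it is absent.
vfield() {
    field=$(printf '%s\n' "$1" | cut -d. -f"$2")
    printf '%s\n' "${field:-0}"
}

# Extract a gentoo-sources ebuild revision from "X.Y.Z-gentoo-rN" (assumed format).
gentoo_rev() {
    printf '%s\n' "$1" | sed -n 's/.*-gentoo-r\([0-9][0-9]*\).*/\1/p'
}

# Prints one of: not-affected, fixed, vulnerable:<CVE list>, unparseable.
# Exit status: 0 not affected or fixed, 1 vulnerable, 2 unparseable.
vmsplice_status() {
    both="vulnerable:CVE-2008-0009,CVE-2008-0010,CVE-2008-0600"
    second_only="vulnerable:CVE-2008-0600"

    v=$(numeric_version "$1")
    if [ -z "$v" ]; then
        echo unparseable
        return 2
    fi

    # gentoo-sources ships the fixes as ebuild revisions of the same base version.
    rev=$(gentoo_rev "$1")
    if [ -n "$rev" ]; then
        case "$v" in
            2.6.23)
                [ "$rev" -ge 8 ] && { echo fixed; return 0; }
                [ "$rev" -eq 7 ] && { echo "$second_only"; return 1; }
                echo "$both"; return 1 ;;
            2.6.24)
                [ "$rev" -ge 2 ] && { echo fixed; return 0; }
                [ "$rev" -eq 1 ] && { echo "$second_only"; return 1; }
                echo "$both"; return 1 ;;
        esac
    fi

    major=$(vfield "$v" 1); minor=$(vfield "$v" 2)
    patch=$(vfield "$v" 3); sub=$(vfield "$v" 4)

    # Before 2.6.17 there is no vmsplice(); from 2.6.25 on the fix is merged.
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 6 ]; }; then
        echo not-affected; return 0
    fi
    if [ "$major" -gt 2 ] || [ "$minor" -gt 6 ] || [ "$patch" -ge 25 ]; then
        echo fixed; return 0
    fi
    if [ "$patch" -lt 17 ]; then
        echo not-affected; return 0
    fi

    case "$patch" in
        23) # .15 fixed the first issue, .16 the second
            if [ "$sub" -lt 15 ]; then echo "$both"; return 1
            elif [ "$sub" -eq 15 ]; then echo "$second_only"; return 1
            else echo fixed; return 0; fi ;;
        24) # .1 fixed the first issue, .2 the second
            if [ "$sub" -lt 1 ]; then echo "$both"; return 1
            elif [ "$sub" -eq 1 ]; then echo "$second_only"; return 1
            else echo fixed; return 0; fi ;;
        *)  # 2.6.17 .. 2.6.22: only the older issue applies
            echo "$second_only"; return 1 ;;
    esac
}

# Check the running kernel, or the version given as the first argument.
kver="${1:-$(uname -r)}"
echo "$kver: $(vmsplice_status "$kver")"
```

The version string is only a proxy: any distribution that backports the patches without bumping the upstream point release will be reported as vulnerable by this check even though it is fixed, so treat a "vulnerable" result as a prompt to verify against your vendor's advisory rather than as proof.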
February 11th, 2008 at 2:50 am
It is always good to see a post that gives info that is clear and to the point. Thanks m8.
February 11th, 2008 at 3:41 am
Thanks for the hard work. I wasn’t aware of the first issue, although the second has made quite a splash lately. Simple testing of 2.6.24-r2 shows it works fine, stable ahoy!
February 11th, 2008 at 6:54 am
For the record, grsec/pax seems to be immune from this bug on a wide array of tested machines.
February 11th, 2008 at 9:37 am
[...] contain the necessary fixes and are already “stable” for x86/amd64. Daniel Drake summarises the bug description and the affected versions in detail [...]
February 11th, 2008 at 10:05 am
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.2 should fix CVE-2008-0600.
February 11th, 2008 at 12:25 pm
kernel 2.6.23-grml addressing CVE-2008-0009/10 available…
Kernel 2.6.23-grml.06 is available in the grml repository. It includes latest stable patch 2.6.23.16 which addresses the well known root exploits from CVE-2008-0009/10 (see bugzilla #9924 and debian BTS #464953 and dsd’s detailed explanation for furth…
February 11th, 2008 at 4:31 pm
“there is no configuration option to exclude vmsplice”
Really?
$ ./disable-vmsplice-if-exploitable
PAGE_SIZE: 4096
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7db6000 .. 0xb7de8000
[-] vmsplice: Function not implemented
$ uname -a
Linux xxxx 2.6.24-gentoo #8 SMP PREEMPT Fri Feb 8 15:34:20 CET 2008 i686 Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz GenuineIntel GNU/Linux
February 11th, 2008 at 5:30 pm
That’s not a configuration option. And, I haven’t tried myself, but I’ve seen a few reports that that runtime hack can also cause the kernel to crash (not surprising given that the exploit does the same sometimes)
February 11th, 2008 at 7:24 pm
[...] on the other hosts, unfortunately, things did not look so good. Daniel Drake and Tobi had already described the hole well. The exploit is, if you have a local [...]
February 11th, 2008 at 8:59 pm
[...] started writing a summary of the two recent Linux 2.6 locals but then found Daniel Drake’s weblog – he’s done an excellent job of pulling all the relevant bits [...]
February 12th, 2008 at 9:17 pm
[...] are some Critical Linux kernel vmsplice security issues that hopefully have been patched properly. Fortunately the kernel on this server is too old to be [...]
February 13th, 2008 at 8:50 pm
> # KingTaco Says:
> February 11th, 2008 at 6:54 am
>
> For the record, grsec/pax seems to be immune from this bug on a wide array of tested machines.
As far as I’m aware the attack only fails to achieve its intended goal if PAX_MEMORY_UDEREF is enabled (which is not supported on x86_64 arch). Even then, the PaX author has warned that stack corruption can occur leading to strange behaviour or crashes later. So let us not be lulled into a false sense of security. Hardened kernel users should upgrade to 2.6.23-r7 which contains the appropriate fixes.