Originally, the bug was deemed a mild memory problem, but it has only recently been discovered to be much worse than that.
The bug was first discovered by Google security researcher Michael Davidson in 2015. Then, the bug was not classed as a security threat. However, security researchers at Qualys said that “all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.”
Initially the bug was thought to cause only a memory crash, but researchers said that “an unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.”
Hackers can exploit the flaw via a malicious ELF file constructed as a Position-Independent Executable (PIE). When the file is loaded into memory, the kernel fails to allocate enough memory.
“The loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system,” according to an advisory issued by Red Hat.
The bug received a patch in 2015, at the time it wasn't thought of as an attack vector for hackers. This led to fixes not being part of Linux Long-Term Releases. These releases only get updates when flaws are categorised as security issues.
The vulnerability, CVE-2017-1000253, won't affect systems running up to date kernel, but will affect server systems running on older versions. It also has a CVSSv3 severity score of 7.8 out 10.
“Linux distributions that have not patched their long-term kernels with
The problem has led to Red Hat, CentOS and Debian rushing out updates for older distributions where kernel 3.x is still used.Mark James, security specialist at ESET, told SC Media UK, that as skillsets develop and boundaries are pushed, it's not unusual for seemingly low rated vulnerabilities to be exploited and moved to high risk.
“Of course, any risk should be patched, but you have to look at time and effort relating to risk- with as many vulnerabilities as we, see from all types of software, the developers have to prioritise. The bad guys will, and often do, find ways to manipulate software to do what they need to do - if someone manages to exploit this vulnerability, they could in some instances elevate their privileges. This would enable them to effectively have complete control over the system to do as they please,” he said.“Software is an ever-changing threat landscape - the only way to stay safer is to ensure patches are installed as soon as available and try (where possible) to have installed the very latest versions of the core operating systems. In this particular case, until a patch is available, affected users can switch to the legacy map layout by setting vm.legacy_va_layout to 1, this in effect will disable said exploit.”
Chris Day, CSO at Cyxtera told SC Media UK that It is a subtle bug and when originally patched wasn't considered a security patch, hence it wasn't pushed out as such nor distributed into long-term distributions such as CentOS.
“Any attack that allows a local, low privilege user/process to escalate privilege can have wide reaching implications. For example, this exploit coupled with a different, remote execution attack that previously resulted in low privilege access could then turn that attack into something far worse,” he said.He added that organisations should monitor for stack crashes as this exploit is ‘delicate' and if used against the wrong kernel, will cause a crash. “Multiple crashes should be investigated as highly suspicious until patched,” he added.