CVE-2017-6074 – a new 11-year old Linux Kernel flaw discovered

Security expert discovered a new 11-year old privilege escalation vulnerability, tracked as CVE-2017-6074, in the Linux kernel.

A new privilege escalation vulnerability, tracked as CVE-2017-6074, has been discovered in the Linux kernel and the astonishing new is that it is an 11-year old flaw.

The local privilege-escalation vulnerability, discovered by security researcher Andrey Konovalov, affects all the major Linux distro, including Debian, OpenSUSE, Redhat, and Ubuntu.

The flaw discovered by Konovalov resides in the DCCP (Datagram Congestion Control Protocol) implementation using Syzkaller that is a kernel fuzzing tool released by Google.

The Datagram Congestion Control Protocol (DCCP) is a message-oriented transport layer protocol that implements reliable connection setup, maintenance, and teardown, of an unreliable packet flow, and the congestion control of that packet flow.

The flaw is a use-after-free vulnerability in the way the Linux kernel’s “DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.”

“In the current DCCP implementation an skb for a DCCP_PKT_REQUEST
packet is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns [3].” reads the description of the flaw published on the full disclosure mailing list.

“However, if IPV6_RECVPKTINFO is set on a socket, the address of the
skb is saved to ireq->pktopts and the ref count for skb is incremented
in dccp_v6_conn_request [4], so skb is still in use. Nevertheless, it
still gets freed in dccp_rcv_state_process.”

An attacker can control an object and overwrite its content with a pointer to a execute arbitrary code in the Kernel.

“An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel,” full disclosure mailing list about the vulnerability reads.

It is important to highlight that the CVE-2017-6074 flaw is a local issue that could not be exploited by a remote attacker. In order to exploit the flaw, an attacker needs to have a local account access on the system.

The CVE-2017-6074 vulnerability has already been patched in the mainline kernel, users can apply the patch and rebuild the kernel of their OS or they can wait for the next kernel update from their Linux distro provider.

In December 2016, security experts discovered another privilege-escalation vulnerability in Linux kernel, tracked as CVE-2016-8655, that dated back to 2011.

The flaw was discovered by the security expert Phil Oester who dubbed it ‘Dirty COW.‘ The flaw could be exploited by a local attacker to escalate privileges.

The name “Dirty COW” is due to the fact that it’s triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-6074, Linux)

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.