CVE-2017-6074 – a new 11-year old Linux Kernel flaw discovered

Security expert discovered a new 11-year old privilege escalation vulnerability, tracked as CVE-2017-6074, in the Linux kernel.

A new privilege escalation vulnerability, tracked as CVE-2017-6074, has been discovered in the Linux kernel and the astonishing new is that it is an 11-year old flaw.

The local privilege-escalation vulnerability, discovered by security researcher Andrey Konovalov, affects all the major Linux distro, including Debian, OpenSUSE, Redhat, and Ubuntu.

The flaw discovered by Konovalov resides in the DCCP (Datagram Congestion Control Protocol) implementation using Syzkaller that is a kernel fuzzing tool released by Google.

The Datagram Congestion Control Protocol (DCCP) is a message-oriented transport layer protocol that implements reliable connection setup, maintenance, and teardown, of an unreliable packet flow, and the congestion control of that packet flow.

The flaw is a use-after-free vulnerability in the way the Linux kernel’s “DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.”

“In the current DCCP implementation an skb for a DCCP_PKT_REQUEST
packet is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns [3].” reads the description of the flaw published on the full disclosure mailing list.

“However, if IPV6_RECVPKTINFO is set on a socket, the address of the
skb is saved to ireq->pktopts and the ref count for skb is incremented
in dccp_v6_conn_request [4], so skb is still in use. Nevertheless, it
still gets freed in dccp_rcv_state_process.”

An attacker can control an object and overwrite its content with a pointer to a execute arbitrary code in the Kernel.

“An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel,” full disclosure mailing list about the vulnerability reads.

It is important to highlight that the CVE-2017-6074 flaw is a local issue that could not be exploited by a remote attacker. In order to exploit the flaw, an attacker needs to have a local account access on the system.

The CVE-2017-6074 vulnerability has already been patched in the mainline kernel, users can apply the patch and rebuild the kernel of their OS or they can wait for the next kernel update from their Linux distro provider.

In December 2016, security experts discovered another privilege-escalation vulnerability in Linux kernel, tracked as CVE-2016-8655, that dated back to 2011.

The flaw was discovered by the security expert Phil Oester who dubbed it ‘Dirty COW.‘ The flaw could be exploited by a local attacker to escalate privileges.

The name “Dirty COW” is due to the fact that it’s triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-6074, Linux)