On Friday February 17th, 2017 the Linux Kernel team released a patch for a double-free vulnerability in the Linux kernel. On Wednesday February 22nd, 2017 the bug was revealed to the oss-sec mailing list. This Privilege Escalation vulnerability is a double-free vulnerability in the Datagram Congestion Control Protocol (DCCP) that allows an unprivileged user to alter kernel memory from an unprivileged process or cause a denial of service. The CVE assigned to this vulnerability is CVE-2017-6074.
This vulnerability was reported by Andrey Konovalov of Google. It applies to all Linux kernels since 2.6.18 (September 2006), though it may have been first introduced as early as October 2005, and it could lead to a Privilege Escalation of an unprivileged process. The Datagram Congestion Control Protocol (DCCP) is designed to support streaming media and telephony, and there is a weakness in the way that it freed SKB (socket buffer) resources if the IPV6_RECVPKTINFO option is enabled on the socket. The kernel believed that the memory was still in use by the SKB, allowing an unprivileged local user to write to the kernel’s memory space, and then to have any code that was written executed within the kernel (at a higher privilege level).
CloudPassage customers can use Halo to protect themselves by following these steps:
- Patch the kernel and reboot as soon as possible if patches are available, or apply the available mitigations. Some fixes require a reboot to be effective.
- Use Halo CSM to confirm that the mitigations are in place. Customers who have been using a CloudPassage-provided CSM template based on either CIS or DISA STIG benchmarks should already be protected against this vulnerability.
- Once patches are available, use Halo SVA to confirm that the kernel is patched.
Patch or mitigate as soon as possible. While this vulnerability requires local access to exploit and cannot be directly exploited over the network, it could be combined with another vulnerability to grant access, and then elevate privilege.
CSM (Configuration Security Monitoring)
The best way to address this vulnerability is to patch or to mitigate. There are two mitigations:
- Prevent modprobe from loading the module by running sudo echo ‘install dccp /bin/true’ >> /etc/modprobe.d/disable-dccp.conf to make sure that when an install of DCCP is requested it will not happen.
- Make sure the dccp module is not loaded by running sudo modprobe -rv dccp or sudo rmmod dccp. If the module is in use, this command will fail, and a reboot will be required to unload the module.
A stub CSM policy to check for the presence of the mitigations is available – please contact a CloudPassage Sales Engineer or Customer Success team member.
Below is a screenshot of a check that will look for the presence of a mitigation.
SVA (Software Vulnerability Assessment)
Customers running SVA scans against their servers should see the vulnerability appearing in their reports once the vulnerability has been added to our internal database. However, updated packages are not available from all various OS distributions yet, so the patch may not be visible in SVA yet. If updated packages cannot be installed, one can mitigate the vulnerability.