
RDS Protocol Bug Creates a Linux Kernel Hole, Now Fixed

Posted by timothy
from the what-does-the-sky-think-as-it-falls dept.
Trailrunner7 writes "The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system. The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included." The article goes on to say, though, that "Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions," and that Linus Torvalds has committed a fix.

  • A local exploit only (Score:5, Informative)

    by h4rr4r (612664) on Thursday October 21, 2010 @01:25PM (#33977158)

    They should mention in the summary this is a local privilege escalation exploit only.

  • by digitaldc (879047) * on Thursday October 21, 2010 @01:33PM (#33977310)
    "Reliable Datagram Sockets (RDS) provide in order, non-duplicating, highly available, low overhead, reliable delivery of datagrams between hundreds of thousands of non-connected endpoints."

    Gives new meaning...

    Recommendation:
    Users should install updates provided by downstream distributions or apply the committed patch [3] and recompile their kernel.
    Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:
    echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds
  • by tom17 (659054) on Thursday October 21, 2010 @01:57PM (#33977694) Homepage
    It's everywhere. I just tested it on a random newish Ubuntu install (Well, 10.04) and the exploit works. It *does* say in the article that it's set up this way as default.

    I'd expect this is a pretty common vulnerability out there.
  • by tom17 (659054) on Thursday October 21, 2010 @01:58PM (#33977710) Homepage
    It's enabled by default. I tested it.
  • by jedidiah (1196) on Thursday October 21, 2010 @02:02PM (#33977766) Homepage

    Nope. The usual Microsoft nonsense is still alive and well in 2010.

  • by DeadCatX2 (950953) on Thursday October 21, 2010 @02:23PM (#33978100) Journal

    Yeah, it's 2010, and every Tuesday my computer bitches about how I have updates waiting to be installed...

  • by Athanasius (306480) <slashdotNO@SPAMmiggy.org> on Thursday October 21, 2010 @03:13PM (#33978868) Homepage
    What? No Auto-load of it on trying to use the protocol it utilises? I ask because the workaround is to turn that particular feature off: echo alias net-pf-21 off > /etc/modprobe.d/disable-rds
  • by drumbug1 (1140947) on Thursday October 21, 2010 @03:14PM (#33978898)
    If the system is completely up to date it's already patched in Ubuntu. Details on the kernel package needed for each currently supported release are here: http://www.ubuntu.com/usn/usn-1000-1 [ubuntu.com]
  • by Anonymous Coward on Thursday October 21, 2010 @03:14PM (#33978900)

    Sorry for the Anonymous Coward reply, I don't have an account in my name. I'm the researcher who discovered the vulnerability and published it. Just thought I'd clear up a few issues:

    1. Stock installations of Ubuntu, Debian, Fedora, Red Hat, Arch, Slackware, and SuSE (and probably more) >= 2.6.30 are (or were) all vulnerable to the issue. Ubuntu has already issued an update, which is why some people can't get the exploit working on their Ubuntu machines. Even if the proof-of-concept doesn't work on your machine, if you have an unpatched machine that compiles RDS as a module, you are vulnerable and should patch.

    2. Just because something is "compiled as a module" doesn't mean you have to explicitly have an administrator load it in order for it to be used. Networking protocols can be loaded at runtime by unprivileged users on nearly every distribution, including RDS. This is part of a broader security problem in the Linux world that should be improved.

    3. No one should be complaining about the week-long period after reporting before disclosure. The Linux security folks upstream would have published the fix the day I reported the issue, except I specifically requested an embargo period of one week, during which downstream distributions could prepare updates. If I hadn't requested this embargo, then the fix would have been published immediately, but distribution users would have had to wait for their respective distributions to put together updates.

  • by rastos1 (601318) on Thursday October 21, 2010 @03:28PM (#33979104) Homepage

    Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:
    echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

    I hate it when I see advice like that. Linux is an open system. We should understand what we are doing when running a command like that as root. Running that command means that you tell the kernel module loading mechanism that it should not load the module with name net-pf-21. My man page for modprobe says that it reads files with the extension ".conf" in the /etc/modprobe.d/ directory. So I guess that the command won't do squat on my system because of the missing .conf extension.

    Next it also assumes that the particular functionality is compiled in a module called "net-pf-21". No such module here. That would probably be the case because neither Kconfig files nor Makefiles in the Linux source code mention such a module. And all that Google returns is the same line that you repeated here. The name net-pf would suggest that the module should belong to "network packet filter", but the patch from Linus is not dealing with packet filter but rather with net/rds/page.c.

    I did not do deeper analysis but I assume that

    net/rds/Kconfig:
    config RDS
    tristate "The RDS Protocol (EXPERIMENTAL)"
    depends on INET && EXPERIMENTAL
    ---help---
    The RDS (Reliable Datagram Sockets) protocol provides reliable

    together with

    zgrep RDS /proc/config.gz
    # CONFIG_RDS is not set

    indicates that my system is safe.

  • by drumbug1 (1140947) on Thursday October 21, 2010 @03:29PM (#33979116)
    If the system is completely up to date it's already patched in Ubuntu. Details on the kernel package needed for each currently supported release are here: http://www.ubuntu.com/usn/usn-1000-1 [ubuntu.com]
  • by Anonymous Coward on Thursday October 21, 2010 @03:41PM (#33979288)

    "net-pf" is a common prefix that refers to network packet families. You have an alias file at /lib/modules/[kernel version]/modules.alias that contains a number of entries like this. This is actually a format that is hard-coded into the kernel:

    http://lxr.linux.no/#linux+v2.6.36/net/socket.c#L1196

    The workaround is perfectly valid.

  • Re:now fixed? (Score:3, Informative)

    by TeknoHog (164938) on Thursday October 21, 2010 @03:56PM (#33979504) Homepage Journal
    The fix mentioned in TFA is also in the 2.6.36 changelog. So if you use the latest vanilla kernel, it is already fixed.
  • by JesseMcDonald (536341) on Thursday October 21, 2010 @04:01PM (#33979584) Homepage
    The module name is "rds"; "net-pf-21" is an alias, and stands for Network Packet Family #21.
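
The two checks argued over in this thread (is CONFIG_RDS built at all, and is the net-pf-21 alias disabled in a file modprobe will read), as an added shell example that is not part of any comment above. The function names and verdict strings are invented for illustration; it assumes a modprobe that reads only *.conf files in /etc/modprobe.d, as rastos1's man page says, and it does not test whether the running kernel already carries the fix.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments so the checks can
# run on copies; CONFIG_FILE is a plain-text kernel config, e.g. the output
# of `zcat /proc/config.gz` saved to a file.

# rds_build_state CONFIG_FILE -> absent | module | builtin
rds_build_state() {
    # Only the exact CONFIG_RDS symbol counts, not CONFIG_RDS_TCP and friends.
    case "$(grep -E '^CONFIG_RDS=' "$1" 2>/dev/null | head -n 1)" in
        CONFIG_RDS=m) echo module ;;
        CONFIG_RDS=y) echo builtin ;;
        *)            echo absent ;;   # "# CONFIG_RDS is not set" or missing
    esac
}

# rds_alias_state MODPROBE_DIR -> blocked | ignored-file | unblocked
rds_alias_state() {
    state=unblocked
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # The workaround line, tolerating extra whitespace; comments don't match.
        grep -Eq '^[[:space:]]*alias[[:space:]]+net-pf-21[[:space:]]+off[[:space:]]*$' "$f" || continue
        case "$f" in
            *.conf) echo blocked; return 0 ;;
            *)      state=ignored-file ;;  # assumption: non-.conf files are skipped
        esac
    done
    echo "$state"
}

# rds_exposure CONFIG_FILE MODPROBE_DIR -> one-word verdict
rds_exposure() {
    build=$(rds_build_state "$1")
    alias_state=$(rds_alias_state "$2")
    case "$build:$alias_state" in
        absent:*)            echo not-built ;;
        builtin:*)           echo builtin-workaround-ineffective ;;
        module:blocked)      echo autoload-blocked ;;
        module:ignored-file) echo workaround-file-lacks-conf ;;
        *)                   echo autoload-possible ;;
    esac
}
```

On a live system the call would be along the lines of `rds_exposure /boot/config-$(uname -r) /etc/modprobe.d`, where the config path is distribution-dependent.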
