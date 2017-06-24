'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com) 31
msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.
The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.
Remote exploits are the real problem though. This is not a remote exploit.
Re: Interesting, makes me wonder (Score:2, Interesting)
It's only on specific processor types, which indicates the flaw is in the chips' instruction set and the OS patch is a mitigation.
It's an ABI flaw, not a instruction set flaw.
The real fix would be in the compiler and recompiling all libraries and binaries.
So yes, the kernel fix is "mitigation", because doing the real thing will take much longer.
Very interesting that the major flavors (Sys V, BSD, and Linux [which I consider a rewrite of Sys V]) are vulnerable. Sounds like a deep seated logic flaw there. Wonder if other vendor specific ones (IRIX, SunOS, Ultrix, AIX, etc) are vulnerable.
I'm actually still wondering if any of the above except Linux actually are vulnerable.
Only the "threatpost.com" article claims so, and of course the copy/pasted slashdot summary.
But the security researchers quoted in that very article explicitly say they discovered this in Linux, and nothing else.
The CVE issued explicitly says Linux kernels from 3.0 to 4.11.5 as well, no CVEs for other kernels or OSes.
Also the vulnerability in Linux only applies to Intel x86 and amd64 architectures, and it has been proven n
This exploit still requires local access to a machine, so it's not as bad as people claim. Unless you're giving random people shell access to your server.
You might not be giving random people shell access to your server, but if they've managed to acquire it through some other means (e.g. a compromised acccount or some other form of compromise) this means that they can pretty much be assured of being able to go from there to root until you install the patch. Not as bad as a remote root exploit, but still very nasty and worth the "Patch Now".
To me privilege separation seems like an area where formal verification could be useful, but so far no one cares enough to really work on it.
It is called Stack Smashing and OpenBSD is NOT vulnerable to it!
CVE-2017-1000372 and CVE-2017-1000373 are mentioned in the advisory? Broad statements without facts are not helpful. Try again.
Red Hat sent out a notification on Monday. Nice to see the Slashdot editors catching up on the news this weekend.
Sifting through the CVE and the write-up:
The kernel places an unmappable guard page just below the process's maximum-alloted stack space. Normally a process gets allocated only as much stack space as it needs. When the process's stack usage grows, the kernel maps additional pages to grow the process's stack space, but will not grow it beyond the maximum alloted stack size. If the process enters an infinite recursion loop, it'll hit the end of the alloted stack space, and the unmappable guard page segfaults