A local privilege escalation flaw has been fixed in the Linux kernel, but several upstream distributions have yet to release updates. Administrators should plan on mitigating the vulnerability on Linux servers and workstations themselves and monitor the distributions for their update plans.
The race condition flaw in the n_hdlc driver (drivers/tty/n_hdlc.c) in the Linux kernel through 4.10.1 () can lead to a double-free error in n_hdlc_release() when accessing the n_hdlc.tbuf list, said , a researcher at Russia-based Positive Technologies who found and reported the flaw. A local, unprivileged user able to set the HDLC line discipline on the tty device could exploit this flaw to elevate privileges on the affected system or cause a denial-of-service condition.
The vulnerability, which received a base score of 7.8 under Common Vulnerability Scoring System (CVSS) 3.0, does not require any user interaction to be triggered, and the attack complexity is considered low. Exploiting this flaw requires no specialized hardware or peripherals on the targeted system. Under CVSS, the vulnerability is rated High severity because of its impact.
The patch was sent to the Linux kernel mainline on Feb. 28, and the new version of the kernel was released March 7. All versions of the Linux kernel up to 4.10.1 are considered vulnerable.
to determine the state of their kernel and distribution.
Various Linux 6.0 packages for sparc, s/390, powerpc, mips, ia-64, ia-32, arm, amd64, the Linux kernel in Debian wheezy 3.2.78-1, jessie 3.16.39-1, and stretch 4.9.13-1 are vulnerable. The most recent versions of Debian jessie, 3.16.39-1+deb8u2, and wheezy, 3.2.86-1, already have the fixed kernel modules.
of the flaw.
Any Linux distribution that has CONFIG_N_HDLC=m in its kernel configuration is likely affected, as it builds the vulnerable driver.
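A host check built from the two facts the article gives (example added here; it is not the article's or Positive Technologies' code, and the function names are this example's own assumptions): a kernel at or below 4.10.1 carries the bug, and a kernel config with CONFIG_N_HDLC set builds the affected driver.

```sh
#!/bin/sh
# Added example, not from the article. Flags a host for the n_hdlc double-free
# using the two facts given above: kernels up to and including 4.10.1 carry the
# bug, and a config with CONFIG_N_HDLC=m (or =y) builds the affected driver.
# Function names below are this example's own.

# kver_le A B: succeed when dotted version A is <= B (first three numeric parts).
# Distribution suffixes such as "-1-amd64" or "+deb8u2" are stripped first.
kver_le() {
    a=$(printf '%s\n' "$1" | sed 's/[-+].*//')
    b=$(printf '%s\n' "$2" | sed 's/[-+].*//')
    set -- $(printf '%s\n' "$a" | tr '.' ' '); a1=${1:-0} a2=${2:-0} a3=${3:-0}
    set -- $(printf '%s\n' "$b" | tr '.' ' '); b1=${1:-0} b2=${2:-0} b3=${3:-0}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -le "$b3" ]
}

# n_hdlc_status VERSION CONFIG_FILE: prints one of
#   driver-not-built  - CONFIG_N_HDLC absent or "is not set": driver never compiled
#   patched-version   - driver built, but upstream version is past 4.10.1
#   vulnerable        - driver built and version is 4.10.1 or older
# and returns 0 only for "vulnerable", so it can drive a fleet-wide loop.
n_hdlc_status() {
    if ! grep -Eq '^CONFIG_N_HDLC=(m|y)$' "$2" 2>/dev/null; then
        echo "driver-not-built"; return 1
    fi
    if kver_le "$1" "4.10.1"; then
        echo "vulnerable"; return 0
    fi
    echo "patched-version"; return 1
}

# Live check of this host (run the script with --host); also reports whether
# the n_hdlc module is currently loaded.
if [ "${1:-}" = "--host" ]; then
    n_hdlc_status "$(uname -r)" "/boot/config-$(uname -r)"
    if lsmod | grep -q '^n_hdlc '; then echo "n_hdlc module is loaded"; fi
fi
```

Distribution kernels that backport the fix (the article's Debian 3.16.39-1+deb8u2 is one) are reported as vulnerable here, because the version string alone cannot reveal a backport; treat the result as a prompt to check the distribution's advisory, not as a verdict.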
Popov discovered the bug while investigating a suspicious kernel crash produced by an unsupervised Linux system call fuzzing tool, . The vulnerability stems from the fact that n_hdlc uses self-made singly linked lists for data buffers and an n_hdlc.tbuf pointer to resend a buffer after an error. If a data buffer can't be sent for whatever reason, its address is saved in n_hdlc.tbuf, and that buffer is the first thing sent the next time hdlc_send_frames() is called. Because of the race, hdlc_send_frames() can put the same buffer into tx_free_buf_list twice, causing the double-free error.
The bug appears to be nearly eight years old, as it was introduced in 2009 when code was added to to n_hdlc. It was fixed by switching to a standard kernel linked list protected by a spinlock and by removing the n_hdlc.tbuf pointer, Popov said. In case of a transmission error, the data buffer gets placed after the head of the
The vulnerability exists in a widely used open source component — in this case, the actual Linux kernel — across all major versions and distributions. But “the only way most Linux users will know about it is if they are actively monitoring the NVD [National Vulnerability Database] or a security feed from their Linux provider,” Carey said. It’s highly likely that thousands of systems will remain unpatched and vulnerable, especially when running Linux on nonstandard hardware such as the Raspberry Pi.
“If organizations aren’t making a concerted effort to track and manage their open source, they’re leaving the door wide open for exploit,” Carey said.