On Friday, February 17th, 2017, the Linux kernel team released a patch for a double-free vulnerability in the Linux kernel. On Wednesday, February 22nd, 2017, the bug was disclosed on the oss-sec mailing list. The flaw is a double free in the kernel's Datagram Congestion Control Protocol (DCCP) implementation. It allows an unprivileged user to alter kernel memory from an unprivileged process or cause a denial of service, which makes it a privilege escalation vulnerability. The CVE assigned to this vulnerability is CVE-2017-6074.
This vulnerability was reported by Andrey Konovalov of Google. It applies to all Linux kernels since 2.6.18 (September 2006), though it may have been first introduced as early as October 2005, and it can let an unprivileged process escalate its privileges. DCCP is designed to support streaming media and telephony, and the weakness lies in the way its implementation freed SKB (socket buffer) resources when the IPV6_RECVPKTINFO option is enabled on the socket. The kernel believed that the memory was still in use by the SKB, allowing an unprivileged local user to write to the kernel's memory space and then have the written code executed within the kernel (at a higher privilege level).
Kernel patches are available for some versions of Ubuntu and Debian, and for Red Hat Enterprise Linux 6 and 7. It is possible to disable DCCP if patches are not available.
CloudPassage customers can use Halo to protect themselves by following these steps:
Patch or mitigate as soon as possible. While this vulnerability requires local access to exploit and cannot be directly exploited over the network, it could be combined with another vulnerability that grants access and then be used to elevate privilege.
The best way to address this vulnerability is to patch or to mitigate. There are two mitigations:
A stub CSM policy to check for the presence of the mitigations is available – please contact a CloudPassage Sales Engineer or Customer Success team member.
Below is a screenshot of a check that will look for the presence of a mitigation.
Customers running SVA scans against their servers should see the vulnerability appear in their reports once it has been added to our internal database. However, updated packages are not yet available from all OS distributions, so the patch may not be visible in SVA yet. If updated packages cannot be installed, one can mitigate the vulnerability.
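
One way to check a host for a DCCP-disable mitigation, as an added example that is not CloudPassage's CSM policy or code from the original page. It assumes the mitigation takes the form of a modprobe.d `install dccp /bin/true` (or `/bin/false`) override; the function name `dccp_status` and its three output words are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the dccp kernel module is disabled.
# Assumption: "disabled" means a modprobe.d "install dccp ..." override
# that points at /bin/true or /bin/false.
# Limitation: DCCP compiled into the kernel (not a module) is not detected.

# dccp_status [MODPROBE_DIR] [PROC_MODULES]
# Prints one of:
#   loaded    dccp is in the running kernel now; an override on disk
#             only takes effect after unload or reboot
#   blocked   not loaded, and an install override stops autoloading
#   loadable  not loaded, but nothing prevents it loading on demand
dccp_status() {
    conf_dir=${1:-/etc/modprobe.d}
    proc_modules=${2:-/proc/modules}

    # /proc/modules has one loaded module per line, name in column 1.
    # dccp_ipv4 and dccp_ipv6 depend on dccp, so checking dccp is enough.
    if [ -r "$proc_modules" ] &&
       awk '$1 == "dccp" { found = 1 } END { exit !found }' "$proc_modules"
    then
        echo loaded
        return 0
    fi

    # Accept only an uncommented install override. A bare "blacklist dccp"
    # is not counted: blacklist ignores a module's own aliases but does
    # not stop the module being pulled in as a dependency.
    pattern='^[[:space:]]*install[[:space:]]+dccp[[:space:]]+(/usr)?/bin/(true|false)([[:space:]]|$)'
    if grep -Eqs "$pattern" "$conf_dir"/*.conf; then
        echo blocked
    else
        echo loadable
    fi
}

# Stand-alone use: check this host, or pass alternate paths as arguments.
dccp_status "$@"
```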