Linux kernel: multiple x86_64 Privilege Escalation vulnerabilities #CVE-2014-9322
Andy Lutomirski, a security researcher and co-founder of AMA Capital Management, has identified a serious vulnerability in the Linux kernel that can be exploited by a local attacker to escalate privileges on affected systems. This vulnerability, CVE-2014-9322, is related to another vulnerability, CVE-2014-9090, a Linux kernel denial-of-service (DoS) vulnerability that Lutomirski reported recently.
Lutomirski had recently reported CVE-2014-9090, which was caused by improper handling of faults associated with the stack segment (SS) register on the x86 architecture. After CVE-2014-9090 was reported, Borislav Petkov pointed out to Lutomirski further flaws beyond that vulnerability. On further investigation, Lutomirski found that there were two distinct bugs in the handling of the SS register. The second kernel vulnerability has been assigned CVE-2014-9322 and allows a local attacker to escalate privileges on all x86_64 systems.
“Any kernel that is not patched against CVE-2014-9090 is vulnerable to privilege escalation due to incorrect handling of a #SS fault caused by an IRET instruction. In particular, if IRET executes on a writeable kernel stack (this was always the case before 3.16 and is sometimes the case on 3.16 and newer), the assembly function general_protection will execute with the user’s gsbase and the kernel’s gsbase swapped,” Lutomirski explained in an advisory.
He added that, “This is likely to be easy to exploit for privilege escalation, except on systems with SMAP or UDEREF. On those systems, assuming that the mitigation works correctly, the impact of this bug may be limited to massive memory corruption and an eventual crash or reboot.”
Lutomirski has stated that the fix released for CVE-2014-9090 also patches CVE-2014-9322. The National Vulnerability Database maintained by NIST has assigned this Linux kernel privilege escalation vulnerability a base score of 7.2, while Red Hat has rated the bug as “important.” The vulnerability affects Red Hat Enterprise Linux 4, 5, 6, and 7, and Red Hat Enterprise MRG 2; a kernel package update addressing the flaw was released on Thursday and can be downloaded here.
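Because the article states that the CVE-2014-9090 fix also covers CVE-2014-9322 and that the bug is specific to x86_64 kernels, the practical question for an administrator is whether the installed distribution kernel already carries that fix. The following script is an added example and is not from the article, from Lutomirski or from Red Hat; it assumes (as Red Hat does, via `rpm -q --changelog`) that the vendor records backported CVE fixes in the kernel package changelog, and it uses constructed changelog text with placeholder versions so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the article: a defender-side check for whether an
# installed distribution kernel package carries the CVE-2014-9322 fix.
# Assumption (not stated in the article): the vendor cites backported CVE
# fixes in the package changelog, which is what `rpm -q --changelog` prints
# on Red Hat systems. Versions, dates and names below are constructed.

SAMPLE_CHANGELOG_FIXED='* Thu Dec 18 2014 Example Maintainer <maint@example.com> [0.0.0-EXAMPLE.2]
- [x86] traps: fix #SS fault handling on IRET (CVE-2014-9322)
* Mon Nov 03 2014 Example Maintainer <maint@example.com> [0.0.0-EXAMPLE.1]
- [net] unrelated change'

SAMPLE_CHANGELOG_UNFIXED='* Mon Nov 03 2014 Example Maintainer <maint@example.com> [0.0.0-EXAMPLE.1]
- [net] unrelated change'

# changelog_mentions_cve CVE-ID TEXT: exit 0 if the changelog cites the CVE.
changelog_mentions_cve() {
    printf '%s\n' "$2" | grep -qiF -- "$1"
}

# kernel_status ARCH CHANGELOG-TEXT prints one of:
#   not-applicable  the CVE only affects x86_64 kernels
#   patched         the changelog cites CVE-2014-9322, or CVE-2014-9090
#                   (the article states its fix also covers CVE-2014-9322)
#   check-needed    x86_64 with no changelog reference; verify against the
#                   vendor advisory or upgrade the kernel package
kernel_status() {
    arch="$1"
    changelog="$2"
    if [ "$arch" != "x86_64" ]; then
        echo not-applicable
    elif changelog_mentions_cve CVE-2014-9322 "$changelog" \
      || changelog_mentions_cve CVE-2014-9090 "$changelog"; then
        echo patched
    else
        echo check-needed
    fi
}

# On a live Red Hat system the running kernel would be checked with:
#   kernel_status "$(uname -m)" "$(rpm -q --changelog "kernel-$(uname -r)" 2>/dev/null)"
# Here the constructed samples are used so the script runs without rpm.
kernel_status x86_64 "$SAMPLE_CHANGELOG_FIXED"     # patched
kernel_status x86_64 "$SAMPLE_CHANGELOG_UNFIXED"   # check-needed
kernel_status i686   "$SAMPLE_CHANGELOG_FIXED"     # not-applicable
```

A changelog reference is evidence that the vendor backported the fix into that package build, which is the relevant signal on enterprise distributions where the upstream version number alone says nothing about which patches are applied; a `check-needed` result should be resolved against the vendor advisory rather than treated as proof of exposure.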
In a separate advisory, Red Hat has dismissed the ‘Grinch’ vulnerability in Linux that was reported by Alert Logic earlier. The ‘Grinch’ vulnerability was covered by Techworm earlier this week, and many users commented that it was a false report. Red Hat has stated that ‘Grinch’ is neither a flaw nor a security issue. One commenter, CRPECK, pointed out the obvious by quoting from the Red Hat website: “give an unauthorized user root access to the system by leveraging “wheel,” a special user group that controls access to the su command and allows one user to operate as if they were another. If a user is a member of the ‘wheel’ group, they are authorized by definition. Obviously you shouldn’t give non-trusted users wheel privileges. This is a non-issue.”