Security researchers have discovered a new integer overflow vulnerability in the Linux kernel, dubbed Mutagen Astronomy, that affects Red Hat, CentOS, and Debian distributions.
The vulnerability could be exploited by an unprivileged user to gain superuser access to the targeted system.
The flaw was discovered by researchers at the security firm Qualys, who shared technical details of the Mutagen Astronomy vulnerability, including proof-of-concept (PoC) exploits (Exploit 1, Exploit 2).
The flaw, tracked as CVE-2018-14634, affects kernel versions released between July 2007 and July 2017; Linux kernel versions 2.6.x, 3.10.x and 4.14.x are vulnerable to Mutagen Astronomy.
The versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 are not affected by the issue.
The Mutagen Astronomy vulnerability resides in the Linux kernel's create_elf_tables() function, which is used to manage memory tables.
“We discovered an integer overflow in the Linux kernel’s create_elf_tables() function: on a 64-bit system, a local attacker can exploit this vulnerability via a SUID-root binary and obtain full root privileges,” reads the security advisory published by Qualys.
“Only kernels with commit b6a2fea39318 (“mm: variable length argument support”, from July 19, 2007) but without commit da029c11e6b1 (“exec: Limit arg stack to at most 75% of _STK_LIM”, from July 7, 2017) are exploitable. Most Linux distributions backported commit da029c11e6b1 to their long-term-supported kernels, but Red Hat Enterprise Linux and CentOS (and Debian 8, the current “oldstable” version) have not, and are therefore vulnerable and exploitable.”
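The two commits quoted above are what decide exposure, and a fleet owner cannot see a backported commit from a version string alone. The following added check (not Qualys or Red Hat code) tests the behaviour the da029c11e6b1 fix introduces: a fixed kernel refuses an exec whose argv exceeds 3/4 of _STK_LIM (6 MiB) even when RLIMIT_STACK is raised, while a kernel with only the older rlimit/4 check accepts it. It assumes Linux, a `true` binary, and a stack hard limit of at least 64 MiB; otherwise it reports `inconclusive` rather than guessing.

```python
import errno
import resource
import shutil
import subprocess

STK_LIM = 8 * 1024 * 1024            # the kernel's _STK_LIM (8 MiB)
ARG_CAP_WITH_FIX = STK_LIM // 4 * 3  # 6 MiB argv+envp cap introduced by commit da029c11e6b1
MAX_ARG_STRLEN = 32 * 4096           # Linux per-string limit; filler is split to stay under it
TRUE_BIN = shutil.which("true") or "/bin/true"  # assumption: a 'true' binary is available

def build_argv(total_bytes, chunk=MAX_ARG_STRLEN - 1):
    """Split total_bytes of filler into argv strings that each stay under MAX_ARG_STRLEN."""
    full, rest = divmod(total_bytes, chunk)
    return ["x" * chunk] * full + (["x" * rest] if rest else [])

def exec_with_args(total_bytes, stack_bytes):
    """Exec 'true' with ~total_bytes of argv after lifting the child's soft RLIMIT_STACK.
    Unfixed kernels cap argv+envp only at rlim_stack/4, so a raised soft limit lets a
    large argument block through; fixed kernels also cap it at 6 MiB (E2BIG).
    Returns 'ok', 'e2big' or 'error:<reason>'."""
    def lift_stack_limit():  # runs in the forked child, before exec
        _, hard = resource.getrlimit(resource.RLIMIT_STACK)
        resource.setrlimit(resource.RLIMIT_STACK, (stack_bytes, hard))
    try:
        subprocess.run([TRUE_BIN] + build_argv(total_bytes), check=True,
                       preexec_fn=lift_stack_limit)
        return "ok"
    except OSError as exc:  # the child's exec errno is re-raised in the parent
        if exc.errno == errno.E2BIG:
            return "e2big"
        return f"error:{errno.errorcode.get(exc.errno, exc.errno)}"
    except subprocess.SubprocessError as exc:
        return f"error:{type(exc).__name__}"

def arg_stack_cap_status(probe_bytes=7 * 1024 * 1024, stack_bytes=64 * 1024 * 1024):
    """Return 'enforced' if the 3/4 * _STK_LIM cap (commit da029c11e6b1) is present,
    'not-enforced' if only the rlimit/4 check exists, or 'inconclusive'."""
    if not ARG_CAP_WITH_FIX < probe_bytes < stack_bytes // 4:
        raise ValueError("probe_bytes must lie between the fixed cap and stack_bytes/4")
    _, hard = resource.getrlimit(resource.RLIMIT_STACK)
    if hard != resource.RLIM_INFINITY and hard < stack_bytes:
        return "inconclusive"  # soft limit cannot be raised enough to separate the two checks
    if exec_with_args(1024 * 1024, stack_bytes) != "ok":
        return "inconclusive"  # a small exec must succeed before the probe means anything
    result = exec_with_args(probe_bytes, stack_bytes)
    return {"e2big": "enforced", "ok": "not-enforced"}.get(result, "inconclusive")

if __name__ == "__main__":
    print(arg_stack_cap_status())
```

A `not-enforced` result on a 64-bit host matches the exploitable window the advisory describes and marks that host for the kernel update; the probe itself only execs `true` and never touches a SUID binary.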
Like other local privilege escalation issues, exploiting this flaw requires access to the targeted system and the execution of exploit code that triggers a buffer overflow.
Once the attacker has triggered the buffer overflow, they can execute arbitrary code on the affected machine and take it over.
“An integer overflow flaw was found in the Linux kernel’s create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system,” reads the security advisory published by Red Hat.
“This issue does not affect 32-bit systems as they do not have a large enough address space to exploit this flaw. Systems with less than 32GB of memory are very unlikely to be affected by this issue due to memory demands during exploitation.
This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5. This issue affects the version of the kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2 will address this issue.”
At the time of writing, Red Hat Enterprise Linux, CentOS, and Debian 8 Jessie have not yet addressed the flaw.
Below is the timeline for the flaw:
(Security Affairs – Linux, hacking)