Sometimes old fixed bugs come back to bite us. That’s the case with CVE-2017-1000253, a Local Privilege Escalation Linux kernel bug.
This is a problem with how the Linux kernel loaded Executable and Linkable Format (ELF) executables. If an ELF application was built as Position Independent Executable (PIE), the loader could allow part of that application’s data segment to map over the memory area reserved for its stack. This could cause memory corruption. Then, an otherwise unprivileged local user with access to a Set owner User ID (SUID) or otherwise privileged flawed PIE binary, could gain higher-level user privileges.
Qualys, a security company, worked out a way to exploit this hole. By smashing the PIE’s .dynamic section with a stack-based string operation, they found they could force the ld.so dynamic linker to load and execute their own shared library.
This security hole may sound complicated, but it’s relatively easy to exploit. Since it could give an ordinary user super-user privileges it’s potentially very dangerous.
This bug, and its fix, are actually old. It was first uncovered in 2015 by Michael Davidson, a Google software engineer. It was fixed in the 4.0 Linux kernel. To be exact, Davidson repaired the kernel bug with a patch committed on April 14, 2015.
What neither Davidson, nor anyone, realized at the time was that what appeared to be a minor bug could be exploited.
Since the bug was patched over two years ago, you might be wondering, “Why does this matter?”
The problem is that the bug lived on in long-term support (LTS) versions of Linux, which are often used in server Linux distributions. In particular, Qualys found that “All versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.” The bug is also present in Debian-based Linux distributions.
If you’re running an up-to-date Linux desktop, you have nothing to worry about. These use modern kernels rather than LTS kernels.
With a Common Vulnerability Scoring System, version 3 (CVSSv3) severity score of 7.8, system admins should patch the bug as soon as possible. Since the major Linux distributors were aware of the security hole before it was announced, all a system administrator needs to do is their usual package management program to patch the kernel or install a patched kernel, and reboot.