EGI SVG Advisories

High risk vulnerability in Linux kernel: Insufficient /proc/pid/mem access control (CVE-2012-0056)


Introduction
============

Yesterday, January 22, detailed information was released about a
vulnerability in the Linux kernel, complete with an exploit that on
many systems can give any local user root privileges. (The
vulnerability was previously known, but not believed to be
exploitable.)

This vulnerability has been labeled CVE-2012-0056, and is present on
many Linux distributions, including RHEL/CentOS/SL 6 (but *not* RHEL 5
and derivatives). Recent versions of Debian and Ubuntu are also affected.

Vendor patches are so far not available, but there are certain ways to
mitigate the risk - see below.

The EGI CSIRT has declared this a High risk vulnerability, and may
upgrade it to Critical risk if conditions change.


Recommendations
===============

Immediately apply the mitigation described below to all vulnerable
user-accessible systems.

Apply vendor kernel updates when they become available.


Details
=======

In kernel version 2.6.39, the access control code for the
/proc/[pid]/mem interface was rewritten and simplified. Unfortunately,
the code was a bit *too* simplified, making it possible (with a few
tricks) to modify the memory of a running process that is suid root.

The currently published exploit does not work on RHEL-like systems.
However, it is likely that the exploit can be adapted to work also on
these systems.

Please see the references section for full details.


Mitigation
==========

It is possible to protect a vulnerable system by inserting a systemtap
probe. Please see the section "Interim Workaround" in

  https://access.redhat.com/kb/docs/DOC-69129

Please note that this protection is not persistent across reboots. It
has to reapplied every time the system is rebooted. You may also want
to run stap with the options "-Fg" (not just "-g"), to make it detach
from the console.


References
==========

Red Hat Knowledgebase: https://access.redhat.com/kb/docs/DOC-69129

Original announcement by Jason Donenfeld: http://blog.zx2c4.com/749