ITW-vulnerability in Linux: please come in stealthily

A serious privilege-escalation vulnerability was discovered in Linux in late April. Bugs like this are especially problematic for businesses and require a prompt response.

This is the first installment of a new regular column for system administrators, dedicated to newly discovered, “notable” vulnerabilities in the most popular software: the packages that are generally considered “bullet-proof” (i.e. mostly secure and reliable). Unfortunately, there is no such thing as absolutely secure, error-free software. The security level of a software package is determined not only by the professionalism of its developers; it also depends on how much attention it draws from both white-hat security researchers and black-hat intruders, and therefore on how quickly its vulnerabilities are discovered and eliminated.

And here we go.

Core problem

On April 29, 2014, Novell announced the discovery of a serious vulnerability in the Linux kernel (CVE-2014-0196) that allows denial-of-service attacks or elevation of a local user’s privileges up to root level. Researchers found that all kernel versions from 2.6.31-rc3 through 3.14.3 are vulnerable. The National Vulnerability Database rated this vulnerability as “High”.

A working exploit was not long in coming, which is no surprise.

Malware exploiting this vulnerability elevates the user’s privileges to root, and on the affected UNIX-like systems root’s rights are limited by next to nothing.

This means that an attacker who has obtained root privileges gains full access to at least some resources on the company network (those reachable with the compromised host’s root rights) and can perform any operation on them: copy and delete data, install (malicious) software, and so on. The result may be a serious leak of business data.

Technical details

The vulnerability is caused by an error in the n_tty_write function (drivers/tty/n_tty.c), which does not properly handle tty (teletype) driver access in the “LECHO & !OPOST” case. On May 12, 2014, source code for a working exploit for this vulnerability was published.

After investigation, the issue was fixed in the Linux kernel on May 3, 2014.

Possible consequences of successful exploitation

  • System crash
  • Denial of service
  • Kernel memory corruption
  • Elevation of privileges up to root level

Vulnerable packages

  • Red Hat 6.2 AUS;
  • Red Hat 6.3 EUS;
  • Red Hat Enterprise MRG2;
  • Debian 6: above 2.6.32-5;
  • Debian 7: Linux image below 3.2.57-3+deb7u1;
  • Ubuntu 10.04: Linux image below 2.6.32-58.121;
  • Ubuntu 12.04: Linux image 3.2.0-61.93;
  • Ubuntu 12.10: Linux image below 3.5.0-49.74;
  • Ubuntu 13.10: Linux image below 3.11.0-20.35;
  • Ubuntu 14.04: Linux image below 3.13.0-24.47.

Research

During their research, Kaspersky Lab’s experts obtained both proof-of-concept exploit files and, thanks to Kaspersky Security Network, about a dozen real-world malware samples.

The proof-of-concept files and active malware are detected by Kaspersky Lab’s products as:

  • Exploit.Linux.CVE-2014-0196.a;
  • HEUR:Exploit.Linux.CVE-2014-0196.a.

Solution

Prompt installation of the latest security updates for all affected Linux versions is required. They are available from the vendors’ official sites.
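To tell whether a Debian or Ubuntu host is still running a kernel package older than the fixed builds from the “Vulnerable packages” list above, here is an added Python check; it is example code, not from the advisory or from any vendor. It encodes the “below X” entries of that list and compares the installed linux-image version against them with a dpkg-style ordering. The release keys are this example’s own naming, and reading the installed version with dpkg-query for the running kernel’s package is an assumption about the host.

```python
import subprocess, sys

# First fixed linux-image build per release, from the "Vulnerable packages" list
# above ("below X" read as "X is the first fixed build"); keys are assumptions.
FIXED_VERSIONS = {
    "debian-7": "3.2.57-3+deb7u1",
    "ubuntu-10.04": "2.6.32-58.121",
    "ubuntu-12.10": "3.5.0-49.74",
    "ubuntu-13.10": "3.11.0-20.35",
    "ubuntu-14.04": "3.13.0-24.47",
}

def _char_order(c):
    # dpkg rule: letters sort before punctuation; the '~' rule is omitted (unused here).
    return ord(c) if c.isalpha() else ord(c) + 256

def _parse(version):
    # Alternating non-digit / digit runs, starting with a (possibly empty)
    # non-digit run, so numeric parts compare as numbers (9 < 49).
    parts, i = [], 0
    while i < len(version):
        j = i
        while j < len(version) and not version[j].isdigit():
            j += 1
        parts.append(tuple(_char_order(c) for c in version[i:j]))
        i = j
        while j < len(version) and version[j].isdigit():
            j += 1
        parts.append(int(version[i:j] or 0))
        i = j
    return tuple(parts)

def is_vulnerable(release, installed):
    """True if the installed linux-image version predates the fixed build."""
    return _parse(installed) < _parse(FIXED_VERSIONS[release])

def installed_kernel_version():
    """Package version of the running kernel via dpkg-query, or None."""
    try:
        uname = subprocess.check_output(["uname", "-r"], text=True).strip()
        return subprocess.check_output(
            ["dpkg-query", "-W", "-f=${Version}", "linux-image-" + uname],
            text=True).strip()
    except (OSError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":  # usage: python3 check_cve_2014_0196.py ubuntu-14.04
    current = installed_kernel_version() or sys.exit("no linux-image version found")
    print("VULNERABLE" if is_vulnerable(sys.argv[1], current) else "patched")
```

Entries without a “below” threshold (Debian 6, Ubuntu 12.04, the Red Hat products) are not encoded, because the list gives no version boundary for them.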

Tips