Executive Summary

Summary
Title Linux Kernel local privilege escalation via SUID /proc/pid/mem write
Informations
Name VU#470151 First vendor Publication 2012-01-27
Vendor VU-CERT Last vendor Modification 2012-01-27
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 6.9 Attack Range Local
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 3.4 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#470151

Linux Kernel local privilege escalation via SUID /proc/pid/mem write

Overview

Linux kernel >= 2.6.39 incorrectly handles the permissions for /proc/<pid>/mem. A local, authenticated attacker could exploit this vulnerability to escalate to root privileges. Exploit code is available in the wild and there have been reports of active exploitation.

I. Description

/proc/<pid>/mem is an interface for reading and writing to process memory. The protections to protect unprivileged users from writing to process memory were found to be insufficient and have resulted in exploitation of the interface. By writing to the memory of a suid process, an attacker can run arbitrary code with root privileges. Further technical details can be found on Jason A. Donenfeld's ZX2C4 blog post.

II. Impact

A local, authenticated attacker may be able to gain root privileges on the system.

III. Solution

Apply an update

Patch commit e268337dfe26dfc7efd422a804dbb27977a3cccc has been provided by Linus Torvalds to address this vulnerability. Kernel image 3.0.18 and 3.2.2 have included this commit so far.

Users who obtain the Linux kernel from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.

Vendor Information

VendorStatusDate NotifiedDate Updated
CentOSAffected2012-01-27
Debian GNU/LinuxNot Affected2012-01-27
Gentoo LinuxUnknown2012-01-27
Red Hat, Inc.Affected2012-01-27
Slackware Linux Inc.Unknown2012-01-27
SUSE LinuxUnknown2012-01-27
UbuntuAffected2012-01-27

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
http://blog.zx2c4.com/749
http://www.outflux.net/blog/archives/2012/01/22/fixing-vulnerabilities-with-systemtap/

Credit

Jüri Aedla reported this vulnerability to the Linux kernel developers.

This document was written by Jared Allar.

Other Information

Date Public:2012-01-17
Date First Published:2012-01-27
Date Last Updated:2012-01-27
CERT Advisory: 
CVE-ID(s):CVE-2012-0056
NVD-ID(s):CVE-2012-0056
US-CERT Technical Alerts: 
Severity Metric:15.32
Document Revision:11

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/470151

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14660
 
Oval ID: oval:org.mitre.oval:def:14660
Title: USN-1342-1 -- Linux kernel (Oneiric backport) vulnerability
Description: linux-lts-backport-oneiric: Linux kernel backport from Oneiric The system could be made to run programs as an administrator.
Family: unix Class: patch
Reference(s): USN-1342-1
CVE-2012-0056
 Version: 5
Platform(s): Ubuntu 10.04
 Product(s): Linux
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15372
 
Oval ID: oval:org.mitre.oval:def:15372
Title: USN-1336-1 -- Linux kernel vulnerability
Description: linux: Linux kernel The system could be made to run programs as an administrator.
Family: unix Class: patch
Reference(s): USN-1336-1
CVE-2011-2203
CVE-2011-4077
CVE-2011-4110
CVE-2011-4132
CVE-2011-4330
CVE-2012-0044
CVE-2012-0056
 Version: 5
Platform(s): Ubuntu 11.10
 Product(s): Linux
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21212
 
Oval ID: oval:org.mitre.oval:def:21212
Title: RHSA-2012:0052: kernel security and bug fix update (Important)
Description: The mem_write function in Linux kernel 2.6.39 and other versions, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.
Family: unix Class: patch
Reference(s): RHSA-2012:0052-01
CESA-2012:0052
CVE-2012-0056
 Version: 4
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
 Product(s): kernel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23795
 
Oval ID: oval:org.mitre.oval:def:23795
Title: ELSA-2012:0052: kernel security and bug fix update (Important)
Description: The mem_write function in Linux kernel 2.6.39 and other versions, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.
Family: unix Class: patch
Reference(s): ELSA-2012:0052-01
CVE-2012-0056
 Version: 6
Platform(s): Oracle Linux 6
 Product(s): kernel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27936
 
Oval ID: oval:org.mitre.oval:def:27936
Title: DEPRECATED: ELSA-2012-0052 -- kernel security and bug fix update (important)
Description: [2.6.32-220.4.1.el6] - [fs] Revert 'proc: enable writing to /proc/pid/mem' (Johannes Weiner) [782649 782650] {CVE-2012-0056} [2.6.32-220.3.1.el6] - [kernel] Remove 'WARNING: at kernel/sched.c:5915' (Larry Woodman) [768288 766051] - [x86] kernel: Fix memory corruption in module load (Prarit Bhargava) [769595 767140] - [kernel] Reset clocksource watchdog after sysrq-t (Prarit Bhargava) [755867 742890] - [x86] AMD: Make tsc=reliable override boot time stability checks (Prarit Bhargava) [755867 742890]
Family: unix Class: patch
Reference(s): ELSA-2012-0052
CVE-2012-0056
 Version: 4
Platform(s): Oracle Linux 6
 Product(s): kernel
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Os 1532

ExploitDB Exploits

id Description
2012-01-12 Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2
2012-01-23 Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit

OpenVAS Exploits

Date Description
2012-12-18 Name : Fedora Update for kernel FEDORA-2012-20240
File : nvt/gb_fedora_2012_20240_kernel_fc16.nasl
2012-11-29 Name : Fedora Update for kernel FEDORA-2012-18691
File : nvt/gb_fedora_2012_18691_kernel_fc16.nasl
2012-11-06 Name : Fedora Update for kernel FEDORA-2012-17479
File : nvt/gb_fedora_2012_17479_kernel_fc16.nasl
2012-09-04 Name : Fedora Update for kernel FEDORA-2012-12684
File : nvt/gb_fedora_2012_12684_kernel_fc16.nasl
2012-08-06 Name : Fedora Update for kernel FEDORA-2012-11348
File : nvt/gb_fedora_2012_11348_kernel_fc16.nasl
2012-07-30 Name : CentOS Update for kernel CESA-2012:0052 centos6
File : nvt/gb_CESA-2012_0052_kernel_centos6.nasl
2012-07-09 Name : RedHat Update for kernel RHSA-2012:0052-01
File : nvt/gb_RHSA-2012_0052-01_kernel.nasl
2012-06-25 Name : Fedora Update for kernel FEDORA-2012-8931
File : nvt/gb_fedora_2012_8931_kernel_fc15.nasl
2012-06-15 Name : Fedora Update for kernel FEDORA-2012-8890
File : nvt/gb_fedora_2012_8890_kernel_fc16.nasl
2012-05-17 Name : Fedora Update for kernel FEDORA-2012-7594
File : nvt/gb_fedora_2012_7594_kernel_fc15.nasl
2012-05-14 Name : Fedora Update for kernel FEDORA-2012-7538
File : nvt/gb_fedora_2012_7538_kernel_fc16.nasl
2012-04-26 Name : Fedora Update for kernel FEDORA-2012-6406
File : nvt/gb_fedora_2012_6406_kernel_fc15.nasl
2012-04-02 Name : Fedora Update for kernel FEDORA-2012-0876
File : nvt/gb_fedora_2012_0876_kernel_fc16.nasl
2012-04-02 Name : Fedora Update for kernel FEDORA-2012-3030
File : nvt/gb_fedora_2012_3030_kernel_fc16.nasl
2012-04-02 Name : Fedora Update for kernel FEDORA-2012-3712
File : nvt/gb_fedora_2012_3712_kernel_fc16.nasl
2012-03-29 Name : Fedora Update for kernel FEDORA-2012-3715
File : nvt/gb_fedora_2012_3715_kernel_fc15.nasl
2012-03-22 Name : Fedora Update for kernel FEDORA-2012-4410
File : nvt/gb_fedora_2012_4410_kernel_fc16.nasl
2012-03-19 Name : Fedora Update for kernel FEDORA-2012-3350
File : nvt/gb_fedora_2012_3350_kernel_fc16.nasl
2012-03-19 Name : Fedora Update for kernel FEDORA-2012-1497
File : nvt/gb_fedora_2012_1497_kernel_fc16.nasl
2012-03-16 Name : Fedora Update for kernel FEDORA-2012-3356
File : nvt/gb_fedora_2012_3356_kernel_fc15.nasl
2012-03-16 Name : Ubuntu Update for linux USN-1336-1
File : nvt/gb_ubuntu_USN_1336_1.nasl
2012-03-16 Name : Ubuntu Update for linux-ti-omap4 USN-1364-1
File : nvt/gb_ubuntu_USN_1364_1.nasl
2012-03-07 Name : Fedora Update for kernel FEDORA-2012-2753
File : nvt/gb_fedora_2012_2753_kernel_fc15.nasl
2012-02-13 Name : Fedora Update for kernel FEDORA-2012-1503
File : nvt/gb_fedora_2012_1503_kernel_fc15.nasl
2012-02-01 Name : Ubuntu Update for linux-lts-backport-oneiric USN-1342-1
File : nvt/gb_ubuntu_USN_1342_1.nasl
2012-01-25 Name : Fedora Update for kernel FEDORA-2012-0861
File : nvt/gb_fedora_2012_0861_kernel_fc15.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
78509 Linux Kernel /proc/<pid>/mem Access Restriction Weakness Local Privileg...

Nessus® Vulnerability Scanner

Date Description
2014-11-17 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0109.nasl - Type : ACT_GATHER_INFO
2014-07-22 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0061.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-65.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-0052.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-2001.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120123_kernel_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-02-14 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1364-1.nasl - Type : ACT_GATHER_INFO
2012-01-26 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1342-1.nasl - Type : ACT_GATHER_INFO
2012-01-25 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-0052.nasl - Type : ACT_GATHER_INFO
2012-01-25 Name : The remote Fedora host is missing a security update.
File : fedora_2012-0861.nasl - Type : ACT_GATHER_INFO
2012-01-25 Name : The remote Fedora host is missing a security update.
File : fedora_2012-0876.nasl - Type : ACT_GATHER_INFO
2012-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0052.nasl - Type : ACT_GATHER_INFO
2012-01-24 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1336-1.nasl - Type : ACT_GATHER_INFO