A serious privilege escalation vulnerability was recently (re)discovered in the Linux kernel. The vulnerability could have allowed attackers to gain write access to read-only memory mappings and modify on-disk binaries, bypassing the usual mechanisms that prevent ordinary users from modifying system files. There’s some evidence that the vulnerability is being actively used in the wild.
Following the release of a kernel patch, all major Linux distributions have released new patched kernels that close the vulnerability. CentOS — which Future Hosting uses on most of its hosting plans — has been patched. We’ve updated our hosting plans so that our managed hosting clients are no longer vulnerable.
The problem was caused by a race condition in Linux’s copy-on-write memory code. A race condition occurs when operations must happen in a particular order but, under the right timing, can happen out of order. In this case, attackers could exploit the race condition to inject data into memory locations that were ordinarily write-protected. Once an attacker can inject their own data and code into memory, they can essentially do as they please. In this case, it was possible to escalate ordinary users to root.
The real risk is to servers on which multiple third parties have user accounts — a common scenario in web hosting. Using this vulnerability, one user with a shared hosting plan could escalate their privilege and access data owned by other users or interfere with the functioning of the server.
Combined with other vulnerabilities, it may be possible to exploit the privilege escalation vulnerability remotely. A typical approach for an attacker is to find a vulnerability in an internet-facing service that provides a shell or lets them run arbitrary code. On a properly configured server, they would only be able to run code as an ordinary user, limiting the damage they can do. The next step is to escalate that user’s privilege, which is exactly what the recently fixed vulnerability allows.
It’s not the first time this particular bug has caused problems. As Linus Torvalds — the founder and lead developer on the Linux project — notes, the bug was discovered and fixed more than a decade ago, but the fix caused problems and was reversed.
“This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a (“Fix get_user_pages() race for write access”) but that was then undone due to problems on s390 by commit f33ea7f404e5 (“fix get_user_pages bug”).”
With the new fix, it appears the problem is solved permanently. If your server hasn’t been updated, it’s still vulnerable to this exploit. You should update as soon as possible: now that the vulnerability is widely publicised, many more would-be attackers will be trying their luck.
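A kernel update only protects a server once it has been rebooted into the new kernel; a host that has the patched package installed but is still running the old kernel remains vulnerable. The script below is an added example (not part of the original post or of any distribution's tooling) of a reboot check for an RPM-based system such as CentOS: it takes the package list printed by `rpm -q kernel`, picks the newest installed kernel by version sort, and compares it with the running kernel from `uname -r`. The `rpm -q kernel` output format and the `sort -V` version sort (GNU coreutils) are assumptions; the version strings in the sample are constructed for the demonstration and are not the real fixed versions, which you should take from your distribution's advisory.

```shell
#!/bin/sh
# Added example: report whether a CentOS/RPM host still runs an older kernel
# than the newest one installed, i.e. whether a reboot is still needed.
# Assumes `rpm -q kernel` prints one "kernel-<release>" line per package.

# $1: newline-separated output of `rpm -q kernel`.
# Prints the newest installed kernel release (without the "kernel-" prefix).
newest_kernel() {
    printf '%s\n' "$1" | sed 's/^kernel-//' | sort -V | tail -n 1
}

# $1: running kernel release (uname -r); $2: newest installed kernel release.
# Returns 0 (true) when the running kernel is strictly older than $2.
reboot_needed() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$2" ]
}

# Live check against the local host; exit 1 means "reboot into the new kernel".
check_host() {
    running=$(uname -r)
    installed=$(rpm -q kernel 2>/dev/null) || { echo "rpm not available or no kernel package"; return 2; }
    newest=$(newest_kernel "$installed")
    if reboot_needed "$running" "$newest"; then
        echo "running $running, newest installed $newest: reboot into the new kernel"
        return 1
    fi
    echo "running $running is the newest installed kernel"
    return 0
}

# Constructed sample of `rpm -q kernel` output (version numbers are invented).
SAMPLE_INSTALLED='kernel-3.10.0-100.1.el7.x86_64
kernel-3.10.0-101.2.el7.x86_64
kernel-3.10.0-99.3.el7.x86_64'

# Run the live check only when invoked as `sh check_kernel.sh --check`.
if [ "$1" = "--check" ]; then
    check_host
fi
```

Run it with `--check` from cron or a configuration management tool and alert on a non-zero exit; the same comparison works on Debian-family hosts if the package list comes from `dpkg -l 'linux-image-*'` instead, with the prefix stripping adjusted to match.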