A critical vulnerability has been discovered in Unix-like operating systems, including Linux and various flavors of BSD. The vulnerability can be used for local privilege escalation, allowing a local user or an attacker who has managed to compromise a server to gain root access.
All major Linux distributions have released patches to mitigate the risk, including CentOS. Server hosting clients should update the Linux kernel and glibc immediately.
Although the so-called Stack Clash vulnerability can’t on its own be used for remote code execution, it’s possible that in combination with other vulnerabilities, Stack Clash could be used to execute code remotely with root permissions.
The most pressing risk is for server administrators and web hosting providers whose servers host multiple users. On a secure system, each user account cannot interfere with the processes and files of other users. However, if one user on a shared server gains root privileges, they’ll be able to disrupt the processes and steal the data of their neighbors. If you host multiple users on your servers, it’s imperative that you update immediately.
The Stack Clash vulnerability, which was discovered by Qualys, takes advantage of a flaw in the way memory is handled on servers running a wide range of Linux distributions and other Unix-like operating systems.
The stack is an area of memory allocated to each running process. The vulnerability relies on an attacker’s ability to expand the size of the stack until it collides with separate regions of memory that contain other code or data, allowing the attacker to trick the machine into running code with greater permissions than would otherwise be possible.
This isn’t a novel vulnerability; a variation caused trouble in the past. In both 2005 and 2010 vulnerabilities that “clashed the stack” with another area of memory were exploited. In 2010, a fix was introduced to prevent such stack overflow attacks — the stack guard page. The stack guard page is an area in memory that acts as a trap when accessed.
The key to the 2017 Stack Clash vulnerability is the ability to circumvent the stack guard page by “jumping” over that area of memory.
As I’ve already said, patches for the vulnerability are available for CentOS and other operating systems. There’s a slight chance that the fix may cause minor performance issues, but they shouldn’t be noticeable in normal server operation. Leaving a server unpatched is unwise, and it’s especially important that multi-user servers are updated promptly.
However, if you have a very good reason to avoid updating or rebooting your server, Qualys has suggested a workaround.
“As a temporary workaround, you may set the hard RLIMIT_STACK and RLIMIT_AS of your local users and remote services to some reasonably low values.”
You should be aware that the workaround doesn’t make a server invulnerable to the attack. If the limits are too low, legitimate applications will be unable to run. Updating immediately is the best and safest way to mitigate the risk.