Headline
Researchers Uncover New Linux Kernel 'StackRot' Privilege Escalation Vulnerability
Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host. Dubbed StackRot (CVE-2023-3269, CVSS score: 7.8), the flaw impacts Linux versions 6.1 through 6.4. There is no evidence that the shortcoming has been exploited in the wild to date. "As StackRot is a Linux kernel vulnerability found in the memory
Linux / Endpoint Security
Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host.
Dubbed StackRot (CVE-2023-3269, CVSS score: 7.8), the flaw impacts Linux versions 6.1 through 6.4. There is no evidence that the shortcoming has been exploited in the wild to date.
“As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger,” Peking University security researcher Ruihan Li said.
“However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.”
Following responsible disclosure on June 15, 2023, it has been addressed in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023, after a two-week effort led by Linus Torvalds.
A proof-of-concept (PoC) exploit and additional technical specifics about the bug are expected to be made public by the end of the month.
The flaw is essentially rooted in a data structure called maple tree, which was introduced in Linux kernel 6.1 as a replacement for red-black tree (rbtree) to manage and store virtual memory areas (VMAs), a contiguous range of virtual addresses that could be the contents of a file on disk or the memory a program uses during execution.
UPCOMING WEBINAR
🔐 Privileged Access Management: Learn How to Conquer Key Challenges
Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.
Reserve Your Spot
Specifically, it’s described as a use-after-free bug that could be exploited by a local user to compromise the kernel and escalate their privileges by taking advantage of the fact that the maple tree “can undergo node replacement without properly acquiring the MM write lock.”
“Anyway, I think I want to actually move all the stack expansion code to a whole new file of its own, rather than have it split up between mm/mmap.c and mm/memory.c, but since this will have to be backported to the initial maple tree VMA introduction anyway, I tried to keep the patches _fairly_ minimal,” Torvalds noted.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Ubuntu Security Notice 6250-1 - Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. It was discovered that the IP-VLAN network driver for the Linux kernel did not properly initialize memory in some situations, leading to an out-of- bounds write vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6249-1 - Ruihan Li discovered that the memory management subsystem in the Linux kernel contained a race condition when accessing VMAs in certain conditions, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service or execute arbitrary code. Querijn Voet discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.
Linus Torvalds led a Linux kernel team in developing a set of patches for the privilege escalation flaw.
Debian Linux Security Advisory 5448-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.