Privilege escalation in Linux: Local users can read foreign files
The vulnerability was known for years, fixed Thursday. Hours later, an exploit is available as the kernel team prepares countermeasures.
(Image: Tux by Larry Ewing/GIMP)
This is the fourth security vulnerability in just a few days that allows local Linux users to escalate their privileges. A security researcher nicknamed _SiCK published several examples on GitHub that exploit a flaw in the Linux kernel's memory management by winning a race condition.
The example (Proof of Concept – PoC) with arguably the strongest impact is ssh-keysign-pwn, which reads the machine's SSH private key. Under normal circumstances, this is only readable by the root user. Further PoC exploits exist for "chage," which reads the password file /etc/shadow during its execution – and are in principle conceivable for any other executable file that runs with root privileges (setuid root).
The security vulnerability is hidden deep within the Linux kernel's memory and process management. The ptrace_may_access() function fails open (it grants access instead of denying it) for processes that are being terminated. If the exploit wins the race condition, it can read files that the dying process had previously opened, such as /etc/shadow or /etc/ssh/ssh_host_key, despite lacking the permissions to do so.
The error was discovered by the security company Qualys and fixed by Linux maintainer Torvalds late on Thursday afternoon. Shortly thereafter, grsecurity founder Brad Spengler became aware of the error, dedicated a brief analysis to it on the social network X, and thus sparked the ambition of security researcher _SiCK. The security vulnerability has not yet been assigned a CVE identifier.
The error had already been noticed several years ago by Google security expert Jann Horn, who had provided a suggestion for a fix at the time. However, it was not implemented.
Big button for kernel releases
Meanwhile, kernel maintainer Greg Kroah-Hartman wrote on the Fediverse that he had upgraded his equipment: he now has a "big button" on his desk to trigger the release of a new kernel version. The button would have come in handy for today's kernel releases, Kroah-Hartman continues with a touch of self-irony. In fact, Linux kernel 7.0.8 contains nothing but the fix for the security vulnerability exploited by ssh-keysign-pwn.
The large and small Linux distributions will now have to package and ship the fix in new kernel packages, which typically takes some time. Until then, system administrators can at least apply a workaround for all currently known variants of the security vulnerability using the command "echo 3 > /proc/sys/kernel/yama/ptrace_scope".
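The following script is an added example, not part of the article: it reports whether the Yama ptrace_scope workaround mentioned above is already in place and can apply it. The Yama scope meanings, the note that scope 3 cannot be lowered again without a reboot, and the persistence via /etc/sysctl.d are assumptions from the kernel's Yama documentation, not from the article; the script assumes the Yama LSM is enabled and that applying requires root.

```shell
#!/bin/sh
# Added example: check and apply the Yama ptrace_scope workaround from the article.
# YAMA_SCOPE_FILE can be overridden (e.g. for testing against a constructed file).
YAMA_SCOPE_FILE="${YAMA_SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}"

# Print the current ptrace_scope value read from $1 (defaults to the live sysctl file).
read_ptrace_scope() {
    f="${1:-$YAMA_SCOPE_FILE}"
    [ -r "$f" ] || { echo "missing"; return 1; }
    tr -d '[:space:]' < "$f"
}

# Succeed (exit 0) only if the value is 3, the setting used by the article's workaround.
ptrace_workaround_applied() {
    v=$(read_ptrace_scope "$1") || return 1
    [ "$v" = "3" ]
}

# Describe a scope value in Yama terms (assumed semantics from the Yama documentation).
describe_scope() {
    case "$1" in
        0) echo "0: classic ptrace permissions, workaround NOT applied" ;;
        1) echo "1: restricted ptrace (descendants only), workaround NOT applied" ;;
        2) echo "2: admin-only (CAP_SYS_PTRACE), workaround NOT applied" ;;
        3) echo "3: no ptrace attach, workaround applied (cannot be lowered without reboot)" ;;
        *) echo "$1: unknown value, or Yama not available on this kernel" ;;
    esac
}

# Persist the setting across reboots, then apply it live (the article's echo command).
apply_workaround() {
    printf 'kernel.yama.ptrace_scope = 3\n' > /etc/sysctl.d/99-ptrace-scope.conf
    echo 3 > "$YAMA_SCOPE_FILE"
}

# Usage: ./ptrace-scope.sh [status|apply]   (status is the default and only reads)
case "${1:-status}" in
    status) describe_scope "$(read_ptrace_scope)" ;;
    apply)  apply_workaround && describe_scope "$(read_ptrace_scope)" ;;
esac
```

Because scope 3 cannot be lowered again without a reboot, run the status check first and plan debugger and profiler usage around the setting before applying it fleet-wide.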
(cku)