
Topic: Security Alert: possible privilege escalation in Linux < 3.14.4

musca
Hello dear siductians!

There is a CVE for recent Linux kernels: a race condition leads to DoS or privilege escalation.
If you want to take action, please do a dist-upgrade or install linux-image-3.14-3.towo.2-siduction-[amd64|686|686-pae] and its headers.
You need to reboot into the new kernel.

Thanks towo` for quickly uploading a patched kernel. Well done!

greetings
musca

[Edit]
Kernel versions not affected:
3.14-3.towo.2
3.14-4
3.15.rc5
« Last Edit: 2014/05/14, 12:32:37 by musca »
"Man errs as long as he strives." (Goethe, Faust)

bluelupo
Re: Security Alert: possible privilege escalation in Linux
« Reply #1 on: 2014/05/12, 17:49:56 »
@towo: Really very quick to respond to the error in the kernel. Good work!

terroreek
Re: Security Alert: possible privilege escalation in Linux
« Reply #2 on: 2014/05/12, 18:06:53 »
Thank you Towo.

ayla
Re: Security Alert: possible privilege escalation in Linux
« Reply #3 on: 2014/05/12, 18:56:06 »
The fix is not available on the uni-stuttgart mirror at the moment; whoever wants to upgrade immediately should use berlin.

melmarker
Re: Security Alert: possible privilege escalation in Linux
« Reply #4 on: 2014/05/12, 19:46:19 »
Did I understand the bug correctly? This local thing? Isn't update panic a bit out of place here and possibly exaggerated?

Please, don't panic.
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlon's razor)

michaa7
Re: Security Alert: possible privilege escalation in Linux
« Reply #5 on: 2014/05/12, 20:04:06 »
Thanks towo, good work.

But melma(r)ker is right, don't panic, it's only locally triggerable, dude ;-)

But it seems it is triggerable if someone gets remote access as a user (via a buggy webserver or the like). See here (German only, sorry): Kernels since 2.36.1-rc3 are affected!

Still, the patched kernel is very much appreciated!

(And if you don't find the kernel, it's 686, not i386 at the end of the name)

« Last Edit: 2014/05/12, 20:18:06 by michaa7 »
Ok, you can't code, but you still might be able to write a bug report for Debian's sake

musca
Re: Security Alert: possible privilege escalation in Linux
« Reply #6 on: 2014/05/13, 12:35:25 »
Hello,

Only a few attacks knock out security with a simple "remote code execution with root rights" in one step. Many attacks include a two-step approach: first take control of a user's code execution, then gain root privilege.

Now imagine how hackers will prepare such attacks: they are silently developing their methods to activate their own code, and then they are waiting for the opportunity to become root. Not patching a known privilege escalation bug makes it easier for them to attack their target systems.

I think the alert shows our responsiveness and as a result there is no panic.
Doing a dist-upgrade or installing a kernel is just standard procedure.
@michaa7, thanks for the hint, I'll update the name.

greetings
musca
"Man errs as long as he strives." (Goethe, Faust)

musca
Re: Security Alert: possible privilege escalation in Linux
« Reply #7 on: 2014/05/13, 16:58:30 »
Hello,

I was curious about the sample exploit code and tried it.
I created a snapshot of my virtual machine, so I can easily delete the compromised state afterwards.

In the first attempt the virtual machine froze, but in the second attempt:
Code:
user@sidubox:~/cve$ gcc cve-2014-0196-md.c -lutil -lpthread
user@sidubox:~/cve$ ./a.out
[+] Resolving symbols
[+] Resolved commit_creds: 0xffffffff8105e5bb
[+] Resolved prepare_kernel_cred: 0xffffffff8105e8af
[+] Doing once-off allocations
[+] Attempting to overflow into a tty_struct....
[+] Got it :)
root@sidubox:~/cve# whoami
root
root@sidubox:~/cve# id
uid=0(root) gid=0(root) Gruppen=0(root)
root@sidubox:~/cve# uname -a
Linux sidubox 3.14-3.towo-siduction-amd64 #1 SMP PREEMPT Tue May 6 20:46:12 UTC 2014 x86_64 GNU/Linux
root@sidubox:~/cve#
It took quite some seconds of time.

Now reverting to the clean snapshot.
greetings
musca
"Man errs as long as he strives." (Goethe, Faust)