The Linux kernel contains a local privilege escalation vulnerability, CVE-2017-6074. A local attacker can achieve root access by sending a crafted packet to a socket which handles IPv6 on the system.
Exploitation
Stages
- A local user exploits a use-after-free vulnerability in the Linux kernel via a kernel heap spraying technique.
- If the overwritten object has any function pointers that can be triggered, the attacker can execute code within the kernel.
Prerequisites
- Local unprivileged account on the vulnerable system.
- CONFIG_IP_DCCP needs to be built in the kernel.
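A defender-side check of the CONFIG_IP_DCCP prerequisite above, as an added example that is not part of the original advisory or of Alert Logic's tooling: it classifies a host as not-built, builtin, module-loaded, module-blocked or module-loadable. The function names, the input file locations and the `install dccp /bin/true` modprobe override are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify DCCP exposure for CVE-2017-6074 from three inputs.
# Assumed inputs: a plain-text kernel config (e.g. /boot/config-$(uname -r)),
# a file in /proc/modules format, and a modprobe.d-style directory.

dccp_config_state() {   # $1 = kernel config file
    [ -r "$1" ] || { echo unknown; return; }
    if grep -q '^CONFIG_IP_DCCP=y' "$1"; then echo builtin
    elif grep -q '^CONFIG_IP_DCCP=m' "$1"; then echo module
    else echo not-built     # absent or "# CONFIG_IP_DCCP is not set"
    fi
}

dccp_module_loaded() {  # $1 = file in /proc/modules format
    grep -Eqs '^dccp(_ipv4|_ipv6)? ' "$1"
}

dccp_module_blocked() { # $1 = modprobe.d directory
    # Assumption: loading is blocked with "install dccp /bin/true" (or false).
    grep -Eqs '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)' "$1"/*.conf
}

dccp_exposure() {       # $1 = config, $2 = modules file, $3 = modprobe.d dir
    state=$(dccp_config_state "$1")
    # builtin, not-built and unknown need no module checks.
    if [ "$state" != module ]; then echo "$state"; return; fi
    if dccp_module_loaded "$2"; then echo module-loaded
    elif dccp_module_blocked "$3"; then echo module-blocked
    else echo module-loadable   # an unprivileged socket() call can autoload it
    fi
}

# Constructed sample host: DCCP built as a module, not loaded, loading blocked.
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
printf 'CONFIG_IPV6=y\nCONFIG_IP_DCCP=m\n' > "$demo/config"
printf 'ext4 585728 2 - Live 0x0000000000000000\n' > "$demo/modules"
printf 'install dccp /bin/true\n' > "$demo/modprobe.d/dccp.conf"
dccp_exposure "$demo/config" "$demo/modules" "$demo/modprobe.d"
```

On a real host the three arguments would typically be `/boot/config-$(uname -r)`, `/proc/modules` and `/etc/modprobe.d`; a result of builtin, module-loaded or module-loadable means the prerequisite is met and the kernel needs the patch.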
Vulnerability Description
There is a use-after-free vulnerability in the Linux kernel. It resides within the DCCP implementation, which frees SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local attacker can leverage this vulnerability to escalate their privileges to root on the vulnerable system. From this point the attacker can affect the confidentiality, integrity, and availability of the system’s data.
Note: Unsuccessful attempts will cause the kernel to crash, creating a Denial of Service (DoS) condition.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch™ for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
Recommendations for Mitigation
Upon discovery of a successful exploit, customers are expected to take normal reasonable action in accordance with their own standard operating procedures, such as:
- Isolate the compromised device from the network
- Wipe and reinstall the device from secure media
- Patch the vulnerability from a trusted source (or otherwise mitigate with a firewall, configuration, etc.)
- Replace data from backups
- Restrict access to trusted users on the system
- Test the device
- Return the compromised device to the network and full operation