
Post: Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution

The vulnerability affecting Linux kernels prior to version 5.0.8, identified as CVE-2019-11815, is a significant security flaw. It is a race condition leading to a use-after-free error in the net/rds/tcp.c file, which can be exploited for remote code execution (RCE) and denial-of-service (DoS) attacks.

This vulnerability arises when the system attempts to reference memory after it has already been freed. Attackers can exploit this flaw by sending specially crafted TCP packets, causing the system to crash or execute arbitrary code. The issue primarily impacts systems where the Reliable Datagram Sockets (RDS) module is loaded.

The National Institute of Standards and Technology (NIST) assigned this vulnerability a high severity base score of 8.1, indicating significant potential impact. However, the complexity of the exploit reduces its likelihood of being successfully leveraged in real-world attacks, reflected by a lower exploitability score of 2.2.

Linux kernel developers released a patch for this vulnerability in late March 2019, and it was included in the Linux kernel version 5.0.8, released on April 17, 2019. Users running affected versions are strongly advised to update to at least version 5.0.8 or apply the mitigation measures recommended by their Linux distribution providers (BleepingComputer, (I)IoT Security News, InfoSec News, Security Affairs).


Update: Added a link HERE to possible mitigation measures as recommended by Red Hat for a local privilege escalation security flaw found in the Reliable Datagram Sockets (RDS) module during 2010.

Update: TrendMicro has a blog post detailing how this vulnerability works in more detail and that the chances of it being exploited are “essentially zero.”

Linux machines running distributions powered by kernels prior to 5.0.8 are affected by a race condition vulnerability leading to a use after free, related to net namespace cleanup, exposing vulnerable systems to remote attacks.

Potential attackers could exploit the security flaw found in Linux kernel’s rds_tcp_kill_sock TCP/IP implementation in net/rds/tcp.c to trigger denial-of-service (DoS) states and to execute code remotely on vulnerable Linux machines.

The attacks can be launched with the help of specially crafted TCP packets sent to vulnerable Linux boxes which can trigger use-after-free errors and enable the attackers to execute arbitrary code on the target system.

The remotely exploitable vulnerability has been assigned an 8.1 high severity base score by NIST’s NVD. It is tracked as CVE-2019-11815 (Red Hat, Ubuntu, SUSE, and Debian) and could be abused by unauthenticated attackers without interaction from the user.


Luckily, because the attack complexity is high, the vulnerability received an exploitability score of 2.2 while the impact score is limited to 5.9.

According to the CVSS 3.0 impact metrics, the CVE-2019-11815 flaw comes with high confidentiality, integrity, and availability impact, which makes it possible for would-be attackers to gain access to all resources, modify any files, and deny access to resources after successfully exploiting the vulnerability.

As detailed in the Common Weakness Enumeration (CWE) software security weaknesses database, a use-after-free flaw is caused by an attempt to reference memory after it has already been freed, causing the software “to crash, use unexpected values, or execute code.”

The Linux kernel developers issued a patch for the CVE-2019-11815 issue in late March and fixed the flaw in Linux kernel version 5.0.8, released on April 17.

Mitigation measures:

Because the vulnerability affects only systems where the Reliable Datagram Sockets (RDS) module is present and loaded, users can check whether their Linux-powered machine is impacted and apply the mitigation measures available as part of the CVE-2010-3904 advisory published by Red Hat.
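A quick triage of the two conditions above (kernel older than 5.0.8, RDS modules loaded), as an added example that is not from the original post or from Red Hat's advisory. The function names and the sample `/proc/modules` text are constructed, and it assumes the TCP transport built from net/rds/tcp.c appears as `rds_tcp` alongside the core `rds` module.

```shell
#!/bin/sh
# Added example: triage for CVE-2019-11815 exposure (kernel < 5.0.8 AND RDS loaded).

# Constructed sample of /proc/modules content (not captured from a real host).
SAMPLE_MODULES='rds_tcp 28672 0 - Live 0x0000000000000000
rds 147456 1 rds_tcp, Live 0x0000000000000000
ext4 745472 2 - Live 0x0000000000000000'

# Succeeds when the upstream part of a kernel release string is below 5.0.8.
# Distribution kernels backport fixes, so "older" means "check the vendor
# advisory", not "certainly vulnerable".
kernel_older_than_508() {
    base=${1%%[!0-9.]*}            # "4.15.0-47-generic" -> "4.15.0"
    old_ifs=$IFS; IFS=.
    set -- $base                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 5 ] && return 0
    [ "$major" -gt 5 ] && return 1
    [ "$minor" -gt 0 ] && return 1
    [ "$patch" -lt 8 ]
}

# Prints the RDS-related module names found in /proc/modules-style text.
# Assumption: the affected transport is listed as "rds_tcp", the core as "rds".
rds_modules_loaded() {
    printf '%s\n' "$1" | awk '$1 == "rds" || $1 == "rds_tcp" { print $1 }'
}

# assess KERNEL_RELEASE MODULES_TEXT -> prints one verdict word.
assess() {
    loaded=$(rds_modules_loaded "$2")
    if ! kernel_older_than_508 "$1"; then
        echo "version-not-affected"
    elif [ -n "$loaded" ]; then
        echo "exposed"
    else
        echo "rds-not-loaded"
    fi
}

# Live check on this host, skipped where /proc/modules is unavailable.
if [ -r /proc/modules ]; then
    echo "$(uname -r): $(assess "$(uname -r)" "$(cat /proc/modules)")"
fi
```

A `rds-not-loaded` verdict describes the current state only; the module can still be loaded later unless loading is blocked as the distribution advises.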

MiTM vulnerabilities leading to code execution patched in APT

Back in late-January, a code execution flaw impacting the APT high-level package manager used by Debian, Ubuntu, and other related Linux distributions was also patched.

At the time, the vulnerability was described as a “content injection in http method.” It is tracked as CVE-2019-3462 and leads to man-in-the-middle attacks once exploited, making it possible for attackers to use it later for “code execution with root privileges on the target machine.”

A very similar issue that could lead to arbitrary code execution was also discovered by Google Project Zero’s Jann Horn in December 2016, a flaw which got patched in the 1.0.9.8.4 and 1.4~beta2 versions of APT.

About the Author: Bernard Aybout (Virii8)
