The Linux kernel has a significant vulnerability in its handling of Position Independent Executables (PIE), specifically in the load_elf_binary function of the ELF loader. The flaw allows a local attacker to corrupt the stack buffer, which can lead to privilege escalation: an attacker who exploits it could gain elevated system permissions and potentially take control of the system. This is a substantial risk, particularly in environments where local access to the system is already available.
The flaw affects several versions of the Linux kernel that carry the vulnerable load_elf_binary code. Affected systems include Red Hat Enterprise Linux 5 and 6, as well as RHEL 7 releases with kernels prior to version 3.10.0-693. The issue also extends to the Linux kernel-rt packages used for real-time applications. Systems running these versions are at risk, especially where privileged PIE binaries are present that a local user could exploit to escalate privileges.
To mitigate this vulnerability, system administrators are advised to upgrade to the patched kernel versions that address the flaw; Red Hat has released kernel updates and security patches for the affected versions. In addition, strict access controls should be in place to limit who can obtain local access, and system monitoring tools should be used to detect signs of privilege escalation attempts. Together these measures reduce the chance of exploitation and protect sensitive system resources.
As an immediate workaround, setting the sysctl parameter vm.legacy_va_layout = 1 switches the kernel to the legacy memory layout, which places the stack and the PIE executable mapping far apart and so prevents exploitation. Caution is advised, however: the legacy layout may interfere with applications that require large address spaces, such as certain databases, so test thoroughly before applying this workaround on production systems.
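The following POSIX shell snippet is an added example, not part of the original advisory or of any Red Hat tooling. It checks whether the legacy layout is active on the running kernel, renders a sysctl drop-in so the setting persists across reboots, and applies it at runtime. The PROC_ROOT variable and the drop-in file name 99-legacy-va-layout.conf are assumptions chosen for this example; PROC_ROOT exists only so the check can be pointed at a constructed file instead of the live /proc tree.

```shell
#!/bin/sh
# Added example: verify and apply the vm.legacy_va_layout = 1 workaround.
# PROC_ROOT is an assumption for this example; it defaults to the real
# /proc/sys tree but can be overridden to test against a constructed file.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Return 0 when the legacy mmap layout is active (workaround in effect),
# 1 when it is not, and 2 when the knob cannot be read at all.
legacy_va_layout_active() {
    f="$PROC_ROOT/vm/legacy_va_layout"
    [ -r "$f" ] || return 2
    val=$(tr -d '[:space:]' < "$f")
    [ "$val" = "1" ]
}

# Emit the sysctl drop-in content that makes the workaround persistent.
render_sysctl_dropin() {
    printf '# Workaround: legacy mmap layout keeps the stack and PIE mappings apart\n'
    printf 'vm.legacy_va_layout = 1\n'
}

# Persist the drop-in under the given sysctl.d directory (default
# /etc/sysctl.d, an assumption for this example) and apply it at runtime.
# Both steps require root privileges.
apply_workaround() {
    dir="${1:-/etc/sysctl.d}"
    render_sysctl_dropin > "$dir/99-legacy-va-layout.conf"
    sysctl -w vm.legacy_va_layout=1
}

# Report the current state when run directly; applying is left to the
# administrator, since it changes the memory layout for every new process.
if legacy_va_layout_active; then
    echo "vm.legacy_va_layout=1: legacy layout active, workaround in effect"
else
    echo "vm.legacy_va_layout is not 1: workaround not applied (run apply_workaround as root)"
fi
```

Run the script as-is to audit a host; call `apply_workaround` (as root) to enable the setting, and re-run the audit afterwards, since `sysctl -w` takes effect immediately while the drop-in covers the next boot.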