Linux Kernel Flaw Coughs Up Root Rights

win32sux · 10-21-2010, 11:42 PM

Quote:

The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system.

The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included.

According to VSR Security, the research outfit that discovered the security hole, Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.

Complete Article

Thanks to Slashdot for covering this.

kbp · 10-22-2010, 01:02 AM

Yeah .. I tested this yesterday, pain in the bum. Here's a quick remediation for Red Hat based distros:

Code:

modprobe -r rds

cat <<EOF> /etc/modprobe.d/disable-rds.conf 
install net-pf-21 /bin/true
EOF

H_TeXMeX_H · 10-22-2010, 08:10 AM

Interesting, however:

Code:

bash-4.1$ zcat /proc/config.gz | grep CONFIG_RDS
# CONFIG_RDS is not set

MensaWater · 10-22-2010, 08:30 AM

Redhat's reference to this is at:
http://www.redhat.com/security/data/...2010-3904.html

It references a bugzilla entry at Redhat. The security response to that says:

Quote:

Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat
Enterprise MRG did not include support for the RDS Protocol, and therefore are
not affected by this issue. Future kernel updates in Red Hat Enterprise Linux 5
may address this flaw.

Mitigation:

For users that do not run applications that use RDS, you can prevent the rds
module from being loaded by adding the following entry to the end of the
/etc/modprobe.d/blacklist file:

blacklist rds

This way, the rds module cannot be loaded accidentally, which may occur if an
application that requires RDS is started. A reboot is not necessary for this
change to take effect but do make sure the module is not loaded in the first
place. You can verify that by running:

lsmod | grep rds

You may also consider removing the CAP_SYS_MODULE capability from the current
global capability set to prevent kernel modules from being loaded or unloaded.
The CAP_SYS_MODULE has a capability number of 16 (see linux/capability.h). The
default value has all the bits set. To remove this capability, you have to
clear the 16th bit of the default 32-bit value, e.g. 0xffffff ^ (1 << 16):

echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

Since CentOS is downstream of RHEL the above should be true for it as well.

If you're using Fedora you'd probably want to see what they say about it since they typically use higher kernel levels than RHEL.

On checking all my Linux systems I don't see rds loaded. I'm not sure what applications rely on rds but apparently we aren't running any currently.