Linux kernel gets patch for 11-year-old local-root-hole security bug
DCCP code cockup lay unnoticed since 2005
Eleven years ago or thereabouts, the Linux kernel got support for the Datagram Congestion Control Protocol – and also got a privilege escalation bug that has just been fixed.
Like basically every root hole, this flaw can potentially be exploited by malicious software already running on a vulnerable device, or by an ordinary logged-in user, to gain root-level access and fully compromise the computer. On its own it is a local privilege escalation; chained with a remote-code execution vulnerability it can be used to take over a box from across the network or internet.
Kernel developer Andrey Konovalov announced the fix for the bug on the Open Source Security Mailing List, explaining the programming blunder probably dates to October 2005 when Linux first got Datagram Congestion Control Protocol (DCCP) support.
The problem is how the DCCP code handles a socket buffer (skb). “An skb for a DCCP_PKT_REQUEST packet is forcibly freed via __kfree_skb in dccp_rcv_state_process if dccp_v6_conn_request successfully returns,” Konovalov writes.
The bug is that, when the IPV6_RECVPKTINFO option is set on the socket, dccp_v6_conn_request has already stashed the skb's address and incremented its reference counter before that point, and __kfree_skb frees the buffer regardless of the counter. The stashed pointer therefore refers to memory the kernel has already given back to the allocator. Yes, this is a use-after-free.
With an exploit, he writes: “An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel.”
The code for the fix is here. Users are advised to update their kernel as soon as the patch lands in their distro; running the usual update cycle should bring it in. You should also check whether the buggy DCCP support is actually present in your kernel. If it is not compiled in at all, the bug is unreachable. If it is built as a module, blocking that module from loading (with a modprobe install rule, not merely unloading it) also keeps the bug out of reach, because the kernel will otherwise load the module automatically the moment a program creates a DCCP socket, which is exactly what an exploit does. If DCCP is compiled into the kernel image, only the patch will fix it. ®
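The check described above, as an added example that is not part of the original article or of the kernel tree: a small POSIX shell script that classifies how DCCP is built from a kernel config file (the real Kconfig symbol is CONFIG_IP_DCCP; the module names dccp, dccp_ipv4 and dccp_ipv6 are the kernel's own) and whether a modprobe install rule keeps the module from loading. The function names, the file paths in the usage comments and the sample inputs are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the article or the kernel project): inspect how DCCP
# is built and whether modprobe is configured to refuse to load it.

# dccp_build_state CONFIG_FILE
# Prints "builtin", "module" or "absent" from the CONFIG_IP_DCCP line.
dccp_build_state() {
    if grep -q '^CONFIG_IP_DCCP=y' "$1" 2>/dev/null; then
        echo builtin
    elif grep -q '^CONFIG_IP_DCCP=m' "$1" 2>/dev/null; then
        echo module
    else
        echo absent
    fi
}

# dccp_install_blocked MODPROBE_DIR
# Succeeds if some *.conf in the directory carries an "install dccp ..." rule.
# Such a rule makes modprobe run that command instead of loading the module,
# whether the load was requested by name or by alias. A bare "blacklist dccp"
# line only affects loading via the module's aliases, so it is the weaker
# control and is deliberately not accepted here.
dccp_install_blocked() {
    grep -qs '^[[:space:]]*install[[:space:]][[:space:]]*dccp[[:space:]]' "$1"/*.conf
}

# dccp_exposure CONFIG_FILE MODPROBE_DIR
# Prints one of:
#   not-affected      DCCP is not built at all
#   exposed-builtin   DCCP is in the kernel image; only the patch helps
#   exposed-module    DCCP is a module and nothing stops it loading; an
#                     unloaded module is no defence, because creating a DCCP
#                     socket makes the kernel request the module itself
#   mitigated-module  DCCP is a module and an install rule blocks it
dccp_exposure() {
    case "$(dccp_build_state "$1")" in
        absent)  echo not-affected ;;
        builtin) echo exposed-builtin ;;
        module)
            if dccp_install_blocked "$2"; then
                echo mitigated-module
            else
                echo exposed-module
            fi ;;
    esac
}

# dccp_blacklist_conf
# Prints the modprobe.d fragment an admin would drop in as a stopgap.
dccp_blacklist_conf() {
    cat <<'EOF'
# Stopgap for the DCCP use-after-free: never load the DCCP modules.
install dccp /bin/true
install dccp_ipv4 /bin/true
install dccp_ipv6 /bin/true
EOF
}

# Demo on constructed inputs. On a live system the same check would be
#   dccp_exposure "/boot/config-$(uname -r)" /etc/modprobe.d
# (assumed paths; adjust for your distro).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/modprobe.d"
printf 'CONFIG_NET=y\nCONFIG_IP_DCCP=m\n' > "$demo_dir/config"   # constructed
printf 'Before mitigation: %s\n' "$(dccp_exposure "$demo_dir/config" "$demo_dir/modprobe.d")"
dccp_blacklist_conf > "$demo_dir/modprobe.d/dccp.conf"
printf 'After mitigation:  %s\n' "$(dccp_exposure "$demo_dir/config" "$demo_dir/modprobe.d")"
rm -rf "$demo_dir"
```

The script only reads files, so it can be run as an unprivileged user; writing the generated fragment into /etc/modprobe.d needs root, and it is a stopgap until the patched kernel is installed, not a substitute for it.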