[kernel-xen] Kernel Local Privilege Escalation - CVE-2016-5195

Steven Haigh netwiz at crc.id.au
Fri Oct 21 01:01:20 AEDT 2016


(Reproduced below)

Red Hat Product Security has been made aware of a vulnerability in the
Linux kernel that has been assigned CVE-2016-5195. This issue was
publicly disclosed on October 19, 2016 and has been rated as Important.

Background Information

A race condition was found in the way the Linux kernel's memory
subsystem handled the copy-on-write (COW) breakage of private read-only
memory mappings. An unprivileged local user could use this flaw to gain
write access to otherwise read-only memory mappings and thus increase
their privileges on the system.

This could be abused by an attacker to modify existing setuid files with
instructions to elevate privileges. An exploit using this technique has
been found in the wild.

Impacted Products

The following Red Hat Product versions are impacted:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise MRG 2

Attack Description and Impact

This flaw allows an attacker with a local system account to modify
on-disk binaries, bypassing the standard permission mechanisms that
would prevent modification without an appropriate permission set. This
is achieved by racing the madvise(MADV_DONTNEED) system call while
having the page of the executable mmapped in memory.

Take Action

All Red Hat customers running the affected versions of the kernel are
strongly recommended to update the kernel as soon as patches are
available. Details about impacted packages as well as recommended
mitigation are noted below. A system reboot is required in order for the
kernel update to be applied.
----------- END ADVICE -----------

Possible mitigation for the issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

This is resolved in kernel-xen-4.4.26-1

-- 
Steven Haigh

Email: netwiz at crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
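The post names kernel-xen-4.4.26-1 as the release carrying the fix and notes that the update only takes effect after a reboot. The following POSIX sh script is an added example, not part of the post or of Red Hat's advisory: it classifies a running kernel release string against that fixed version, and reports "reboot-required" when a fixed kernel is installed but the older one is still running. The fixed version 4.4.26 is taken from the post; everything else (the function names, the sample release strings, the `--live` mode) is assumed for illustration. It only judges the upstream version number, so a distribution kernel that carries the fix as a backport (for example a RHEL 3.10.0 kernel) needs its package changelog checked instead of this numeric test.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Red Hat advisory).
# Compares kernel release strings against the kernel-xen release the post
# names as fixed for CVE-2016-5195 and reports whether a reboot is pending.

FIXED_VERSION="4.4.26"   # from the post: "resolved in kernel-xen-4.4.26-1"

# kernel_base_version "4.4.26-1.el7.x86_64" -> "4.4.26"
# Strips everything from the first character that is not a digit or a dot.
kernel_base_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# version_ge A B -> exit status 0 if A >= B, comparing each dotted
# component numerically; a missing component counts as 0 (4.4 == 4.4.0).
version_ge() {
    vg_a="$1"; vg_b="$2"
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_ai="${vg_a%%.*}"; vg_bi="${vg_b%%.*}"
        [ -n "$vg_ai" ] || vg_ai=0
        [ -n "$vg_bi" ] || vg_bi=0
        if [ "$vg_ai" -gt "$vg_bi" ]; then return 0; fi
        if [ "$vg_ai" -lt "$vg_bi" ]; then return 1; fi
        case "$vg_a" in *.*) vg_a="${vg_a#*.}";; *) vg_a="";; esac
        case "$vg_b" in *.*) vg_b="${vg_b#*.}";; *) vg_b="";; esac
    done
    return 0   # all components equal
}

# kernel_fixed RELEASE -> 0 if RELEASE's upstream version is >= FIXED_VERSION
kernel_fixed() {
    version_ge "$(kernel_base_version "$1")" "$FIXED_VERSION"
}

# cow_status RUNNING NEWEST_INSTALLED prints one of:
#   fixed            the running kernel is at or above the fixed release
#   reboot-required  a fixed kernel is installed but the old one still runs
#   not-fixed        neither the running nor the installed kernel reaches it
#                    (a backported fix in an older version string is not seen)
cow_status() {
    if kernel_fixed "$1"; then
        echo fixed
    elif kernel_fixed "$2"; then
        echo reboot-required
    else
        echo not-fixed
    fi
}

# Live mode (assumed usage): ./cowcheck.sh --live [NEWEST_INSTALLED_RELEASE]
# The second argument is the newest installed kernel release as reported by
# the package manager; without it, only the running kernel is judged.
if [ "${1:-}" = "--live" ]; then
    running="$(uname -r)"
    newest="${2:-$running}"
    echo "running=$running installed=$newest status=$(cow_status "$running" "$newest")"
fi
```

The constructed release strings in the test cover the three outcomes: the fixed kernel-xen release itself, an older kernel-xen with the fixed package staged for the next boot, and a 3.10.0 release string that this numeric check cannot vouch for.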


