Vulnerability Note VU#470151

Linux Kernel local privilege escalation via SUID /proc/pid/mem write

Original Release date: 27 Jan 2012 | Last revised: 24 Jul 2014

Overview

Linux kernel versions 2.6.39 and later incorrectly handle the permissions for /proc/<pid>/mem. A local, authenticated attacker could exploit this vulnerability to escalate to root privileges. Exploit code is available in the wild and there have been reports of active exploitation.

Description

/proc/<pid>/mem is an interface for reading and writing process memory. The checks meant to prevent unprivileged users from writing to process memory were found to be insufficient, and the interface has been exploited as a result. By writing to the memory of a SUID process, an attacker can run arbitrary code with root privileges. Further technical details can be found in Jason A. Donenfeld's ZX2C4 blog post.

Impact

A local, authenticated attacker may be able to gain root privileges on the system.

Solution

Apply an update

Linus Torvalds has provided patch commit e268337dfe26dfc7efd422a804dbb27977a3cccc to address this vulnerability. Kernel versions 3.0.18 and 3.2.2 include this commit so far.

Users who obtain the Linux kernel from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.
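
The following shell functions are an added example, not part of the original note: they triage a kernel release string against the versions named above (affected from 2.6.39; commit included in 3.0.18 and 3.2.2). The function names and result labels are hypothetical, and because vendor kernels may carry the commit under a different version number, an "affected-range" result means the vendor's own advisory should be checked.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the versions
# named in this note. Function names and labels are hypothetical.

# Pack "major.minor.patch" into one integer so releases compare numerically.
ver_num() {
    v=${1%%-*}                      # drop vendor suffix, e.g. "-generic"
    old_ifs=$IFS; IFS=.
    set -- $v                       # split on dots into $1 $2 $3
    IFS=$old_ifs
    maj=${1%%[!0-9]*}; min=${2%%[!0-9]*}; pat=${3%%[!0-9]*}
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Result labels:
#   not-in-affected-range  older than 2.6.39
#   fixed-upstream         3.0.x >= 3.0.18 or 3.2.x >= 3.2.2
#   affected-range         2.6.39 through the 3.2 series without a listed fix
#                          (vendor kernels may have backported the commit)
#   unlisted               newer series this note does not mention
classify_kernel() {
    n=$(ver_num "$1")
    branch=$(( n / 1000 ))          # major * 1000 + minor
    if   [ "$n" -lt 2006039 ]; then
        echo "not-in-affected-range"
    elif [ "$branch" -eq 3000 ] && [ "$n" -ge 3000018 ]; then
        echo "fixed-upstream"
    elif [ "$branch" -eq 3002 ] && [ "$n" -ge 3002002 ]; then
        echo "fixed-upstream"
    elif [ "$n" -le 3002999 ]; then
        echo "affected-range"
    else
        echo "unlisted"
    fi
}

# Constructed sample release strings, followed by the running kernel.
for r in 2.6.38 2.6.39 3.0.17 3.0.18 3.1.10 3.2.1 3.2.2 "$(uname -r)"; do
    printf '%-28s %s\n' "$r" "$(classify_kernel "$r")"
done
```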

Vendor Information

Vendor                 Status        Date Notified  Date Updated
CentOS                 Affected      -              27 Jan 2012
Gentoo Linux           Affected      -              28 Jan 2012
Red Hat, Inc.          Affected      -              27 Jan 2012
Ubuntu                 Affected      -              27 Jan 2012
Debian GNU/Linux       Not Affected  -              27 Jan 2012
Slackware Linux Inc.   Unknown       -              27 Jan 2012
SUSE Linux             Unknown       -              27 Jan 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           6.8    AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal       5.6    E:F/RL:OF/RC:C
Environmental  5.6    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

Credit

Jüri Aedla reported this vulnerability to the Linux kernel developers.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-0056
  • Date Public: 17 Jan 2012
  • Date First Published: 27 Jan 2012
  • Date Last Updated: 24 Jul 2014
  • Severity Metric: 15.32
  • Document Revision: 14