Time to Patch: 'Stack Clash' Vulnerability Affects Wide Range of Unix-like OSes
Researchers haven't yet been able to remotely execute the vulnerability, but they haven't ruled out the possibility.
June 20, 2017
There's a new exploit in town that affects a variety of Unix-like operating systems, including Linux, OpenBSD, NetBSD, FreeBSD and Solaris running on 32-bit and 64-bit x86. According to Qualys, which discovered the flaw, other operating systems and architectures may also be vulnerable as well, but haven't been researched yet. Evidently the exploit was discovered back in May but wasn't made public until Monday to enable devs and vendors time to develop patches, which are now available.
The exploit -- which has been assigned two CVE names, CVE-2017-1000364 for the Linux kernel and CVE-2017-1000366 for glibc -- goes by the human readable name Stack Clash, because "the first step in exploiting this vulnerability is to collide, or clash, the stack with another memory region," according to Qualys.
We've been here before. The new vulnerably seems to get around protections put in place to protect against against a similar earlier issue. Basically, it bypasses the stack guard-page added to Linux in 2010 after attacks in 2005 and 2010 targeted the stack, a memory management region. This region is designed to expand when an application requires more stack memory, and therein lies the problem. As Qualys explained in an advisory: "If another memory region is mapped directly below the stack, then the stack-pointer can move from the stack into the other memory region without raising a page-fault."
So far, the folks at Qualys have developed 14 exploits and proof-of-concept attack code taking advantage of the fault, some of which utilize other vulnerabilities. For example, by combining this vulnerability with a recently fixed flaw in Sudo -- also discovered by Qualysis -- that was thought to only pose a problem for SELinux, it's possible to obtain full root privileges on other Linux distributions. The good news is that so far Qualysis hasn't been able to remotely execute code by taking advantage of the exploit, although they caution that remote execution may yet prove to be possible.
Patches are available and are being rushed out the door by most of the affected operating systems. However, reading between the lines, they seem to be meant as a temporary fix, and there's a minor issue with the kernel patch "which creates overlapping values in /proc/meminfo," according to Red Hat. "This should not affect the functional application of the system and protection provided by the kernel."
For those who don't wish to apply the patches, Qualys offers a possible temporary workaround:
"[Y]ou may set the hard RLIMIT_STACK and RLIMIT_AS of your local users and remote services to some reasonably low values. Use this workaround at your own risk, however: most likely your limits will not be low enough to resist all attacks (for example, in some cases our Sudo stack-clash exploit allocates merely 137MB of heap memory, and almost no stack memory); or your limits will be too low and will break legitimate applications."
My advice? Don't mess with the workaround. If you're running a Unix-based operating system, check with the developer or your vendor and apply the patches.
About the Author
You May Also Like