Linux kernel: CVE-2017-6074 – local privilege escalation in DCCP

Mattias Geniar, Wednesday, February 22, 2017

Patching time, again.

This is an announcement about CVE-2017-6074 [1] which is a double-free
vulnerability I found in the Linux kernel. It can be exploited to gain
kernel code execution from an unprivileged process.

[oss-security] Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root)

This privilege escalation vulnerability is present in pretty much every kernel in use out there. Going by their kernel versions, CentOS 5, 6 and 7 are all vulnerable.

The oldest version that was checked is 2.6.18 (Sep 2006), which is
vulnerable. However, the bug was introduced before that, probably in
the first release with DCCP support (2.6.14, Oct 2005).

The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability
to be present. A lot of modern distributions enable this option by
default.

[oss-security] Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root)

Red Hat's bug tracker provides some mitigation tactics without updating the kernel and rebooting your box.

Recent versions of SELinux policy can mitigate this exploit. The steps below will work with SELinux enabled or disabled.

As the DCCP module will be auto loaded when required, its use can be disabled
by preventing the module from loading with the following instructions.

 # echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf 

The system will need to be restarted if the dccp modules are loaded. In most circumstances the dccp kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

If you need further assistance, see this KCS article ( https://access.redhat.com/solutions/41278 ) or contact Red Hat Global Support Services.

(CVE-2017-6074) CVE-2017-6074 kernel: use after free in dccp protocol

More details are hidden behind Red Hat's subscription wall, but the mitigation tactic shown above should be sufficient in most cases.

In fact, there don't seem to be updated kernel packages for CentOS just yet, so the above is -- at the time of writing -- the only mitigation tactic you have.
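To check whether that mitigation is actually in effect on a host, the script below combines the kernel config, the loaded-module list and the modprobe.d override into one status. It is an added example, not part of the original post or Red Hat's advice; the status names and the /boot/config-<release> path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the modprobe
# mitigation for CVE-2017-6074 is in effect. Status names are made up here.

# True if a dccp module (dccp, dccp_ipv4, ...) is listed in $1,
# a file in /proc/modules format.
dccp_loaded() {
    grep -Eq '^dccp(_[a-z0-9]+)* ' "$1" 2>/dev/null
}

# True if a *.conf file in directory $1 replaces loading of dccp with a no-op,
# as the "install dccp /bin/true" line from the Red Hat advice does.
dccp_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+(/usr)?/bin/(true|false)' "$1"/*.conf
}

# Args: kernel config file, module list file, modprobe.d directory.
dccp_status() {
    cfg=$1 mods=$2 dir=$3
    if [ -r "$cfg" ]; then
        # Built into the kernel image: there is no module to block.
        if grep -q '^CONFIG_IP_DCCP=y' "$cfg"; then echo builtin; return; fi
        # Option absent or "is not set": the vulnerable code is not present.
        if ! grep -q '^CONFIG_IP_DCCP=m' "$cfg"; then echo not-built; return; fi
    fi
    if dccp_loaded "$mods"; then
        # Already in memory; blocking only takes effect after a restart.
        if dccp_blocked "$dir"; then echo loaded-reboot-needed
        else echo loaded-unblocked; fi
    elif dccp_blocked "$dir"; then
        echo mitigated
    else
        echo exposed    # module can still be auto-loaded on demand
    fi
}

# Assumed paths: /boot/config-<release> is a common distro convention.
dccp_status "/boot/config-$(uname -r)" /proc/modules /etc/modprobe.d
```

A result of builtin means the modprobe override cannot help and only a patched kernel does.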




Comments

jose Thursday, February 23, 2017 at 18:19

Hello,

How can I know if I have dccp?

thanks and regards



Mattias Geniar Friday, February 24, 2017 at 10:54

The simplest way to see if it’s loaded:

$ lsmod | grep dccp

If the module is loaded, chances are you’re using it.

To see more info on the module (details on where it’s located etc.), try modinfo.

$ modinfo dccp
filename:       /lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/dccp/dccp.ko
description:    DCCP - Datagram Congestion Controlled Protocol
author:         Arnaldo Carvalho de Melo 
license:        GPL
srcversion:     71CA3F011BC23EF970AF27E
depends:
vermagic:       2.6.32-642.6.2.el6.x86_64 SMP mod_unload modversions
parm:           thash_entries:Number of ehash buckets (int)
