Linux kernel: CVE-2017-6074 – local privilege escalation in DCCP



Mattias Geniar, February 22, 2017


Patching time, again.

This is an announcement about CVE-2017-6074 [1] which is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process.

[oss-security] Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root)

This privilege escalation vulnerability is present in pretty much every kernel in use out there: going by their kernel versions, CentOS 5, 6 and 7 are all vulnerable.

The oldest version that was checked is 2.6.18 (Sep 2006), which is vulnerable. However, the bug was introduced before that, probably in the first release with DCCP support (2.6.14, Oct 2005).

The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by default.

[oss-security] Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root)

Red Hat’s bug tracker provides some mitigation tactics without updating the kernel and rebooting your box.

Recent versions of SELinux policy can mitigate this exploit. The steps below will work with SELinux enabled or disabled.

As the DCCP module will be auto loaded when required, its use can be disabled by preventing the module from loading with the following instructions.

# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

The system will need to be restarted if the dccp modules are loaded. In most circumstances the dccp kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

If you need further assistance, see this KCS article ( https://access.redhat.com/solutions/41278 ) or contact Red Hat Global Support Services.

(CVE-2017-6074) CVE-2017-6074 kernel: use after free in dccp protocol

More details are hidden behind Red Hat’s subscription wall, but the mitigation tactic shown above should be sufficient in most cases.

In fact, there don’t seem to be updated kernel packages for CentOS just yet, so the above is – at the time of writing – the only mitigation tactic you have.
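To check where a box stands before and after applying that modprobe override, here is a small POSIX shell audit script. It is an added example, not code from this post or from Red Hat's advisory: it reports whether any dccp module is loaded, whether an "install dccp ..." override is already in modprobe.d, and (given a kernel .config) whether CONFIG_IP_DCCP was built at all. The SAMPLE_* inputs are constructed, and /proc/modules and /etc/modprobe.d are assumed to exist.

```shell
#!/bin/sh
# Added example, not code from the blog post or from Red Hat's advisory: audit a
# host for the DCCP exposure described above. Assumes a Linux host with
# /proc/modules and /etc/modprobe.d; the SAMPLE_* inputs below are constructed.

# dccp_loaded TEXT: succeed if TEXT (in /proc/modules format) lists a dccp* module.
dccp_loaded() {
    printf '%s\n' "$1" | grep -Eq '^dccp(_[[:alnum:]]+)?[[:space:]]'
}

# dccp_blocked TEXT: succeed if TEXT (modprobe.d contents) already overrides the
# dccp module with an "install dccp /bin/true" (or /bin/false) line.
dccp_blocked() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)'
}

# dccp_in_kernel_config TEXT: succeed if a kernel .config has CONFIG_IP_DCCP=y
# or =m, i.e. the code carrying the bug was built at all.
dccp_in_kernel_config() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_IP_DCCP=[ym]$'
}

# audit_host: report the live system. Returns 0 when dccp is blocked and not
# loaded, 1 when blocked but still loaded (reboot needed, as Red Hat notes),
# 2 when nothing yet prevents the module from being auto-loaded.
audit_host() {
    modules=$(cat /proc/modules 2>/dev/null)
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    loaded=1; blocked=1
    dccp_loaded "$modules" || loaded=0
    dccp_blocked "$conf" || blocked=0
    if [ "$blocked" -eq 1 ] && [ "$loaded" -eq 0 ]; then
        echo "OK: dccp is blocked from loading and is not loaded"; return 0
    elif [ "$blocked" -eq 1 ]; then
        echo "PARTIAL: dccp is blocked but still loaded; reboot to unload it"; return 1
    fi
    echo "EXPOSED: dccp can still be auto-loaded; add the modprobe override"; return 2
}

# Constructed sample inputs for running the checks offline.
SAMPLE_MODULES='dccp_ipv4 24576 0 - Live 0xffffffffc0a1b000
dccp 110592 1 dccp_ipv4, Live 0xffffffffc09f0000
ext4 737280 2 - Live 0xffffffffc0900000'
SAMPLE_CONF='# disable-dccp.conf
install dccp /bin/true'

if [ "${1:-}" = audit ]; then audit_host; fi
```

Run it as `sh audit-dccp.sh audit` on the host; a non-zero exit code means the override is missing or the module is still resident.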


