ALERT: Patch to address vulnerability in Linux (CVE-2017-6074)

Thursday, February 23, 2017

This information was sent to several U-M IT staff groups on February 23, 2017. It is intended U-M IT staff who are responsible for university systems running Linux.

Summary: 

A vulnerability affecting the Linux kernel's Datagram Congestion Control Protocol (DCCP) IPv6 implementation allows an attacker to create a situation where memory can be overwritten with malicious instructions. An attacker must have access to a local account on the system and both DCCP and IPv6 must be enabled, which is the default on most major Linux distributions. Action should be taken quickly to mitigate this vulnerability on vulnerable systems.

Problem: 

A non-privileged user can use this Linux kernel vulnerability to gain root access on vulnerable systems. Shared systems that allow logins from users who should not have root access are exposed to exploitation of this vulnerability. Proof-of-concept (POC) code is expected to be made publicly available within a few days if it is not already available.

Affected Versions: 

All the major Linux distributions, including Debian, OpenSUSE, Redhat, and Ubuntu are vulnerable. Check these vendor sites for information about the vulnerability and patch availability:

For all Linux systems that have IPv6 and DCCP support, kernel version 2.6.18 (Sep 2006) and later versions are known to be vulnerable if DCCP and IPv6 are enabled. Currently-available information indicates that the bug was introduced before that, probably in the first release with DCCP support (2.6.14, Oct 2005).

Action Items: 

Complete kernel patching after appropriate testing as soon as a patch is available. A reboot will be required following patching. Prioritize shared systems that allow logins from users who should not have local root access.

If immediate patching is not possible, consider disabling the DCCP kernel module. The following method is recommended for some distributions, but please see your Linux distribution’s documentation to determine the recommended methods for disabling kernel modules.

# echo "install dccp /bin/true">> /etc/modprobe.d/disable-dccp.conf

If the DCCP kernel module is already loaded, a reboot will likely be necessary to protect the system after making that change.

Threats: 

Proof-of-concept (POC) code is expected to be publicly available within a few days if it is not already available. This flaw allows an attacker with an account on the local system to potentially elevate privileges. Successful exploitation may result in crashing of the host kernel, potential execution of code in the context of the host kernel or other escalation of privilege by modifying kernel memory structures.

Technical Details: 

A use-after-free flaw was found in the way the Linux kernel's DCCP implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.

Detection: 

A Linux system is vulnerable if the kernel was compiled with DCCP and IPv6 support and the kernel version is earlier than the fixed version. On most systems, compilation of the kernel with DCCP and IPv6 support will result in the creation of the file /lib/modules/[KERNEL VERSION]/kernel/net/dccp/dccp_ipv6.ko

This file will also exist on patched systems, so check with your Linux distribution to find the kernel version or kernel package version that fixes this vulnerability.

Information for Users: 

Linux systems managed by ITS will be patched or reconfigured as soon as possible. If you manage Linux devices for yourself or others, please patch or reconfigure as soon as possible.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing, and Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.