Linux Kernel Privilege Escalation Vulnerability Found in RDS Over TCP

A memory corruption vulnerability recently found in Linux Kernel’s implementation of RDS over TCP could lead to privilege escalation. 

Tracked as CVE-2019-11815 and featuring a CVSS base score of 8.1, the flaw impacts Linux kernels prior to 5.0.8, but only systems that use the Reliable Datagram Sockets (RDS) for the TCP module.

The issue, a NIST advisory reveals, is a race condition that affects the kernel’s rds_tcp_kill_sock in net/rds/tcp.c. The bug leads to a use-after-free, related to net namespace cleanup, the advisory reveals. 

“A system that has the rds_tcp kernel module loaded (either through autoload via local process running listen(), or manual loading) could possibly cause a use after free (UAF) in which an attacker who is able to manipulate socket state while a network namespace is being torn down,” the Red Hat advisory on this bug reads. 

Apparently, the vulnerability can be exploited over the network and requires no privileges or user interaction, although the complexity of a successful attack is rather high. An attacker could abuse the issue to access restricted information or cause denial of service. 

According to Seth Arnold from Ubuntu’s security team, although the bug is said to be remotely exploitable, there doesn’t appear to be evidence to sustain that. 

“Blacklisting rds.ko module is probably sufficient to prevent the vulnerable code from loading. The default configuration of the kmod package has included RDS in /etc/modprobe.d/blacklist-rare-network.conf since 14.04 LTS,” he notes. 

Suse too notes that the attack vector is local and considers that the vulnerability’s base severity score should be lower (6.4). Debian has issued an advisory as well.

Related: Intel MDS Vulnerabilities: What You Need to Know

Related: DoS Vulnerabilities Impact Linux Kernel

Related: Google Project Zero Discloses New Linux Kernel Flaw

Related: Siemens Warns of Linux, GNU Flaws in Controller Platform