Vulnerability of Linux kernel: privilege elevation via PTRACE_SETREGS

Summary of the vulnerability

A local attacker can create a program that uses ptrace() to alter the execution flow and elevate their privileges.
Impacted systems: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity of this alert: 2/4.
Creation date: 18/02/2013.
References of this alert: BID-57986, CERTA-2013-AVI-155, CERTA-2013-AVI-454, CVE-2013-0871, DSA-2632-1, ESX400-201310001, ESX400-201310401-SG, ESX400-201310402-SG, ESX410-201307001, ESX410-201307401-SG, ESX410-201307403-SG, ESX410-201307404-SG, ESX410-201307405-SG, openSUSE-SU-2013:0396-1, openSUSE-SU-2013:0925-1, openSUSE-SU-2013:0927-1, RHSA-2013:0567-01, RHSA-2013:0621-01, RHSA-2013:0622-01, RHSA-2013:0661-01, RHSA-2013:0662-01, RHSA-2013:0695-01, RHSA-2013:0741-01, SUSE-SU-2013:0341-1, SUSE-SU-2013:0674-1, SUSE-SU-2013:0786-1, VIGILANCE-VUL-12431, VMSA-2013-0009, VMSA-2013-0009.2.

Description of the vulnerability 

The ptrace() system call tracks and controls the execution of a process. Its PTRACE_GETREGS and PTRACE_SETREGS requests read and change register values.

When a process receives the SIGKILL signal, it stops. However, when the schedule() function runs, if the tracer process alters registers with PTRACE_SETREGS, the values popped from the stack contain an incorrect RIP (address of the next instruction).

A local attacker can therefore create a program that uses ptrace() to alter the execution flow and elevate their privileges.

This vulnerability impacts software or systems such as Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.

Our Vigil@nce team determined that the severity of this security announcement is medium.

The trust level is "confirmed by the vendor", and the attack origin is a user shell.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

Linux kernel: version 3.7.5.
The version 3.7.5 is fixed:
  http://www.kernel.org/pub/linux/kernel/v3.0/

Linux kernel: version 3.4.28.
The version 3.4.28 is fixed:
  http://www.kernel.org/pub/linux/kernel/v3.0/

Linux kernel: version 3.2.39.
The version 3.2.39 is fixed:
  http://www.kernel.org/pub/linux/kernel/v3.0/

Linux kernel: version 2.6.32.61.
The version 2.6.32.61 is fixed:
  https://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/

Linux kernel: patch for PTRACE_SETREGS.
A patch is available in information sources.

Debian: new linux-2.6 packages.
New packages are available:
  linux-2.6 2.6.32-48squeeze1

openSUSE 11.4: new kernel-3.0.58 packages (10/06/2013).
New packages are available:
  kernel-3.0.58-30.2

openSUSE 11.4: new kernel-3.0.74 packages (10/06/2013).
New packages are available:
  kernel-3.0.74-34.1

openSUSE 12.1: new kernel packages.
New packages are available:
  kernel-3.1.10-1.19.1

RHEL 5.6: new kernel packages.
New packages are available:
  kernel-2.6.18-238.49.1.el5

RHEL 5: new kernel packages.
New packages are available:
  kernel-2.6.18-348.3.1.el5

RHEL 6.1: new kernel packages.
New packages are available:
  kernel-2.6.32-131.38.1.el6

RHEL 6.2: new kernel packages.
New packages are available:
  kernel-2.6.32-220.34.1.el6

RHEL 6.3: new kernel packages.
New packages are available:
  kernel-2.6.32-279.23.1.el6

RHEL 6 MRG: new kernel-rt packages.
New packages are available:
  kernel-rt-3.6.11-rt30.25.el6rt

RHEL 6: new kernel packages.
New packages are available:
  kernel-2.6.32-358.0.1.el6

SUSE LE 10: new kernel packages.
New packages are available:
  kernel-2.6.16.60-0.101.1

SUSE LE 11: new kernel packages.
New packages are available:
  kernel-3.0.58-0.6.6.1

SUSE LE Real Time: new kernel-rt packages.
New packages are available:
  kernel-rt-3.0.74.rt98-0.6.2.1

VMware ESX 4.0: patch ESX400-201310001.
A patch is available:
  ESX400-201310001.zip
  http://kb.vmware.com/kb/2059490

VMware ESX 4.1: patch ESX410-201307001.
A patch is available:
  http://kb.vmware.com/kb/2053393
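
The upstream fixed versions listed above can be turned into a quick triage of `uname -r` output. This is an added example, not code from Vigil@nce or the kernel project; the function names and the sample release strings are constructed, and treating any release suffix as a vendor build is an assumption.

```python
import re
import sys

# Fixed upstream releases listed in this bulletin, keyed by stable branch.
FIXED_UPSTREAM = {
    (3, 7): (3, 7, 5),
    (3, 4): (3, 4, 28),
    (3, 2): (3, 2, 39),
    (2, 6, 32): (2, 6, 32, 61),
}


def parse_release(release):
    """Split a `uname -r` string into (numeric version tuple, suffix)."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def triage(release):
    """Return 'fixed', 'vulnerable', 'check-package' or 'unknown-branch'."""
    version, suffix = parse_release(release)
    # Assumption: any suffix (e.g. "-358.0.1.el6.x86_64") marks a vendor or
    # locally built kernel. Vendors backport fixes, so the upstream number
    # says nothing; compare the package against the bulletin's package list.
    if suffix:
        return "check-package"
    for branch, fixed in FIXED_UPSTREAM.items():
        if version[:len(branch)] == branch:
            return "fixed" if version >= fixed else "vulnerable"
    # Branch not named in the bulletin: no verdict can be drawn from it.
    return "unknown-branch"


if __name__ == "__main__":
    # Releases given on the command line, else constructed samples.
    samples = sys.argv[1:] or ["3.7.4", "3.4.28", "2.6.32.60",
                               "2.6.32-358.0.1.el6.x86_64", "3.5.7"]
    for rel in samples:
        print(f"{rel:32} {triage(rel)}")
```

A `check-package` result means the installed kernel package has to be compared with the distribution package versions in the list above, since the upstream number alone does not show whether the fix was backported.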