The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Linux kernel: privilege escalation via IPC

Synthesis of the vulnerability

A local attacker can manipulate IPC on the Linux kernel, in order to escalate his privileges.
Severity of this bulletin: 2/4.
Creation date: 02/10/2015.
References of this threat: CERTFR-2015-AVI-419, CERTFR-2015-AVI-430, CERTFR-2015-AVI-498, CVE-2015-7613, DSA-3372-1, FEDORA-2015-d7e074ba30, FEDORA-2015-dcc260f2f2, JSA10853, K90230486, RHSA-2015:2152-02, RHSA-2015:2411-01, RHSA-2015:2587-01, RHSA-2015:2636-01, SB10146, SOL90230486, SUSE-SU-2015:1727-1, SUSE-SU-2015:2084-1, SUSE-SU-2015:2085-1, SUSE-SU-2015:2086-1, SUSE-SU-2015:2087-1, SUSE-SU-2015:2089-1, SUSE-SU-2015:2090-1, SUSE-SU-2015:2091-1, USN-2761-1, USN-2762-1, USN-2763-1, USN-2764-1, USN-2765-1, USN-2792-1, USN-2796-1, VIGILANCE-VUL-18021.

Description of the vulnerability

The shmget() system call creates a shared memory segment with IPC_CREAT, so two processes can communicate via IPC.

The newque() function of the ipc/msg.c file of the Linux kernel creates this segment. However, it calls ipc_addid() too soon, so the uid associated with the segment is incorrect.

A local attacker can therefore manipulate IPC on the Linux kernel, in order to escalate his privileges.
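
The ordering problem described above, shown as an added example that is not taken from the Vigil@nce bulletin or from the kernel source: a simplified user-space model in which publish() stands in for ipc_addid(). All other names, the 0xAA fill pattern and the uid 1000 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified user-space model with hypothetical names; not kernel code. */
struct ipc_obj { uint32_t uid; };          /* owner compared in permission checks */
#define MAX_IDS 8
static struct ipc_obj pool[MAX_IDS];       /* backing storage */
static struct ipc_obj *id_table[MAX_IDS];  /* objects reachable by id */
static unsigned next_id;
static uint32_t observed_uid;              /* what a racing lookup saw */
/* Stands in for ipc_addid(): the object becomes visible to other processes.
 * The read models the worst case, a lookup on another CPU at that instant. */
static void publish(unsigned id)
{
    id_table[id] = &pool[id];
    observed_uid = id_table[id]->uid;
}

/* Hands out a slot whose bytes are stale, as freshly allocated memory may be. */
static unsigned alloc_id(void)
{
    unsigned id = next_id++ % MAX_IDS;
    memset(&pool[id], 0xAA, sizeof pool[id]);
    return id;
}

/* Flawed ordering: published first, ownership filled in afterwards. */
uint32_t create_publish_first(uint32_t creator_uid)
{
    unsigned id = alloc_id();
    publish(id);
    pool[id].uid = creator_uid;
    return observed_uid;
}

/* Corrected ordering: fully initialised, then published. */
uint32_t create_init_first(uint32_t creator_uid)
{
    unsigned id = alloc_id();
    pool[id].uid = creator_uid;
    publish(id);
    return observed_uid;
}

int main(void)
{
    printf("publish first: lookup saw uid %#x\n", (unsigned)create_publish_first(1000));
    printf("init first:    lookup saw uid %u\n", (unsigned)create_init_first(1000));
    return 0;
}
```

With the flawed ordering the racing lookup compares against whatever bytes were left in memory; with the corrected ordering it can only ever see the creator's uid.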

This vulnerability impacts software or systems such as Debian, BIG-IP Hardware, TMOS, Fedora, NSM Central Manager, NSMXpress, Linux, McAfee NSP, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this vulnerability is medium.

The trust level is "confirmed by the editor", and the attack origin is "user shell".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat

Linux kernel: patch for IPC.
A patch is indicated in information sources.

Debian: new linux packages (13/10/2015).
New packages are available:
  Debian 7: linux 3.2.68-1+deb7u5
  Debian 8: linux 3.16.7-ckt11-1+deb8u5

F5 BIG-IP: solution for Linux CVE-2015-7613.
The solution is indicated in information sources.

Fedora: new kernel packages.
New packages are available:
  Fedora 21: kernel 4.1.10-100.fc21
  Fedora 22: kernel 4.1.10-200.fc22

Juniper NSM: solution for CentOS.
The solution is indicated in information sources.

McAfee Network Security Platform: fixed versions for Linux IPC.
Fixed versions are indicated in information sources.

RHEL 6: new kernel packages.
New packages are available:
  RHEL 6: kernel 2.6.32-573.12.1.el6

RHEL 7.1: new kernel packages.
New packages are available:
  RHEL 7: kernel 3.10.0-229.24.2.el7

RHEL 7: new kernel packages (20/11/2015).
New packages are available:
  RHEL 7: kernel 3.10.0-327.el7

RHEL 7: new kernel-rt packages.
New packages are available:
  RHEL 7: kernel-rt 3.10.0-327.rt56.204.el7

SUSE LE 12: new kernel packages (13/10/2015).
New packages are available:
  SUSE LE 12 RTM: kernel 3.12.48-52.27.1

SUSE LE Live Patching 12: new kgraft-patch packages.
New packages are available:
  SUSE LE 12 RTM: kgraft-patch 3_12_44-52_18-default-2-4.1, kgraft-patch 3_12_44-52_10-default-2-2.1, kgraft-patch 3_12_43-52_6-default-3-2.1, kgraft-patch 3_12_39-47-default-3-2.1, kgraft-patch 3_12_38-44-default-3-2.1, kgraft-patch 3_12_36-38-default-4-2.3, kgraft-patch 3_12_32-33-default-4-2.3

Ubuntu 12.04: new linux-image-3.2.0 packages.
New packages are available:
  Ubuntu 12.04 LTS: linux-image-3.2.0-93-generic 3.2.0-93.133, linux-image-3.2.0-1473-omap4 3.2.0-1473.95

Ubuntu: new linux-image packages.
New packages are available:
  Ubuntu 12.04 LTS: linux-image-3.13.0-65-generic 3.13.0-65.106~precise1
  Ubuntu 14.04 LTS: linux-image-3.19.0-30-generic 3.19.0-30.34~14.04.1, linux-image-3.13.0-65-generic 3.13.0-65.106, linux-image-3.16.0-50-generic 3.16.0-50.67~14.04.1
  Ubuntu 15.04: linux-image-3.19.0-30-generic 3.19.0-30.34