In 2010, Linux kernel developers added a new memory stack protection capability called Stack Guard to help limit the risk of a vulnerability identified as CVE-201-2240.
As it turns out, the Stack Guard mitigation isn’t entirely complete, according to security firm Qualys, potentially enabling a local attacker to escalate privileges. Qualys is calling the Stack Guard flaw Stack Clash, which actually refers to two specific vulnerabilities: CVE-2017-1000364 for the Linux kernel and CVE-2017-10000366 for glibc.
There is no public evidence that the Stack Clash flaw has ever been exploited by hackers as of yet, and there are now patches available in upstream open-source projects and from the major Linux distribution vendors, including Red Hat.
In its advisory on the Stack Clash issue, Red Hat explained that the stack guard page was originally meant as a protection against sequential memory access.
“The reporter (Qualys) found ways to reintroduce CVE-2010-2240 in generic binaries not by causing sequential stack overflow (and thus running into the stack guard page), but by leveraging certain constructs in stack memory allocation, as performed by common binaries, to ‘jump’ over the stack guard page and again be able to access memory in the adjacent memory region without causing an invalid access,” Red Hat’s advisory explained. “This results in overlapping stack with another memory region (usually heap) and thus stack memory access is reflected into the heap and vice versa.”
There are multiple Linux Security Modules (LSMs) available in Linux distributions, including SELinux and AppArmor that can often provide additional mitigation capabilities for potential risks. That said, with Stack Clash, Red Hat security program manager Chris?Robinson told eSecurityPlanet that SELinux would not have been able to stop a Stack Clash attack.
The Stack Clash vulnerability is the second Linux exploit discovered and reported by Qualys in as many month. On May 30, Qualys reported a privilege escalation in the Linux SUDO command identified as CVE-2017-1000367.
“If CVE-2017-1000367 is combined with the Stack Clash, any local user (not just Sudoers) can exploit Sudo to obtain full root privileges on any vulnerable Linux system (not just SELinux systems),” Qualys wrote in its advisory. “Because CVE-2017-1000367 was exploitable independently of the Stack Clash, we (and the affected vendors) decided to not wait for the June 19 Coordinated Release Date and published it on May 30”
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.