Users are encouraged to install the latest security updates or block the flawed module manually to safeguard enterprise and home use of the OS
London (UK). Positive Technologies expert, Alexander Popov, has found and fixed a vulnerability (CVE-2017-2636) in the Linux kernel that allowed local users to gain privilege escalation or cause a denial of service. This issue affects the majority of popular Linux distributions including RHEL 6/7, Fedora, SUSE, Debian, and Ubuntu.
The researcher found a race condition in the n_hdlc driver that leads to double-freeing of kernel memory, which can be exploited for privilege escalation in the operating system. The bug was evaluated as dangerous with a CVSS v3 score of 7.8.
“The vulnerability is old, so it is widespread across Linux workstations and servers,” notes Alexander Popov. “To automatically load the flawed module, an attacker needs only unprivileged user rights. Additionally, the exploit doesn’t require any special hardware.”
The discovered flaw was introduced on June 22, 2009. It was revealed during system calls testing with the syzkaller fuzzer. On February 28, 2017, the researcher reported the vulnerability to kernel.org and attached the patch to fix it and the exploit prototype. On March 7 the CVE-2017-2636 vulnerability was disclosed, and the security updates were published. The bug can also be mitigated manually with special rules that block kernel modules from loading.
Most Commented Posts
2020 Cybersecurity Landscape: 100+ Experts’ Predictions
Cyber Security Predictions 2021: Experts’ Responses
Experts’ Responses: Cyber Security Predictions 2023
Celebrating Data Privacy Day – 28th January 2023
Data Privacy Protection Day (Thursday 28th) – Experts Comments
Most Active Commenters
Meta’s fine over data privacy breaches underscores the critical challenges…
Hi, Thanks, that is really useful information. I do have…
“This is a very worrying attack that hit T-Mobile and…
“This latest cyberattack against T-Mobile may be smaller than previous…
“Genesis Market is a complex global criminal access marketplace. Buyers…