
E-mail: security@lbl.gov

Linux Local Privilege Escalation

Details of a critical Linux local privilege escalation vulnerability were reported on May 14, 2013.

This zero-day vulnerability appears to affect multiple flavors of Linux (RedHat/CentOS, Ubuntu, Debian, and others) and exploit code has already been publicly released and confirmed. This vulnerability requires a local shell account and allows attackers to quickly escalate their privileges to root access.

Updates:

5/16/13 am

Fixes for RHEL 6 and Ubuntu 12.04 have been released; please see the links below.

Affected kernels:

Linux kernel versions 2.6.32 - 3.8.8 appear to be affected.

Red Hat Enterprise Linux 6 up to kernel-2.6.32-358.6.1.el6, x86_64, is affected.

Red Hat Enterprise Linux 5 did not have the backport applied that introduced this vulnerability and does not appear to be affected.

It has been stated that, although 32-bit kernels are not exploitable with the current proof-of-concept code, they are still vulnerable.

Please note that SELinux features *DO NOT* mitigate this vulnerability.

Distribution details and patches:

Red Hat:

https://access.redhat.com/site/solutions/373743

Ubuntu:

http://www.ubuntu.com/usn/usn-1825-1/

A temporary patched kernel from Centos:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.6.1.el6.cve20132094/

Temporary mitigation:

The command: sysctl kernel.perf_event_paranoid=2

can be used for temporary mitigation of the currently published exploit, but see below:

> Can you confirm that :
> sysctl kernel.perf_event_paranoid=2
>
> is a good enough solution for our users in short term ?

Our testing shows that this is not sufficient to avoid the issue in general, but it is currently sufficient mitigation against the publicly available (unmodified) exploits. Best regards, -- Petr Matousek / Red Hat Security Response Team

Further information:

CVE-2013-2094 has been assigned for this vulnerability:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094

Please see the following thread for detailed information:

https://bugzilla.redhat.com/show_bug.cgi?id=962792

What you should do:

  • Verify whether your particular workstation or server OS versions are vulnerable to this attack

  • Monitor the NIST page and vendor sites for forthcoming patches

  • If possible, take the opportunity to audit your users and delete any temporary, unused or defunct accounts.

  • Make sure that your systems are sending their logs to our central syslog server (https://commons.lbl.gov/x/aol1B)

  • Contact security@lbl.gov if you notice any unusual behavior on your systems
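The following triage script is an added example, not part of this advisory or any vendor's tooling. It compares a kernel release string against the affected range quoted above (2.6.32 to 3.8.8) and checks whether the temporary kernel.perf_event_paranoid mitigation is set; the function names and the `--host` flag are this example's own. Because distributions backport fixes without changing the base version (the RHEL 6 kernel above is one such case), treat "in range" as a prompt to check the vendor links, not as a verdict.

```shell
#!/bin/sh
# Example triage helper for CVE-2013-2094 (added here; not from the advisory).

# Convert "major.minor.patch[-suffix]" to a sortable integer (suffix ignored).
kver_num() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    pat=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# True (exit 0) when the release falls within 2.6.32 .. 3.8.8 inclusive,
# the range the advisory lists as affected.
kernel_in_affected_range() {
    v=$(kver_num "$1")
    [ "$v" -ge "$(kver_num 2.6.32)" ] && [ "$v" -le "$(kver_num 3.8.8)" ]
}

# True when kernel.perf_event_paranoid is at least 2, the setting Red Hat
# described as sufficient against the unmodified public exploit only.
paranoid_mitigation_active() {
    [ "${1:-0}" -ge 2 ]
}

# Report on the running host: kernel release and current sysctl value.
report_host() {
    rel=$(uname -r)
    par=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null || echo 0)
    if kernel_in_affected_range "$rel"; then
        echo "kernel $rel: within the advisory's affected range; confirm vendor fix status"
    else
        echo "kernel $rel: outside the advisory's affected range"
    fi
    if paranoid_mitigation_active "$par"; then
        echo "kernel.perf_event_paranoid=$par: temporary mitigation in place"
    else
        echo "kernel.perf_event_paranoid=$par: set 'sysctl kernel.perf_event_paranoid=2' until patched"
    fi
}

# Only touch the live system when invoked as: sh check-cve-2013-2094.sh --host
if [ "${1:-}" = "--host" ]; then
    report_host
fi
```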