Two new Linux vulnerabilities were disclosed this week. Both are local privilege-escalation bugs: an attacker who already has an unprivileged account on the machine could use either of them to gain root.
CVE-2010-3904: Reliable Datagram Sockets (RDS) Protocol Vulnerability
The first vulnerability, reported on Tuesday by security firm VSR, arises from a flaw in the implementation of the Reliable Datagram Sockets (RDS) protocol in versions 2.6.30 through 2.6.36-rc8 of the Linux kernel. Known as CVE-2010-3904, the bug stems from the RDS code not verifying that addresses supplied by userspace actually point into userspace before copying to them. A local attacker who issues specially crafted RDS socket calls can therefore write arbitrary values into kernel memory, escalating their privileges to root ("superuser" status).
The problem exists only on Linux installations where the kernel was built with the CONFIG_RDS option and nothing stops unprivileged users from loading protocol-family modules: on such systems a plain socket() call for the RDS family makes the kernel load the rds module automatically, so the attacker does not need the module to be loaded beforehand. As VSR notes, this is the case for most stock distributions.
A proof-of-concept exploit created by VSR demonstrates the severity of the vulnerability. Heise Security tested the exploit on 64-bit Ubuntu 10.04 and was able to open a root shell, according to The H.
A patch has already been committed to the Linux kernel, and distributions should soon be updated accordingly. VSR advises users to install any updates to their Linux distribution or apply the committed patch and recompile their kernel. Alternatively, preventing the RDS kernel module from being auto-loaded is an effective workaround. This can be achieved by executing the following command as root:
echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds
Two caveats: newer versions of modprobe only read files in /etc/modprobe.d whose name ends in .conf, so on such systems the file should be called disable-rds.conf; and the alias only blocks the automatic load triggered by socket(). It does nothing if RDS is compiled into the kernel (CONFIG_RDS=y) rather than built as a module, in which case only the patch helps.
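The host check and the mitigation from the section above, written up as an added example. This is not VSR's proof-of-concept or The H's test code; function names such as rds_kernel_affected and rds_check_host are this example's own, and the affected version range is the one the advisory states (2.6.30 up to and including 2.6.36-rc8, with 2.6.36 final carrying the fix).

```sh
#!/bin/sh
# Added example, not code from VSR or The H. Function names are this
# example's own. Affected range per the advisory: 2.6.30 .. 2.6.36-rc8.

# rds_kernel_affected VERSION
# Returns 0 if VERSION (uname -r style, e.g. 2.6.32-24-generic) falls in
# the affected range, 1 otherwise. Only the numeric prefix is compared;
# the -rcN suffix matters solely for 2.6.36.
rds_kernel_affected() {
    ver=$1
    base=${ver%%-*}                 # strip "-24-generic", "-rc8", ...
    maj=${base%%.*}
    rest=${base#"$maj"}; rest=${rest#.}
    min=${rest%%.*}
    rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    min=${min:-0}; pat=${pat:-0}
    case "$maj$min$pat" in *[!0-9]*) return 1 ;; esac   # not a version
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] || return 1
    [ "$pat" -ge 30 ] || return 1
    [ "$pat" -lt 36 ] && return 0
    [ "$pat" -eq 36 ] || return 1
    case "$ver" in                  # 2.6.36-rc1 .. 2.6.36-rc8 only
        2.6.36-rc[1-8]|2.6.36-rc[1-8][!0-9]*) return 0 ;;
    esac
    return 1
}

# rds_disabled_in_conf FILE
# Returns 0 if FILE (modprobe.d syntax) already neutralises RDS autoload,
# either with the advisory's alias line or with an "install rds ..." override.
rds_disabled_in_conf() {
    grep -Eq '^[[:space:]]*(alias[[:space:]]+net-pf-21[[:space:]]+off|install[[:space:]]+rds[[:space:]])' "$1" 2>/dev/null
}

# rds_check_host: report the exposure of the running host. Informational only.
rds_check_host() {
    kver=$(uname -r)
    if rds_kernel_affected "$kver"; then
        echo "kernel $kver: inside the affected range"
    else
        echo "kernel $kver: outside the affected range"
    fi
    if lsmod 2>/dev/null | grep -q '^rds[[:space:]]'; then
        echo "rds module is loaded right now"
    elif modinfo rds >/dev/null 2>&1; then
        echo "rds module is available and can be autoloaded by socket()"
    fi
    for f in /etc/modprobe.d/*; do
        [ -f "$f" ] || continue
        if rds_disabled_in_conf "$f"; then
            echo "RDS autoload already disabled in $f"
        fi
    done
    return 0
}

# rds_disable: the advisory's workaround. Must run as root. Newer modprobe
# only reads /etc/modprobe.d files whose name ends in .conf, hence the suffix.
# Has no effect if RDS is built into the kernel (CONFIG_RDS=y).
rds_disable() {
    printf 'alias net-pf-21 off\n' > /etc/modprobe.d/disable-rds.conf
}

case "${1:-}" in
    --check)   rds_check_host ;;
    --disable) rds_disable ;;
esac
```

Run it as `sh rds-check.sh --check` to see whether the kernel is in range and whether the module can still be auto-loaded; `--disable` writes the alias file. The version parser deliberately treats 2.6.36 final and the 2.6.36.x stable releases as fixed, while 2.6.36-rc1 through -rc8 are flagged, matching the range given above.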
CVE-2010-3847: GNU C Library Loader Vulnerability
The second vulnerability, CVE-2010-3847, is a flaw in the dynamic linker/loader (ld.so) of the GNU C library, which mishandles the $ORIGIN token when resolving the library search path of a setuid program. It can be exploited locally to gain root privileges on Linux systems running an affected glibc. A typical scenario is an attacker who has already compromised a web server running under a restricted account and uses the bug to escalate to full control of the machine.
Tavis Ormandy discovered the bug and announced it on Monday; it affects Red Hat Enterprise Linux (RHEL) 5 and CentOS 5, among other distributions, and patches are currently in the works. Ormandy himself played down the issue, noting that "this is a low-impact vulnerability that is only of interest to security professionals and system administrators. End users do not need to be concerned."
In tests by Heise Security, a 64-bit installation of Ubuntu 10.04 appeared unaffected, as reported by The H.