The Stack Clash vulnerability in Linux, Solaris and BSD-based systems would let attackers gain root privileges and take full control of the machine, Qualys researchers warned Monday. Hosting providers and administrators of shared environments need to pay particular attention to this flaw since one compromised user can result in all other users on the same server being compromised.
Stack Clash refers to a set of privilege escalation vulnerabilities (CVE-2017-1000364, CVE-2017-1000365 and CVE-2017-1000367, among others) affecting the application stack, a memory region that holds short-term data for applications and grows automatically as needed. When the application’s stack grows too large, it can come too close to the heap, the memory region that holds information such as the files being viewed and edited. Attackers can take advantage of the proximity of the two regions to confuse the application into overwriting parts of the stack and the heap, and in doing so hijack the flow of execution within the application.
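To see the layout described above on a running Linux system, here is an added example (not from Qualys or the article) that parses /proc/&lt;pid&gt;/maps and measures how much address space separates the main stack mapping from the nearest mapping below it. The 1 MiB threshold is the default stack guard gap enforced by Linux kernels patched for Stack Clash and is an assumption of this check, as is the constructed sample map.

```python
import re

# Assumed threshold: kernels patched for Stack Clash (June 2017) default to a
# 256-page guard gap below the stack, i.e. 1 MiB with 4 KiB pages.
GUARD_GAP_BYTES = 256 * 4096

# start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text):
    """Parse /proc/<pid>/maps text into sorted (start, end, perms, name) tuples."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            start, end, perms, name = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, name.strip()))
    return sorted(regions)

def stack_gap(regions):
    """Return (bytes between [stack] and the closest mapping below it, that
    mapping's name), or None when the process has no [stack] region."""
    stacks = [r for r in regions if r[3] == "[stack]"]
    if not stacks:
        return None
    s_start = stacks[0][0]
    below = [r for r in regions if r[1] <= s_start]
    if not below:
        return (s_start, "<none>")
    nearest = max(below, key=lambda r: r[1])
    return (s_start - nearest[1], nearest[3] or "<anon>")

def assess(text, guard_gap=GUARD_GAP_BYTES):
    """'ok' if at least guard_gap bytes separate the stack from its lower
    neighbour, 'tight' if less, 'no-stack' if no [stack] mapping exists."""
    gap = stack_gap(parse_maps(text))
    if gap is None:
        return "no-stack"
    return "ok" if gap[0] >= guard_gap else "tight"

# Constructed sample (not a real process): an anonymous mapping ends one
# 4 KiB page below the stack, the pre-fix one-page separation.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
00600000-00621000 rw-p 00000000 00:00 0 [heap]
7ffff7dd0000-7ffff7dd2000 r--p 00000000 08:01 5678 /lib/ld-2.24.so
7ffffffdd000-7ffffffde000 rw-p 00000000 00:00 0
7ffffffdf000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    try:
        with open("/proc/self/maps") as f:
            live = f.read()
        print("live process:", assess(live), stack_gap(parse_maps(live)))
    except OSError:
        print("no /proc/self/maps here; showing the constructed sample only")
    print("sample:", assess(SAMPLE_MAPS), stack_gap(parse_maps(SAMPLE_MAPS)))
```

The distance visible in maps is only what currently sits below the stack, not the guard gap itself, so a "tight" result is a prompt to verify the kernel and package patch level rather than proof that a system is unpatched.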
“Our exploit grows the stack out, jumping past protections and getting into areas of memory where we should not be able to get code to execute,” said Jimmy Graham, director of product management at Qualys.
The attacker gains the privileges of the hijacked program. These aren’t just any run-of-the-mill applications, either. These are trusted, system-level programs such as sudo on Linux distributions such as Debian, Ubuntu, and CentOS; ld.so and SUID-root binaries on Debian, Ubuntu, Fedora, and CentOS; and rsh on Solaris. If the program has root privileges, the attacker takes over the whole system as an administrator. “This is a fairly straightforward way to get root after you’ve gotten user-level access,” Graham said.
The vulnerability is present in Unix-based systems on i386 and amd64 architectures. Affected Linux distributions include Red Hat, Debian, Ubuntu, SUSE, CentOS and Gentoo. Oracle’s Solaris is affected, as are FreeBSD, OpenBSD and NetBSD. Qualys has been working with distributions and vendors since May to get the vulnerabilities fixed, and the updates are just beginning to be released. Administrators need to act promptly to apply the security updates to affected machines.
Prompt attention is necessary, especially since Unix-based systems are predominantly used in server environments. Qualys didn’t research Microsoft or Apple products, and Graham could not say what kind of effect this kind of vulnerability may have on those systems.
Systems that must comply with specific regulations or contain critical data should take priority. Hosting providers and administrators managing shared environments need to make sure their systems are updated. If a user has shell access to the server, as is typical in multi-tenancy environments, then attackers can compromise that user and use Stack Clash to hijack applications running in that userspace. At that point, the attackers can jump to other userspaces in that shared environment.