Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

5 things you need to know about Stack Clash to secure your shared Linux environment

Fahmida Y. Rashid | June 21, 2017
Attackers can locally exploit the privilege escalation vulnerability to gain root access over Linux, Solaris and BSD machines. This is bad news for Unix-based servers, and even more so for multi-tenant environments.

Rebuilding and reinstalling the dynamic library ld.so and recompiling all programs using gcc's -fstack-check option would prevent the stack pointer from moving into other memory regions. This will require all the programs to be recompiled -- an expensive endeavor to be sure, but it would prevent Stack Clash completely.

 

Randomize memory to make attacks more time-consuming

The proofs of concept by Qualys followed four sequential steps, which include: clashing the stack with another memory region, running the stack pointer to the start of the stack, jumping over the stack guard-page, and writing to the memory region to smash the stack or other memory region. In the last step, to write to the memory region, Qualys was able to brute-force ASLR (Address Space Layout Randomization) because it used only 8-bits of entropy.

Stack Clash works because it relies on predictable details of target systems, such as where data is stored, and how code will behave, says Gounares. When the details are in expected places or can be easily guessed, attackers can just brute-force the information they need to know. The Qualys exploit took just five hours to brute-force ASLR by running through all possible combinations, for example.

“If the attacker doesn’t know and can’t guess details of their target victims, attacks like Stack Clash become impractical—even if the underlying bugs they exploit still exist,” Gounares says.

Everyone will need to update their servers to address Stack Clash, and considering the kind of damage possible, everyone should do it soon before the wave of attacks start knocking over the vulnerable systems.

 

Previous Page  1  2  3  4 

Sign up for Computerworld eNewsletters.