Permissions, Privileges, and Access Controls in Linux kernel

#VU28290 Permissions, Privileges, and Access Controls in Linux kernel

Published: 2020-05-27

Vulnerability identifier: #VU28290

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10751

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due in the Linux kernels SELinux LSM hook implementation where the kernel incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: 5.6 - 5.6.14, 5.4 - 5.4.42, 5.5 - 5.5.19, 5.3 - 5.3.18, 5.2 - 5.2.21, 5.1 - 5.1.21, 5.0 - 5.0.21, 4.19 - 4.19.124, 4.14 - 4.14.181, 4.9 - 4.9.224, 4.4 - 4.4.224, 4.0 - 4.0.9, 4.20 - 4.20.17, 4.15 - 4.15.18, 4.18 - 4.18.20, 4.17 - 4.17.19, 4.16 - 4.16.18, 4.1 - 4.1.52, 4.13 - 4.13.16, 4.12 - 4.12.14, 4.11 - 4.11.12, 4.10 - 4.10.17, 4.8 - 4.8.17, 4.7 - 4.7.10, 4.6 - 4.6.7, 4.5 - 4.5.7, 4.2 - 4.2.8, 4.3 - 4.3.6, 3.16 - 3.16.58, 3.18 - 3.18.140, 3.9 - 3.9.11, 3.8 - 3.8.13, 3.3 - 3.3.8, 3.13 - 3.13.11, 3.10 - 3.10.107, 3.19 - 3.19.8, 3.17 - 3.17.8, 3.15 - 3.15.10, 3.14 - 3.14.79, 3.12 - 3.12.74, 3.11 - 3.11.10, 3.7 - 3.7.10, 3.6 - 3.6.11, 3.5 - 3.5.7, 3.4 - 3.4.113, 3.2 - 3.2.93, 3.0 - 3.0.101, 3.1 - 3.1.10, 2.6.12 - 2.6.39.4

External links
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10751
http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb73974172ffaaf57a7c42f35424d9aece1a5af6
http://lore.kernel.org/selinux/CACT4Y+b8HiV6KFuAPysZD=5hmyO4QisgxCKi4DHU3CfMPSP=yg@mail.gmail.com/
http://www.openwall.com/lists/oss-security/2020/04/30/5

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in SELinux netlink