ITSS Information Security Services
Linux kernel patch fixes memory management vulnerabilities -- 19 February 2004
Summary
UPDATE: As of 26 February 2004, at least three independent exploits for mremap() vulnerabilities are in circulation. We have evidence of these attacks being used at Stanford to compromise machines. Please update your kernel promptly!

A new release of the Linux kernel fixes a memory management problem in the kernel [1-4]. All users of SULinux, RedHat and Debian are strongly encouraged to update their software quickly to avoid system compromise.
For SULinux 9, su to root, and type

    apt-get update
    apt-get install kernel#2.4.20-30.9

Reboot your machine, and be sure it comes up gracefully. Once you've tested the new kernel, run

    apt-get remove kernel#2.4.20-28.9

to remove the old kernel.

Note: the minor kernel number may vary in the final command. To determine your kernel version, type uname -r at the command line:

    test-machine:~> uname -r
    2.4.20-28.9smp

For SMP kernels:

    apt-get update
    apt-get install kernel-smp#2.4.20-30.9

Reboot your machine, and be sure it comes up gracefully. Once you've tested the new kernel, run

    apt-get remove kernel-smp#2.4.20-28.9

For SULinux 7.2/7.3:

    apt-get update
    apt-get install kernel#2.4.20-30.7
    (reboot/test)
    apt-get remove kernel#2.4.20-28.7
7.2 machines using grub as their boot loader (the default) require no further changes. If you've switched to the lilo boot loader, be sure you edit /etc/lilo.conf to point to the new kernel, and run the command /sbin/lilo to finalize the changes.
For SULinux 8.0:

    apt-get update
    apt-get install kernel#2.4.20-30.8.legacy
    (reboot/test)
    apt-get remove kernel#2.4.20-28.8

Again, for SMP kernels you'd use "kernel-smp" as above.

Finally, it may be necessary for 8.0 users to add "@i686" or the like (athlon, i386, etc.) to the end of each kernel version in the above apt statements. Remember, SULinux 8.0 is no longer fully supported and we definitely suggest moving up to 9 if you use 8.0!
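
To confirm after the reboot that a machine is actually running a fixed kernel, the uname -r output can be compared against the package versions listed above. The script below is an added example, not part of the original alert; it assumes any 2.4.20 build numbered 30 or higher is fixed and reports every other base version as unknown.

```shell
#!/bin/sh
# Added example (not from the original alert): classify a `uname -r` string
# against the fixed builds named above (2.4.20-30.9, -30.7, -30.8.legacy).
# Assumption: any 2.4.20 build numbered 30 or higher carries the fix; kernels
# with another base version are outside this alert's package list -> "unknown".
FIXED_BASE="2.4.20"
FIXED_BUILD=30

# check_kernel RELEASE  prints: patched | vulnerable | unknown
check_kernel() {
    rel=$1
    case $rel in
        *-*) ;;                       # need "<base>-<build>..."
        *) echo unknown; return 0 ;;
    esac
    base=${rel%%-*}                   # "2.4.20-28.9smp" -> "2.4.20"
    rest=${rel#*-}                    # -> "28.9smp"
    build=${rest%%.*}                 # -> "28"
    case $build in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$base" != "$FIXED_BASE" ]; then
        echo unknown
    elif [ "$build" -ge "$FIXED_BUILD" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample release strings, then the kernel actually running here.
for r in 2.4.20-28.9smp 2.4.20-30.9 2.4.20-30.8.legacy 2.4.20-28.7 "$(uname -r)"; do
    printf '%-24s %s\n' "$r" "$(check_kernel "$r")"
done
```

A result of "vulnerable" right after installing the new package usually means the machine has not yet been rebooted into it, or the boot loader still points at the old kernel.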
Technical Details
Linux uses virtual memory area descriptors (hereafter VMAs) to manage user addressable memory locations for processes. VMAs include the starting address of valid memory regions, the size of the region, and flags like page protection. The mremap() system call allows the kernel to modify the size and location of user addressable memory. mremap() uses another system call, do_munmap(), to remove existing old memory maps in the new location, but it fails to validate the return value of do_munmap(). This may allow an attacker to achieve root privileges on an unpatched system, or to disrupt the kernel sufficiently that the system becomes unusable.

Two distinct errors in the mremap system call have been disclosed since January [1,2]. The latest Linux kernel version contains fixes for both problems.
Countermeasures
At least three exploits for the first do_mremap() vulnerability are available on the Internet. Proof of concept code for the second vulnerability was provided to the operating system developers when it was reported, and according to the author will be made public in the near future.

There are no workarounds available to prevent this attack from succeeding. System administrators on multi-user machines should be particularly careful of local privilege escalation attacks, but all Linux users are strongly encouraged to update their kernels immediately.
References
[1] Linux kernel do_mremap VMA limit local privilege escalation vulnerability
[2] Linux kernel do_mremap() local privilege escalation
[3] Updated kernel packages resolve security vulnerabilities
[4] DSA-438-1 linux-kernel-2.4.18-alpha+i386+powerpc -- missing function return value check
Last modified Wednesday, 08-Feb-2006 11:46:14 PST
© 2003-2004, Stanford University. All rights reserved.