Linux, BSD and Solaris are all affected by memory management bugs that could allow attackers to execute malicious code
Researchers have warned of a serious security bug in Unix-like operating systems that could allow an attacker with low-level access to a system to take it over and execute arbitrary code.
The vulnerability, named “Stack Clash” by computer security firm Qualys, affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on both Intel’s i386 and AMD’s amd64 hardware platforms.
Local privilege escalation
Qualys, which discovered the flaw, said other, similar operating systems, such as Google’s Linux-based Android or Apple’s Unix-based macOS, may also be vulnerable, but hadn’t been tested.
It’s also possible the bug could be exploited remotely, but Qualys said it only tested a single remote application, which turned out not to be exploitable.
“The exploits and proofs of concept that we developed in the course of our research are all local privilege escalations: an attacker who has any kind of access to an affected system can exploit the Stack Clash vulnerability and obtain full root privileges,” Qualys said in its advisory.
The bug affects a computer’s memory region known as a stack, which is used by running applications and grows or shrinks as needed. If it grows enough the stack can approach another memory region in such a way that the program confuses that region with the stack, something that can be exploited by attackers to manipulate other memory regions.
The idea of “clashing” the stack with another memory region was exploited in 2005 and again in 2010, after which Linux introduced a protection called the stack guard-page.
But Qualys said its research now shows this protection is easily circumvented. The company said it has developed seven exploits and seven proofs of concept, but isn’t releasing them publicly until users have had time to apply patches.
Qualys said it has been working with the developers of FreeBSD, NetBSD, OpenBSD, Solaris and Linux distributions including Red Hat, SuSE, Debian and Ubuntu on patches for the operating systems since the beginning of May, and that fixes are now available.
“We strongly recommend that users place a high priority on patching these vulnerabilities immediately,” Qualys wrote.
The company said those who are unable to or don’t wish to patch their servers right away can set hard limits on the stack size.
But this workaround isn’t ideal, since such limits might not be low enough to resist all attacks and might break legitimate applications, Qualys warned.
Do you know all about security in 2017? Try our quiz!