In its 2017 malware forecast, SophosLabs warned that attackers would increasingly target Linux. Now comes another example of the problem: a Linux vulnerability called Stack Clash that attackers could exploit to corrupt system memory and launch malicious code.
The flaw, discovered by researchers at Qualys, is in the memory management of several operating systems and affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64.
Every program that runs on computers uses a memory region called the stack, which grows organically as the program needs more memory. But, as Qualys noted:
If it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around.
Researchers found that attackers could exploit Stack Clash to literally clash or ram the stack against another memory region. To exploit the flaw, one must first target the primary vulnerability, as outlined in CVE-2017-1000364. But the researchers discovered more vulnerabilities – some secondary, other directly related – that could be used in similar fashion.
Stack clashing is an old technique first exploited in 2005 and then in 2010. After the 2010 exploit, Linux introduced a protection against such exploits called the stack guard-page. Though it has helped, stack clashes remain widespread.
The researchers developed seven exploits and proofs of concept, then worked with the affected vendors on a fix. As a result, Qualys said:
We are releasing this advisory today as a coordinated effort, and patches for all distributions are available June 19, 2017. We strongly recommend that users place a high priority on patching these vulnerabilities immediately.
Lack of consistent patching among Linux users is one of the biggest reasons that attackers are focusing on it more intently. It’s a reminder to all that security updates need to be applied as soon as possible.