Severe Linux kernel flaw found in RDS

Linux patch

Linux systems running kernels prior to 5.0.8 require patching after news emerged of a high-severity flaw that could be remotely exploited.

According to the NIST advisory, CVE-2019-11815 is a race condition affecting the kernel’s rds_tcp_kill_sock in net/rds/tcp.c “leading to a use-after-free, related to net namespace cleanup.”

The RDS bit refers to systems running the Reliable Datagram Sockets (RDS) for the TCP module, which means only systems that run applications using this are affected.

The attention-grabbing part is that this opens unpatched systems to remote compromise and denial of service without the need for system privileges or user interaction.

On the other hand, the attack complexity is described as ‘high’, and any such attack would need to be launched from the local network. That explains why it’s been given a CVSS 3.0 impact score of 5.9 with an exploitability score of only 2.2.

We get some clues to the complexity required for exploitation in comments added to Red Hat’s advisory, which states that it requires the attacker to “manipulate socket state while a network namespace is being torn down.” So, not easy then.

Ubuntu’s Seth Arnold added:

I haven’t yet seen evidence to support allegations that this is remotely exploitable. Blacklisting rds.ko module is probably sufficient to prevent the vulnerable code from loading.

Discovered earlier this year, the vulnerability was patched in version 5.0.8, which appeared last month. More information on how this affects individual distributions can be found on advisories issued by Red Hat, Ubuntu, Debian and SUSE.

As with any OS, Linux and its many modules suffer from these issues from time to time. In January, three flaws were found in the contentious system manager SystemD, not helped by the publication of code to exploit them by a company called Capsule8.

More recently CVE-2019-5736 emerged, a flaw in something called runC used by software such as Docker, Kubernetes, cri-o, and containerd.