According to a report by CrowdStrike, the biggest Linux-based malware families were really about system administration security blunders with telnet, SSH, and Docker, not Linux at all which does not exclude that Linux is perfect.
Despite this, a new nasty Linux kernel problem has just appeared. There’s a heap overflow bug in the legacy_parse_param in the Linux kernel’s fs/fs_context.c program. This parameter is used in Linux filesystems during superblock creation for mount and superblock reconfiguration for a remount. The superblock records all of a filesystem’s characteristics such as file size, block size, empty and filled storage blocks. So, yeah, it’s important.
The legacy_parse_param() “PAGE_SIZE – 2 – size” calculation was mistakenly made an unsigned type. This means a large value of “size” results in a high positive value instead of a negative value as expected.
How bad is this?
The Common Vulnerability Scoring System (CVSS) v3.1 scoring test says it’s a solid 7.7 – a considered high-security vulnerability. In fact, an attacker can use it to escalate their user privileges or crash the system via a special crafted program that triggers this integer overflow which gives the attacker root privileges.
To exploit it requires the CAP_SYS_ADMIN privilege to be enabled. An unprivileged local user can open a filesystem that does not support the File System Context application programming interface (API). In this situation, it drops back to legacy handling, and from there, the flaw can escalate an attacker’s system privileges.
You can disable security hole by disabling user namespaces by setting user.max_user_namespaces to with the following shell code on the Red Hat Linux family.
- echo “user.max_user_namespaces=0” > /etc/sysctl.d/userns.conf
- sysctl -p /etc/sysctl.d/userns.conf
On Ubuntu and related distros, you can protect your system with this shellcode:
- sysctl -w kernel.unprivileged_userns_clone=0
However,remember that you must have namespace available on containerized Linux distros, such as Red Hat OpenShift Container Platform since it needs this functionality enabled.