Linux systems running kernels prior to 5.0.8 require patching after news emerged of a high-severity flaw that could be remotely exploited.
According to the NIST advisory, CVE-2019-11815 is a race condition affecting the kernel’s rds_tcp_kill_sock in net/rds/tcp.c, “leading to a use-after-free, related to net namespace cleanup.”
The RDS part refers to the kernel’s Reliable Datagram Sockets (RDS) over TCP module, which means only systems that run applications using it are affected.
The attention-grabbing part is that this opens unpatched systems to remote compromise and denial of service without the need for system privileges or user interaction.
On the other hand, the attack complexity is described as ‘high’, and any such attack would need to be launched from the local network. That explains why it’s been given a CVSS 3.0 impact score of 5.9 with an exploitability score of only 2.2.
We get some clues to the complexity required for exploitation in comments added to Red Hat’s advisory, which states that it requires the attacker to “manipulate socket state while a network namespace is being torn down.” So, not easy then.
Ubuntu’s Seth Arnold added:
“I haven’t yet seen evidence to support allegations that this is remotely exploitable. Blacklisting rds.ko module is probably sufficient to prevent the vulnerable code from loading.”
Discovered earlier this year, the vulnerability was patched in version 5.0.8, which appeared last month. More information on how this affects individual distributions can be found on advisories issued by Red Hat, Ubuntu, Debian and SUSE.
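The two conditions above (a kernel older than 5.0.8, and the RDS module being loaded or loadable) can be checked together. The script below is an added example, not code from the article or from any distribution. The function names are hypothetical, the sample inputs are constructed, and the `rds_tcp` module name and the modprobe.d `blacklist`/`install` directives come from the kernel and modprobe rather than from this page.

```shell
#!/bin/sh
# Added example: triage CVE-2019-11815 exposure from three text inputs.
FIXED="5.0.8"  # first fixed upstream release, per the article

# kernel_is_older RELEASE: true if RELEASE (uname -r style) is below FIXED.
# Assumption: upstream numbering. Distro kernels backport fixes, so confirm
# against the distribution's advisory before trusting this result.
kernel_is_older() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # "4.15.0-48-generic" -> "4.15.0"
    [ "$ver" = "$FIXED" ] && return 1
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$ver" ]
}

# rds_loaded MODULES: true if /proc/modules-style text lists rds or rds_tcp.
rds_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(rds|rds_tcp) '
}

# rds_blocked CONF: true if modprobe.d-style text blacklists rds or
# overrides its install command with /bin/false or /bin/true.
rds_blocked() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(blacklist[[:space:]]+rds[[:space:]]*$|install[[:space:]]+rds[[:space:]]+/bin/(false|true))'
}

# assess RELEASE MODULES CONF: print a one-word verdict.
assess() {
    if ! kernel_is_older "$1"; then echo "fixed-upstream"
    elif rds_loaded "$2"; then echo "exposed"      # loaded now; blacklisting does not unload
    elif rds_blocked "$3"; then echo "mitigated"
    else echo "loadable"
    fi
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_MODULES='rds_tcp 28672 0 - Live 0x0000000000000000
rds 151552 1 rds_tcp, Live 0x0000000000000000
ext4 737280 1 - Live 0x0000000000000000'
SAMPLE_CONF='# /etc/modprobe.d/disable-rds.conf
blacklist rds'

assess "4.15.0-48-generic" "$SAMPLE_MODULES" ""              # exposed
assess "4.15.0-48-generic" "ext4 737280 1 -" "$SAMPLE_CONF"  # mitigated
assess "5.0.8" "$SAMPLE_MODULES" ""                          # fixed-upstream
# On a live host:
# assess "$(uname -r)" "$(cat /proc/modules)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
```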
As with any OS, Linux and its many modules suffer from these issues from time to time. In January, three flaws were found in the contentious system manager systemd, not helped by the publication of code to exploit them by a company called Capsule8.
More recently CVE-2019-5736 emerged, a flaw in something called runC used by software such as Docker, Kubernetes, cri-o, and containerd.
Ronald Johnson
Good to see the interest in Linux security. As Windows value wanes, and people start switching to obscure systems, we will obviously see much more targeting of GNU oriented OS’s. I love Debian, but I’m not sure that even it is prepared for the onslaught of perverse unethical hacking that Windows has seen.
Mark Stockley
Linux servers attached to the internet are already subject to a continuous onslaught of perverse unethical hacking. Where Windows has malware, Linux on the server has script kiddies with rootkits (and Linux on phones – Android – has a super-sneaky adware problem). Cybercrime is agnostic to operating systems but the goals of the attackers and methods they use are tailored to the different ecological niches they occupy.
Joseph Fry
You do realize that Linux has outnumbered Windows for several years now. If you only count devices that are directly exposed to the internet (web servers, routers, broadband gateways, etc) then it’s like 100x more Linux than Windows.
Linux has always had a lot of focus on security. The only reason you’re confused is that an exploit on Linux is relatively rare and is often far scarier because Linux is in so many devices that are not subject to any sort of automatic update system. For example, your home router is probably Linux based… How often do you, or the vendor, patch it; would you even know a patch existed or that it was even Linux based?
Fortunately, such exploits are relatively rare, and often only impact a subset of Linux devices (the power of building a custom kernel with a limited set of features).
Thomas
@Ronald Johnson as a senior system admin on Linux, I’ll go ahead and put that notion to bed. Debian and all of the other major distros are all prepared. They’ve been doing this for a while now; longer than Windows has even existed.
ininn
You must be referring to BSD kernel, or some other Unix variant. Anyway, the Linux kernel has been in a perpetual state of patching since its conception in ’93. Always has and always will. Microsoft didn’t even start on that concept until the late Nineties. BTW, Linux is not GNU!
George mkd
Yes GNU/Linux
Anonymous
^^ I second that, to say that Linux or other “obscure OS’s” aren’t ready for the unethical hacking community is woefully ignorant. What do you think these unethical hackers are using to do the hacking to begin with? I can guarantee they aren’t using a Windows computer when you have things like Kali.
Dave R
Never say never. It’s a challenge to some people.
Anonymous
Why still use C++ for everything? Either use a subset of C++ in a way that the compiler can 100% exclude those errors or use something like Rust where the compiler does this for all code.
yeah, No (@VoyToy138)
First, the Linux kernel is written in C not C++, and second, if you want to write a work-alike Linux kernel in Rust there’s nobody stopping you, but the answer is that would be a daunting project for anyone and even if you could solve the technical issues, the real work at layer 8 begins to convince people what you are doing is a) superior and b) superior in such a way that rebuilding the billions of systems running Linux now to use this instead is worth the investment in time, money and retraining. GLWT.
Anonymmous
This whole thing has been blown out of proportion. You have to have the module loaded for this to even be an issue. Most likely you don’t have it loaded. #fakenews
SCH
This only becomes an issue if the RDS protocol is using the rds_tcp_kill_sock to kill the session. FreeRDP doesn’t use rds_tcp_kill_sock. You can also use IPTABLES to prevent this exploit with DPI and algo.
TD
The CVE is listed inaccurately in this article. CVE-2019-1181 should be changed to CVE-2019-11815 (hyperlink accurately directs to the latter).
Paul Ducklin
Fixed, thanks!