Naked Security

Stack Clash Linux vulnerability: you need to patch now

If you're running Linux-based IoT devices, remember that attackers are particularly focusing on these - so make sure you patch all your penguin-based devices

In its 2017 malware forecast, SophosLabs warned that attackers would increasingly target Linux. Now comes another example of the problem: a Linux vulnerability called Stack Clash that attackers could exploit to corrupt system memory and launch malicious code.

The flaw, discovered by researchers at Qualys, is in the memory management of several operating systems and affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64.

Every program that runs on computers uses a memory region called the stack, which grows organically as the program needs more memory. But, as Qualys noted:

If it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around.

Researchers found that attackers could exploit Stack Clash to literally clash or ram the stack against another memory region. To exploit the flaw, one must first target the primary vulnerability, as outlined in CVE-2017-1000364. But the researchers discovered more vulnerabilities – some secondary, others directly related – that could be used in similar fashion.

Stack clashing is an old technique first exploited in 2005 and then in 2010. After the 2010 exploit, Linux introduced a protection against such exploits called the stack guard-page. Though it has helped, stack clashes remain widespread.
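To make the guard-gap idea concrete, here is an added example (my code, not the article's or Qualys's) that parses a /proc/self/maps listing and measures the distance between the stack's lowest address and the nearest mapping below it. The 1 MiB threshold is the default gap (256 pages) that the patched Linux kernels adopted after Stack Clash; the two sample listings are constructed, not captured from a real system.

```c
#include <stdio.h>
#include <string.h>

/* Post-fix Linux default: 256 guard pages below the stack (1 MiB on 4 KiB pages). */
#define GUARD_GAP_BYTES (256ULL * 4096ULL)

/* Return the line after p, or NULL when the text is exhausted. */
static const char *next_line(const char *p)
{
    const char *nl = strchr(p, '\n');
    return (nl && nl[1]) ? nl + 1 : NULL;
}

/* Parse one maps line ("start-end perms offset dev inode [path]") into its
 * address range and report whether it is the [stack] mapping. */
static int parse_line(const char *p, unsigned long long *start,
                      unsigned long long *end, int *is_stack)
{
    char buf[512];
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= sizeof buf) len = sizeof buf - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    *is_stack = strstr(buf, "[stack]") != NULL;
    return sscanf(buf, "%llx-%llx", start, end) == 2;
}

/* Bytes between the stack's lowest address and the end of the nearest
 * mapping below it; 0 if the listing has no [stack] line. */
unsigned long long stack_gap_bytes(const char *maps)
{
    unsigned long long stack_start = 0, below_end = 0, s, e;
    int is_stack, found = 0;
    const char *p;
    for (p = maps; p; p = next_line(p))
        if (parse_line(p, &s, &e, &is_stack) && is_stack) { stack_start = s; found = 1; }
    if (!found) return 0;
    for (p = maps; p; p = next_line(p))   /* nearest mapping that ends at or below the stack */
        if (parse_line(p, &s, &e, &is_stack) && !is_stack && e <= stack_start && e > below_end)
            below_end = e;
    return stack_start - below_end;
}

/* 1 if the gap meets the post-Stack-Clash default, 0 otherwise. */
int stack_gap_ok(const char *maps) { return stack_gap_bytes(maps) >= GUARD_GAP_BYTES; }

/* Constructed sample listings (not from a real system): a wide gap, and the
 * old single-guard-page situation where a mapping ends 4 KiB below the stack. */
const char *SAMPLE_WIDE_GAP =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo\n"
    "7ffff7dd0000-7ffff7df0000 r-xp 00000000 08:01 5678 /lib/ld.so\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";
const char *SAMPLE_ONE_PAGE =
    "7ffffffcd000-7ffffffdd000 rw-p 00000000 00:00 0 \n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");          /* live check on Linux */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("gap below stack: %llu bytes (%s)\n", stack_gap_bytes(buf),
           stack_gap_ok(buf) ? "meets 1 MiB default" : "below 1 MiB default");
    return 0;
}
```

Run it on a patched system and the live gap should be at least 1 MiB; a value of exactly one page indicates a kernel still relying on the single guard page described above.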

The researchers developed seven exploits and proofs of concept, then worked with the affected vendors on a fix. As a result, Qualys said:

We are releasing this advisory today as a coordinated effort, and patches for all distributions are available June 19, 2017. We strongly recommend that users place a high priority on patching these vulnerabilities immediately.

Lack of consistent patching among Linux users is one of the biggest reasons that attackers are focusing on it more intently. It’s a reminder to all that security updates need to be applied as soon as possible.


2 Comments

I think the last paragraph about IoT devices is for once needless fear mongering for two reasons. Firstly, this bug is x86 and AMD64 specific, while most IoT devices use much cheaper ARM or other RISC processors. Secondly, the discussion on the CVE suggests that this bug would be hard to exploit remotely, which is the main risk on IoT devices. (There was a suggestion that the Exim email server might be exploitable, but that is very unlikely to be running on your average consumer router, baby monitor or the like.)

So while this is a serious bug, and Linux sysadmins need to patch their servers, for once IoT users are no worse off than they were already.


Hi, David. Thanks for the comment. You are correct that this particular issue doesn’t affect IoT devices, so I can understand your concerns about fear mongering. FUD was not my goal, however. The reason I mentioned it at the end of the story is because I felt the need to note that Linux is increasingly being targeted to get at such devices; that while this particular flaw isn’t ultimately an IoT issue, attackers will increasingly be targeting Linux for that purpose in the future. The ultimate message I sought to convey is that Linux users need to take patching much more seriously. Stack Clash is one reason why. The increased attempts to target IoT via Linux is another.

That said, I don’t want to leave others with the impression you had, so I’ve removed the final sentence.

Hope that helps, and thanks for keeping us honest!
