A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base addresses of the .text and stack sections of setuid binaries, and thus to bypass ASLR, because install_exec_creds() is called too late in this function (the credentials of the new program are installed after the point at which the mappings can already be observed).
References:
https://seclists.org/oss-sec/2019/q2/9
https://www.openwall.com/lists/oss-security/2019/04/03/4
Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f834ec18defc369d73ccf9e87a2790bfa05bf46
Notes: In our research we were not able to reproduce the issue with the standard RHEL-7 kernel, but only with a modified kernel with a specially inserted delay, which widens the race window. This means the race condition still exists, i.e. the system is still vulnerable, but it is hard to hit.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 via RHSA-2020:1016 https://access.redhat.com/errata/RHSA-2020:1016
Red Hat Enterprise Linux 7 via RHSA-2020:1070 https://access.redhat.com/errata/RHSA-2020:1070
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11190