Bug 1730895 (CVE-2019-13272) - CVE-2019-13272 kernel: broken permission and object lifetime handling for PTRACE_TRACEME
Status: CLOSED ERRATA
Alias: CVE-2019-13272
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1730957 1730959 1730897 1730956 1730958 1730960 1731005
Blocks: 1730901
Reported: 2019-07-17 20:06 UTC by Laura Pardo
Modified: 2019-09-29 15:17 UTC (History)

Fixed In Version: kernel 5.1.17
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way PTRACE_TRACEME functionality was handled in the Linux kernel. The kernel's implementation of ptrace can inadvertently grant elevated permissions to an attacker who can then abuse the relationship between the tracer and the process being traced. This flaw could allow a local, unprivileged user to increase their privileges on the system or cause a denial of service.
Last Closed: 2019-08-07 13:18:23 UTC




Links
System                  ID              Last Updated
Red Hat Product Errata  RHBA-2019:2685  2019-09-09 13:25:33 UTC
Red Hat Product Errata  RHSA-2019:2405  2019-08-07 12:57:48 UTC
Red Hat Product Errata  RHSA-2019:2411  2019-08-07 15:18:37 UTC
Red Hat Product Errata  RHSA-2019:2809  2019-09-20 11:54:33 UTC

Description Laura Pardo 2019-07-17 20:06:24 UTC
A flaw in the kernel's implementation of ptrace which could inadvertently grant elevated permissions to an attacker who could abuse the relationship between the tracer and the process being traced.

The mechanism used to link the process requesting the ptrace and the process being ptraced could allow a local user to obtain root-level privileges by creating an opportunity to abuse the frequently used pattern of dropping privileges and then calling execve on a child with reduced privileges/permissions.


References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.17
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6994eefb0053799d2e07cd140df6c2ea106c41ee
https://github.com/torvalds/linux/commit/6994eefb0053799d2e07cd140df6c2ea106c41ee

Comment 1 Laura Pardo 2019-07-17 20:12:32 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1730897]

Comment 2 Wade Mealing 2019-07-18 02:09:23 UTC
Running the reproducer against the following releases provided basic results:

Red Hat Enterprise Linux 8 -     Affected
Red Hat Enterprise Linux 7-alt - Did not reproduce
Red Hat Enterprise Linux 7 -     Did not reproduce
Red Hat Enterprise Linux 6 -     Did not reproduce
Red Hat Enterprise Linux 5 -     Did not reproduce


Mitigation:

The reproducer shown in Google Project Zero's example was able to be mitigated by enabling the SELinux boolean that disables ptrace.

This requires SELinux to be enabled AND the following boolean to be set (not by default).

The SELinux boolean deny_ptrace will prevent all processes, even those that are running in unconfined_t domains, from being able to use ptrace() on other processes.

The deny_ptrace Boolean is disabled by default. To enable it, run the setsebool -P deny_ptrace on command as the root user:

~]# setsebool -P deny_ptrace on

To verify if this Boolean is enabled, use the following command:

~]$ getsebool deny_ptrace
deny_ptrace --> on

The setsebool -P command makes persistent changes. Do not use the -P option if you do not want changes to persist across reboots.

** Note: disabling ptrace will also prevent SOME userspace utilities like gdb and strace from working correctly. This SELinux boolean can be disabled again with the setsebool command to allow these tools to work once the kernel has been updated.
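
A host-side check derived from the mitigation described above, added here as an example; it is not part of the bug report or of Red Hat's guidance. It assumes the standard output formats of uname -r, getenforce and getsebool, and treats the workaround as effective only in Enforcing mode, since Permissive mode logs denials without applying them:

```shell
# Added example, not part of the bug report: a local exposure check for
# CVE-2019-13272 from two facts the report gives, the upstream fix version
# (kernel 5.1.17) and the SELinux deny_ptrace workaround. Vendor kernels backport
# fixes, so the version test is only a hint; the report's errata are authoritative.
FIXED_UPSTREAM="5.1.17"

# version_ge A B: succeed when dotted version A is at least B. Only the first three
# numeric fields count; a release tag such as "-300.fc30.x86_64" is ignored.
version_ge() {
    a=$(printf '%s' "$1" | tr '.-' '  '); b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # drop non-numeric tails such as "rc1"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# deny_ptrace_effective MODE BOOL: succeed only when MODE (getenforce output) is
# Enforcing and BOOL (getsebool deny_ptrace output) reports the boolean on. In
# Permissive mode the boolean is set but the denial is only logged, not applied.
deny_ptrace_effective() {
    [ "$1" = "Enforcing" ] || return 1
    case "$2" in
        "deny_ptrace --> on") return 0 ;;
        *) return 1 ;;
    esac
}

# Live check of this host; getenforce/getsebool may be absent (no SELinux), and the
# fallbacks then report the workaround as not active.
report() {
    kver=$(uname -r)
    if version_ge "$kver" "$FIXED_UPSTREAM"; then
        echo "kernel $kver: at or above upstream fix $FIXED_UPSTREAM"
    else
        echo "kernel $kver: below $FIXED_UPSTREAM; check vendor errata for a backport"
    fi
    mode=$(getenforce 2>/dev/null || echo Disabled)
    bool=$(getsebool deny_ptrace 2>/dev/null || echo "deny_ptrace --> unknown")
    if deny_ptrace_effective "$mode" "$bool"; then
        echo "workaround active: SELinux $mode, $bool"
    else
        echo "workaround not active ($mode, $bool); setsebool -P deny_ptrace on enables it"
    fi
}
report
```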

Comment 6 Wade Mealing 2019-07-18 03:51:57 UTC
This flaw is rated as Important. The attack vector is available by default in the affected installations, and the SELinux boolean to deny ptrace is not enabled by default.

Comment 9 Petr Matousek 2019-07-18 18:04:10 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/articles/4292201

Comment 10 Petr Matousek 2019-07-18 18:04:14 UTC
Mitigation:

For mitigation, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/articles/4292201

Comment 13 errata-xmlrpc 2019-08-07 12:57:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2405 https://access.redhat.com/errata/RHSA-2019:2405

Comment 14 Product Security DevOps Team 2019-08-07 13:18:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13272

Comment 15 errata-xmlrpc 2019-08-07 15:18:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2411 https://access.redhat.com/errata/RHSA-2019:2411

Comment 17 Sam Fowler 2019-08-16 01:40:37 UTC
This issue has been addressed in the following products:

  OpenShift Container Platform 4

Via RHBA-2019:2417 https://access.redhat.com/errata/RHBA-2019:2417

Comment 22 errata-xmlrpc 2019-09-20 11:54:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2809 https://access.redhat.com/errata/RHSA-2019:2809

