Red Hat Bugzilla – Bug 663542
CVE-2010-4347 kernel: local privilege escalation via /sys/kernel/debug/acpi/custom_method
Last modified: 2015-07-31 02:35:21 EDT
Reported by Dave Jones, currently we have:
--w--w--w-. 1 root root 0 2010-11-11 14:56 /sys/kernel/debug/acpi/custom_method
which is just crazy. Change this to --w-------.
This custom_method file allows to inject custom ACPI methods into the ACPI interpreter tables. This control file was introduced with world writeable permissions in Linux Kernel 2.6.33.
This issue did not affect the version of Linux kernel as shipped with Red Hat
Enterprise Linux 4, 5, and 6 as they did not include upstream commit a1a541d8 and a25ee920 that introduced the problem. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0330.html.
This requires debugfs to be mounted on a local system in order to have access to the custom_method file. Debugfs is not mounted by default. You need to run "mount -t debugfs nodev /sys/kernel/debug" as root first.
This issue has been addressed in following products:
MRG for RHEL-5
Via RHSA-2011:0330 https://rhn.redhat.com/errata/RHSA-2011-0330.html