Bug 1730895 (CVE-2019-13272) - CVE-2019-13272 kernel: broken permission and object lifetime handling for PTRACE_TRACEME
Status: CLOSED ERRATA
Alias: CVE-2019-13272
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1730897, 1730956 (Engineering), 1730957 (Engineering), 1730958 (Engineering), 1730959 (Engineering), 1730960 (Engineering), 1731005 (Red Hat)
Blocks: 1730901 (Embargoed)
Reported: 2019-07-17 20:06 UTC by Laura Pardo
Modified: 2021-10-07 10:31 UTC (History)

Fixed In Version: kernel 5.1.17
Doc Text:
A flaw was found in the way PTRACE_TRACEME functionality was handled in the Linux kernel. The kernel's implementation of ptrace can inadvertently grant elevated permissions to an attacker who can then abuse the relationship between the tracer and the process being traced. This flaw could allow a local, unprivileged user to increase their privileges on the system or cause a denial of service.
Last Closed: 2019-08-07 13:18:23 UTC



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:2685 | 0 | None | None | None | 2019-09-09 13:25:33 UTC
Red Hat Product Errata | RHSA-2019:2405 | 0 | None | None | None | 2019-08-07 12:57:48 UTC
Red Hat Product Errata | RHSA-2019:2411 | 0 | None | None | None | 2019-08-07 15:18:37 UTC
Red Hat Product Errata | RHSA-2019:2809 | 0 | None | None | None | 2019-09-20 11:54:33 UTC

Description Laura Pardo 2019-07-17 20:06:24 UTC
A flaw was found in the kernel's implementation of ptrace, which could inadvertently grant elevated permissions to an attacker who could abuse the relationship between the tracer and the process being traced.

The mechanism used to link the process requesting the ptrace and the process being ptraced could allow a local user to obtain root-level privileges by creating an opportunity to abuse the frequently used pattern of dropping privileges and then calling execve for a child with reduced privileges/permissions.


References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.17
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6994eefb0053799d2e07cd140df6c2ea106c41ee
https://github.com/torvalds/linux/commit/6994eefb0053799d2e07cd140df6c2ea106c41ee

Comment 1 Laura Pardo 2019-07-17 20:12:32 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1730897]

Comment 6 Wade Mealing 2019-07-18 03:51:57 UTC
This flaw is rated as Important. The attack vector is available by default in the affected installations, and the SELinux boolean to deny ptrace is not enabled by default.

Comment 9 Petr Matousek 2019-07-18 18:04:10 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/articles/4292201

Comment 10 Petr Matousek 2019-07-18 18:04:14 UTC
Mitigation:

For mitigation, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/articles/4292201

Comment 13 errata-xmlrpc 2019-08-07 12:57:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2405 https://access.redhat.com/errata/RHSA-2019:2405

Comment 14 Product Security DevOps Team 2019-08-07 13:18:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13272

Comment 15 errata-xmlrpc 2019-08-07 15:18:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2411 https://access.redhat.com/errata/RHSA-2019:2411

Comment 17 Sam Fowler 2019-08-16 01:40:37 UTC
This issue has been addressed in the following products:

  OpenShift Container Platform 4

Via RHBA-2019:2417 https://access.redhat.com/errata/RHBA-2019:2417

Comment 22 errata-xmlrpc 2019-09-20 11:54:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2809 https://access.redhat.com/errata/RHSA-2019:2809

Comment 23 Sam Fowler 2020-05-18 06:38:03 UTC
OpenShift Container Platform 4 does not ship its own kernel package, instead using versions shipped in RHEL. Removing from flaw bug affects.

