Vulnerability Alert

Linux Kernel PERF_EVENT perf_swevent_init() Function Privilege Escalation Vulnerability

 
Threat Type: CWE-119: Buffer Errors
IntelliShield ID: 29336
Version: 5
First Published: 2013 May 15 21:29 GMT
Last Published: 2013 May 21 16:51 GMT
Port: Not available
CVE: CVE-2013-2094
BugTraq ID: 59846
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 6.8 (CVSS Version 2.0)
CVSS Temporal: 5.6
 
Version Summary: Red Hat has released additional security advisories and updated packages to address the Linux Kernel PERF_EVENT perf_swevent_init() function privilege escalation vulnerability.
 
 
Description
A vulnerability in the Performance Events (PERF_EVENT) implementation in the Linux Kernel could allow an authenticated, local attacker to escalate privileges on the targeted system.

The vulnerability is due to insufficient validation of user-supplied index data, which results from an integer conversion issue. An attacker could exploit this vulnerability by executing a crafted application on the targeted system. A successful exploit could allow the attacker to execute arbitrary code and completely compromise the targeted system.

Functional code that exploits the vulnerability is publicly available.

Kernel.org has confirmed this vulnerability in the git repository and updated software is available.
 
Warning Indicators
Linux Kernel versions 2.6.37 to 3.8.8 are vulnerable.
 
IntelliShield Analysis
Kernel versions compiled with PERF_EVENTS default options are vulnerable. SELinux in targeted enforcing mode does not mitigate or protect against this vulnerability.

The vulnerability was introduced in the Linux Kernel with the following commit to the git repository: b0a873eb

The vulnerability was introduced into Red Hat Enterprise Linux 6 and Red Hat MRG with the following Red Hat Security Advisory: RHSA-2011:0542-1

Setting the system paranoia level via sysctl kernel.perf_event_paranoid=2 may provide mitigation against the unmodified, publicly available exploit; however, it does not completely mitigate the issue, and the system could remain susceptible to exploitation.

Reports indicate that implementing the Trusted Path Execution kernel module mitigates the vulnerability.
 
Vendor Announcements
Kernel.org has released a summary of changes at the following link: Kernel 3.8.9 - Sat Apr 13 22:49:14 2013 +0300

Red Hat has released a CVE statement and security advisories for bug ID 962792 at the following links: CVE-2013-2094, RHSA-2013:0830, RHSA-2013:0832, RHSA-2013:0840, RHSA-2013:0841 and RHSA-2013:0829

US-CERT has released a vulnerability note at the following link: VU#774103
 
Impact
A local attacker could exploit this vulnerability to execute arbitrary code and completely compromise the targeted system.
 
Technical Information
The vulnerability is due to insufficient validation of user-supplied index data, which results from an integer conversion issue in the PERF_EVENT implementation in the Linux Kernel. The kernel/events/core.c:perf_swevent_init() function of the /kernel/perf_event.c source file uses a u64-formatted integer to access an indexed memory array. Due to this vulnerability, the function could incorrectly treat this integer value as signed and create an effective index value that could allow access to part of the broader 64-bit memory address space.

A local attacker could exploit this vulnerability by executing a crafted program that supplies a crafted event_id parameter, which is used as an index to access the perf_swevent_enabled array. A successful exploit could allow the attacker to overwrite the interrupt vector entry and allow controlled access to user-land memory to elevate privileges and execute arbitrary code, resulting in the complete compromise of the targeted system.
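
The integer conversion issue described above, modelled in user space as an added example; it is not kernel source and not part of the original alert. The names check_narrowed_signed, check_unsigned64, struct check_result and the bound MODEL_SW_MAX are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the number of software event types; the real
 * bound depends on the kernel version. */
#define MODEL_SW_MAX 9

struct check_result {
    int accepted;   /* 1 if the bounds check let the value through */
    int64_t index;  /* effective array index that would be used */
};

/* Flawed pattern: the 64-bit user value is narrowed to a signed int before
 * an upper-bound-only test, so values with bit 31 set turn negative and
 * pass. (Out-of-range narrowing is implementation-defined in C; common
 * compilers keep the low 32 bits.) */
static struct check_result check_narrowed_signed(uint64_t config)
{
    struct check_result r = {0, 0};
    int event_id = (int)config;
    if (event_id >= MODEL_SW_MAX)
        return r;
    r.accepted = 1;
    r.index = event_id;
    return r;
}

/* Corrected pattern: compare at full unsigned 64-bit width. */
static struct check_result check_unsigned64(uint64_t config)
{
    struct check_result r = {0, 0};
    if (config >= MODEL_SW_MAX)
        return r;
    r.accepted = 1;
    r.index = (int64_t)config;
    return r;
}

int main(void)
{
    /* Constructed sample values for the user-supplied event id. */
    const uint64_t samples[] = {3, 9, 0x80000000ull, 0xFFFFFFFFull};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct check_result a = check_narrowed_signed(samples[i]);
        struct check_result b = check_unsigned64(samples[i]);
        printf("0x%llx: narrowed accepted=%d index=%lld | u64 accepted=%d\n",
               (unsigned long long)samples[i], a.accepted,
               (long long)a.index, b.accepted);
    }
    return 0;
}
```

The same review point applies to any code that bounds-checks a user-supplied index: a signed comparison needs a lower-bound test as well, or the value must stay unsigned at its full width.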
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to review the Red Hat knowledgebase article at the following link for mitigation and detection guidance: Does CVE-2013-2094 affect Red Hat Enterprise Linux and Red Hat Enterprise MRG?

Administrators are advised to allow only trusted users to access local systems.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to allow only privileged users to access administration or management systems.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor affected systems.
 
Patches/Software
Kernel.org has released an updated version at the following link: Linux Kernel 3.8.9 or later

CentOS packages can be updated using the up2date or yum command.

Red Hat has released updated software for registered subscribers at the following link: Red Hat Network

Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
 
Alert History
 

Version 4, May 17, 2013, 7:44 PM: Red Hat has released an additional security advisory and updated packages to address the Linux Kernel PERF_EVENT perf_swevent_init() function privilege escalation vulnerability. US-CERT has also released a security advisory to address the vulnerability.

Version 3, May 17, 2013, 4:30 PM: CentOS has released updated packages to address the Linux Kernel PERF_EVENT perf_swevent_init() function privilege escalation vulnerability.

Version 2, May 16, 2013, 7:33 PM: Red Hat has released an additional security advisory and updated packages to address the Linux Kernel PERF_EVENT perf_swevent_init() function privilege escalation vulnerability.

Version 1, May 15, 2013, 9:29 PM: Linux Kernel contains a vulnerability that could allow a local attacker to escalate privileges on the targeted system. Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Linus Torvalds Linux Kernel 2.6.37 Base, .1, .2, .3, .4, .5, .6 | 2.6.38 Base, .1, .2, .3, .4, .5, .6, .7, .8 | 2.6.39 Base, .1, .2, .3, .4 | 3.0 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24, .25, .26, .27, .28, .29, .30, .31, .32, .33, .34, .35, .36, .37, .38, .39, .40, .41, .42, .43, .44, .45, .46, .47, .48, .49, .50, .51, .52, .53, .54, .55, .56, .57, .58, .59, .60, .61, .62, .63, .64, .65, .66, .67, .68, .69 | 3.1 Base, .1, .2, .3, .4, .5, .6, .7, .8 | 3.2 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24, .25, .26, .27, .28, .29, .30, .33, .34, .35, .36, .37, .38, .39, .31, .32, .40, .41 | 3.3 Base, .1, .2, .3, .4, .5, .6, .7, .8 | 3.4 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24, .25, .26, .27, .28, .29, .30, .31, .32, .33, .34, .35, .36, .37 | 3.5 .0, .1, .2, .3, .4, .5, .6, .7 | 3.6 .0, .1 | 3.7 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 3.8 .0, .1, .2, .3, .4

Associated Products:
CentOS Project CentOS 6 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64
Red Hat, Inc. Red Hat Enterprise Linux Server AUS 6.2 IA-32, x86_64 | 6.4 IA-32, x86_64
Red Hat, Inc. Red Hat Enterprise Linux Desktop 6 IA-32, x86_64
Red Hat, Inc. Red Hat Enterprise Linux HPC Node 6 x86_64
Red Hat, Inc. Red Hat Enterprise Linux Server 6 IA-32, PPC, PPC 64, s390x, x86_64
Red Hat, Inc. Red Hat Enterprise Linux Server EUS 6.1.z IA-32, PPC64, s390x, x86_64 | 6.2.z IA-32, PPC64, s390x, x86_64 | 6.3.z IA-32, PPC, PPC64, s390x, x86_64 | 6.4z IA-32, x86_64, PPC, PPC64, s390x
Red Hat, Inc. Red Hat Enterprise Linux Workstation 6 IA-32, x86_64
Red Hat, Inc. Red Hat Enterprise MRG for Enterprise Linux 1 x86_64 | 2 x86_64



