News

Palo Alto Networks researcher discovers Linux privilege escalation vulnerability

A privilege escalation vulnerability had been lurking in the Linux kernel all this time until being discovered by a Palo Alto Networks researcher last week.

Assigned CVE-2020-14386, the memory corruption flaw can be exploited by a standard user to gain extended permissions as an administrator (root) on Linux systems.

“A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity,” reads the vulnerability’s official NVD description.

Or Cohen of Palo Alto Networks has been credited with discovering the vulnerability.

In a blog post for the company’s Unit42 blog, Cohen stated:

“Specifically, in order for the vulnerability to be triggerable, we need the kernel to have AF_PACKET sockets enabled (CONFIG_PACKET=y) and the CAP_NET_RAW privilege for the triggering process, which can be obtained in an unprivileged user namespace if user namespaces are enabled (`CONFIG_USER_NS=y`) and accessible to unprivileged users.”

“Surprisingly, this long list of constraints is satisfied by default in some distributions, like Ubuntu,” continued Cohen.

According to Cohen, similar vulnerabilities have been reported in the past:

“A few years ago, several vulnerabilities were discovered in packet sockets (CVE-2017-7308 and CVE-2016-8655), and there are some publications, such as this one in the Project Zero blog and this in Openwall, which give some overview of the main functionality,” he said in the post.

However, the fixes previously applied by the project developers did not sufficiently resolve the memory corruption vulnerabilities, which is why Cohen was able to provide a Proof-of-Concept (PoC) exploit to demonstrate the flaw persisted.

A patch proposed by the researcher can be used to resolve the bug:

Patch proposed by Cohen to resolve CVE-2020-14386
Source: Palo Alto Networks

“I was surprised that such simple arithmetic security issues still exist in the Linux kernel and haven’t been previously discovered,” said Cohen.

“Also, unprivileged user namespaces expose a huge attack surface for local privilege escalation, so distributions should consider whether they should enable them or not,” the researcher concluded.

Cohen’s thorough technical findings are provided in the blog post.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.