Old Linux kernel security bug bites

A Linux developer discovered a serious security hole that's been hiding for years in an out-of-date driver.

OK, hands up, who knows what High-Level Data Link Control (HDLC) is? It's an archaic networking data framing protocol that's used in modems, X.25, frame-relay, ISDN, and other now uncommon networking technologies. I know it because I used to work with them back in the day. You'll get to know it now because a researcher discovered a security hole hidden within the Linux kernel driver that implements it.

Linux processes

An obsolete Linux driver bears within it a nasty security hole.

Alexander Popov, a young and rising Linux developer at Russia's Positive Technologies, found and fixed the flaw. The bug had been living in the Linux kernel since June 2009.

Specifically, Popov discovered a race condition flaw in the n_hdlc driver (drivers/tty/n_hdlc.c) in the Linux kernel through 4.10.1 (CVE-2017-2636). This is part of the TTY/Serial driver development tree. A local, unprivileged user can use this hole to gain higher privileges on a vulnerable system or cause a denial-of-service attack.

The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 7.8, which gives it a High rating, just below critical. Exploiting this flaw is relatively easy and doesn't require specialized hardware or peripherals to be attacked in the targeted system.

What all this adds up to you is you should patch for this problem as soon as possible. The fix is ready in the mainline kernel and it's being deployed to most Linux distributions.

Red Hat reports that the issue impacts the Linux kernel packages shipped with Red Hat Enterprise Linux (RHEL) 6, 7, and Red Hat Enterprise MRG 2, Red Hat's real-time Linux. Red Hat will soon release updates for its operating systems.

Canonical, Ubuntu's parent company, has released patches for most of its versions. SUSE is still working on its patches, but they're expected to be out shortly.

Now, you might wonder, "Why the heck do I have to worry about a modem driver in 2017!" Well, it's like this. Although it's almost never used, its module is included with most shipping Linux kernels. It is not normally loaded, but as Popov explained in a later note, "The module is automatically loaded if an unprivileged user opens a pseudoterminal and calls TIOCSETD ioctl for it setting N_HDLC line discipline."

Now, that may sound complicated, but it's not. It's easy to do, which means it's easy for a local user to exploit. Before poo-pooing this as a non-issue, keep in mind that with hosted and cloud computing, many people have "local" access to Linux servers.

To see if the module is on your system run this command:

# modinfo n_hdlc

If this command doesn't find the module, you need not worry about this problem. But, if it does, then check to see it's in use with the following command:

# lsmod | grep n_hdlc

Unless you're running an odd network configuration, it shouldn't be loaded. And you'll get an error message saying the module or filename is missing. If has been loaded, odds are someone is hacking your system.

Now, if your distribution doesn't have a patch yet, you can stop this problem from ever erupting by blocking this module from being loaded. You do this by manually preventing the kernel from being loaded. You fix this by modifying your system-wide modprobe rules by running the following command as root:

# echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf

If the module has already been loaded, reboot the system and it won't load again. According to Red Hat, this is a robust method that will prevent accidental loading of the module, even by privileged users.

Related Stories:

Editorial standards