
Researchers Reveal New Linux Kernel ‘StackRot’ Privilege Escalation Vulnerability
Details have emerged about a newly identified security flaw in the Linux kernel that could allow users to gain elevated privileges on target hosts.
Nicknamed StackRot (CVE-2023-3269, CVSS score: 7.8), the flaw affects Linux versions 6.1 to 6.4. There is no evidence that the deficiency has been exploited in the wild to date.
“Because StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal ability to trigger it,” Peking University security researcher Ruihan Li said.
“However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. As a result, exploiting this vulnerability has been deemed challenging.”
Following responsible disclosure on June 15, 2023, the flaw was addressed in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023, after a two-week effort led by Linus Torvalds.
A proof-of-concept (PoC) exploit and additional technical specifications about the bug are expected to be published by the end of the month.
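As a first-pass triage aid, the following added example (not part of the article, and not code from the kernel project or the researcher) maps a `uname -r` string onto the affected and fixed version ranges the article gives: 6.1 to 6.4 affected, fixed in 6.1.37, 6.3.11 and 6.4.1. The "vulnerable" verdict for the 6.2 series is an assumption drawn from the fact that the article lists no fixed 6.2.y release. Distribution kernels frequently backport fixes without bumping the upstream version, so a "vulnerable" result here means "check your vendor's advisory", not "confirmed exploitable".

```bash
#!/bin/bash
# Added example: classify a kernel version string against the StackRot
# (CVE-2023-3269) ranges stated in the article. Returns one of:
#   vulnerable   - inside 6.1..6.4 and below the listed stable fix
#   fixed        - at or above 6.1.37 / 6.3.11 / 6.4.1 in its series
#   not-affected - outside the 6.1..6.4 range
#   unknown      - empty or unparseable input
# Caveat: distro kernels may carry the fix without a version bump.
stackrot_status() {
    v="$1"
    [ -n "$v" ] || { echo "unknown"; return 0; }
    # Keep only the leading "major.minor[.patch]" part of e.g. "6.1.12-arch1-1".
    base=$(printf '%s\n' "$v" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/')
    case "$base" in
        *[!0-9.]*|"") echo "unknown"; return 0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # "6.4" with no patch component means 6.4.0.
    [ "$patch" = "$rest" ] && patch=0
    if [ "$major" -ne 6 ]; then echo "not-affected"; return 0; fi
    case "$minor" in
        1) if [ "$patch" -ge 37 ]; then echo "fixed"; else echo "vulnerable"; fi ;;
        2) echo "vulnerable" ;;   # assumption: no fixed 6.2.y release is listed in the article
        3) if [ "$patch" -ge 11 ]; then echo "fixed"; else echo "vulnerable"; fi ;;
        4) if [ "$patch" -ge 1 ];  then echo "fixed"; else echo "vulnerable"; fi ;;
        *) echo "not-affected" ;;  # 6.0 and 6.5+ are outside the stated range
    esac
}

# Usage: classify the running kernel.
echo "$(uname -r 2>/dev/null): $(stackrot_status "$(uname -r 2>/dev/null)")"
```

Run it on each host (or feed it the output of an inventory query) and treat "vulnerable" as a prompt to verify the package changelog or vendor advisory rather than as a final answer.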
The flaw is rooted in a data structure called a maple tree, which was introduced in Linux kernel 6.1 as a replacement for the red-black tree (rbtree) used to manage and store virtual memory areas (VMAs): contiguous virtual address ranges that can hold the contents of files on disk or the memory used by programs during execution.
Specifically, it is described as a use-after-free bug that local users can exploit to compromise the kernel and elevate their privileges, by taking advantage of the fact that maple trees “can suffer node replacement without properly obtaining the MM write lock.”
“By the way, I thought I’d like to actually move all the stack expansion code to its own new file, rather than splitting it up between mm/mmap.c and mm/memory.c, but since this had to be backported to maple tree VMA’s initial introduction, I tried to keep patches _reasonably_ minimal,” said Torvalds.