Linux kernel perf_swevent_enabled array out-of-bound access privilege escalation vulnerability

Overview

The Linux kernel’s Performance Events implementation is susceptible to an out-of-bounds array vulnerability that may be used by a local unprivileged user to escalate privileges.

Description

The Linux kernel’s Performance Events implementation is susceptible to an out-of-bounds array vulnerability that may be used by a local unprivileged user to escalate privileges. Additional analysis of the vulnerability may be found in the Red Hat bug report. A public exploit is available that has been reported to work against some Linux distributions.

---

Impact

A local authenticated user may be able to exploit this vulnerability to escalate privileges.

---

Solution

Apply an Update

Red Hat, Debian, CentOS, and Ubuntu have all released patches. Users should receive the patches through their Linux distributions’ normal update process.

Affected Distributions

* Red Hat Enterprise Linux 6 & Red Hat Enterprise MRG 2
* CentOS 6
* Debian 7.0 (Wheezy)
* Ubuntu 12.04 LTS, 12.10, 13.04

Other distributions may be affected but were not confirmed at the time of publication.

If you are unable to upgrade, please consider the following workaround.

Red Hat has provided mitigation advice in Red Hat Knowledge Solution 373743.

---

Vendor Information

774103

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

CentOS Affected

Updated: May 17, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://lists.centos.org/pipermail/centos-announce/2013-May/019729.html&gt;
• <http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html&gt;

Debian GNU/Linux Affected

Updated: May 17, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.debian.org/security/2013/dsa-2669&gt;

Red Hat, Inc. Affected

Updated: May 17, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://bugzilla.redhat.com/show_bug.cgi?id=962792&gt;
• <https://rhn.redhat.com/errata/RHSA-2013-0830.html&gt;

Ubuntu Affected

Updated: May 17, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.ubuntu.com/usn/usn-1825-1/&gt;
• <http://www.ubuntu.com/usn/usn-1826-1/&gt;
• <http://www.ubuntu.com/usn/usn-1827-1/&gt;
• <http://www.ubuntu.com/usn/usn-1828-1/&gt;

Fedora Project Unknown

Updated: May 17, 2013

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Updated: May 17, 2013

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Updated: May 17, 2013

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	6.8	AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal	5.9	E:ND/RL:OF/RC:C
Environmental	4.4	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• <https://rhn.redhat.com/errata/RHSA-2013-0830.html&gt;
• <http://www.debian.org/security/2013/dsa-2669&gt;
• <http://www.ubuntu.com/usn/usn-1825-1/&gt;
• <http://www.ubuntu.com/usn/usn-1826-1/&gt;
• <http://www.ubuntu.com/usn/usn-1827-1/&gt;
• <http://www.ubuntu.com/usn/usn-1828-1/&gt;
• <http://lists.centos.org/pipermail/centos-announce/2013-May/019729.html&gt;
• <http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html&gt;
• <https://bugzilla.redhat.com/show_bug.cgi?id=962792&gt;
• <https://bugzilla.redhat.com/show_bug.cgi?id=962792#c16&gt;
• <https://bugzilla.redhat.com/show_bug.cgi?id=962799&gt;
• <http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b0a873ebbf87bf38bf70b5e39a7cadc96099fa13&gt;
• <http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/kernel/events/core.c?id=8176cced706b5e5d15887584150764894e94e02f&gt;
• <http://packetstormsecurity.com/files/121616/semtex.c&gt;
• <http://lkml.indiana.edu/hypermail/linux/kernel/1304.1/03652.html&gt;
• <http://www.reddit.com/r/netsec/comments/1eb9iw/sdfucksheeporgs_semtexc_local_linux_root_exploit/c9ykrck&gt;

Acknowledgements

Tommi Rantala discovered this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2013-2094
Date Public:	2013-05-14 Date First Published: