New Kernel Vulnerability Allows Local Root For Unprivileged Processes

There is yet another new Linux kernel vulnerability being disclosed today that allows for unprivileged processes to gain kernel code execution abilities.

This new vulnerability is CVE-2016-8655 but it doesn't seem to be getting too much attention yet. CVE-2016-8655 comes down to a race condition within the af_packet.c code for gaining local root access. The researcher that found it was able to write an exploit to gain root shell on an Ubuntu 16.04 LTS system and defeats SMEP/SMAP protection too.

Philip Pettersson, who discovered this issue, is explained via this oss-sec list message. "To create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc). It can be triggered from within containers to compromise the host kernel. On Android, processes with gid=3004/AID_NET_RAW are able to create AF_PACKET sockets (mediaserver) and can trigger the bug."

This vulnerability to the Linux kernel has been present since 2011. The code was fixed in the mainline kernel last week: so you better go update your kernel. More details on the Red Hat CVE area.