How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 [ 19/June/2017 ]
============================================================

[![](https://www.cyberciti.biz/media/new/category/old/linux-logo.png)][12]

A very serious security problem has been found in the Linux kernel called “The Stack Clash.” It can be exploited by attackers to corrupt memory and execute arbitrary code. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative/root account privileges. How do I fix this problem on Linux?

[![the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris](https://www.cyberciti.biz/media/new/faq/2017/06/the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris.jpeg)][22]

The Qualys Research Labs discovered various problems in the dynamic linker of the GNU C Library (CVE-2017-1000366) that allow local privilege escalation by clashing the stack, including in the Linux kernel. This bug affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. It can be exploited by attackers to corrupt memory and execute arbitrary code.

### What is CVE-2017-1000364 bug?

[From RHN][13]:

> A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult.

[As per the original research post][14]:

> Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory.
> But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around.

### A list of affected Linux distros

1. Red Hat Enterprise Linux Server 5.x
2. Red Hat Enterprise Linux Server 6.x
3. Red Hat Enterprise Linux Server 7.x
4. CentOS Linux Server 5.x
5. CentOS Linux Server 6.x
6. CentOS Linux Server 7.x
7. Oracle Enterprise Linux Server 5.x
8. Oracle Enterprise Linux Server 6.x
9. Oracle Enterprise Linux Server 7.x
10. Ubuntu 17.10
11. Ubuntu 17.04
12. Ubuntu 16.10
13. Ubuntu 16.04 LTS
14. Ubuntu 12.04 ESM (Precise Pangolin)
15. Debian 9 stretch
16. Debian 8 jessie
17. Debian 7 wheezy
18. Debian unstable
19. SUSE Linux Enterprise Desktop 12 SP2
20. SUSE Linux Enterprise High Availability 12 SP2
21. SUSE Linux Enterprise Live Patching 12
22. SUSE Linux Enterprise Module for Public Cloud 12
23. SUSE Linux Enterprise Build System Kit 12 SP2
24. SUSE Openstack Cloud Magnum Orchestration 7
25. SUSE Linux Enterprise Server 11 SP3-LTSS
26. SUSE Linux Enterprise Server 11 SP4
27. SUSE Linux Enterprise Server 12 SP1-LTSS
28. SUSE Linux Enterprise Server 12 SP2
29. SUSE Linux Enterprise Server for Raspberry Pi 12 SP2

### Do I need to reboot my box?

Yes, because most services depend on the dynamic linker of the GNU C Library, and the kernel itself needs to be reloaded into memory.

### How do I fix CVE-2017-1000364 on Linux?

Type the commands as per your Linux distro. You need to reboot the box. Before you apply the patch, note down your current kernel version:

```
$ uname -a
$ uname -mrs
```

Sample outputs:

```
Linux 4.4.0-78-generic x86_64
```

### Debian or Ubuntu Linux

Type the following [apt command][15]/[apt-get command][16] to apply updates:

```
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
```

Sample outputs:

```
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386 linux-compiler-gcc-6-x86 linux-headers-4.9.0-3-amd64 linux-headers-4.9.0-3-common linux-image-4.9.0-3-amd64
  linux-kbuild-4.9 linux-libc-dev locales multiarch-support
14 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/62.0 MB of archives.
After this operation, 4,096 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../libc6-i386_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6-i386 (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libc6-dev_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6-dev:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libc-dev-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-dev-bin (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../linux-libc-dev_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-libc-dev:amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc6:amd64 (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc-bin (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
Setting up multiarch-support (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../0-libc-l10n_2.24-11+deb9u1_all.deb ...
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../1-locales_2.24-11+deb9u1_all.deb ...
Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../2-linux-compiler-gcc-6-x86_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../3-linux-headers-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../4-linux-headers-4.9.0-3-common_4.9.30-2+deb9u1_all.deb ...
Unpacking linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../5-linux-kbuild-4.9_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-kbuild-4.9 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../6-linux-image-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Setting up linux-libc-dev:amd64 (4.9.30-2+deb9u1) ...
Setting up linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) ...
Setting up libc6-i386 (2.24-11+deb9u1) ...
Setting up linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) ...
Setting up linux-kbuild-4.9 (4.9.30-2+deb9u1) ...
Setting up libc-l10n (2.24-11+deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libc-dev-bin (2.24-11+deb9u1) ...
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
cryptsetup: WARNING: failed to detect canonical device of /dev/md0
cryptsetup: WARNING: could not determine root device from /etc/fstab
W: initramfs-tools configuration sets RESUME=UUID=054b217a-306b-4c18-b0bf-0ed85af6c6e1
W: but no matching swap device is available.
I: The initramfs will attempt to resume from /dev/md1p1
I: (UUID=bf72f3d4-3be4-4f68-8aae-4edfe5431670)
I: Set the RESUME variable to override this.
/etc/kernel/postinst.d/zz-update-grub:
Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-4.9.0-3-amd64
Found kernel: /boot/vmlinuz-3.16.0-4-amd64
Updating /boot/grub/menu.lst ... done
Setting up libc6-dev:amd64 (2.24-11+deb9u1) ...
Setting up locales (2.24-11+deb9u1) ...
Generating locales (this might take a while)...
  en_IN.UTF-8... done
Generation complete.
Setting up linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
```

Reboot your server/desktop using the [reboot command][17]:

```
$ sudo reboot
```

### Oracle/RHEL/CentOS/Scientific Linux

Type the following [yum command][18]:

```
$ sudo yum update
$ sudo reboot
```

### Fedora Linux

Type the following dnf command:

```
$ sudo dnf update
$ sudo reboot
```

### SUSE Enterprise Linux or openSUSE Linux

Type the following zypper command:

```
$ sudo zypper patch
$ sudo reboot
```

### SUSE OpenStack Cloud 6

```
$ sudo zypper in -t patch SUSE-OpenStack-Cloud-6-2017-996=1
$ sudo reboot
```

### SUSE Linux Enterprise Server for SAP 12-SP1

```
$ sudo zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-996=1
$ sudo reboot
```

### SUSE Linux Enterprise Server 12-SP1-LTSS

```
$ sudo zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-996=1
$ sudo reboot
```

### SUSE Linux Enterprise Module for Public Cloud 12

```
$ sudo zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-996=1
$ sudo reboot
```

### Verification

Make sure your kernel version number has changed after issuing the [reboot command][19]:

```
$ uname -a
$ uname -r
$ uname -mrs
```

Sample outputs:

```
Linux 4.4.0-81-generic x86_64
```

### A note about OpenBSD users

See [this page][20] for more info.

### A note about Oracle Solaris

[See this page][21] for more info.
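
One way to script the verification step and the reboot rationale given above, as an added example that is not part of the original article: it compares the running kernel with the newest `vmlinuz-<release>` file on disk and flags processes that still map the pre-update glibc. The function names, the `--report` flag and the sample `maps` lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: post-patch verification helpers (not from the original article).

# Newest kernel release found in a boot directory, judged by vmlinuz-<release>
# file names (assumed layout, matching the "Found kernel:" lines above).
newest_installed_kernel() {
    local dir="${1:-/boot}" f
    for f in "$dir"/vmlinuz-*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Exit 0 when the running release is older than the newest installed one,
# i.e. the patched kernel is on disk but has not been booted yet.
reboot_pending() {
    local running="$1" newest="$2"
    [ -n "$newest" ] && [ "$running" != "$newest" ] &&
        [ "$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)" = "$newest" ]
}

# Reads /proc/<pid>/maps text on stdin and prints each libc or ld.so mapping
# marked "(deleted)": that process still executes the pre-update library.
stale_glibc_mappings() {
    awk '$NF == "(deleted)" && $6 ~ "/(libc|ld)[-.][^/]*$" { print $6 }' | sort -u
}

# Constructed sample input: maps of a daemon started before the libc6 upgrade.
SAMPLE_MAPS='7f1c2a000000-7f1c2a1b5000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.24.so (deleted)
7f1c2a5c0000-7f1c2a5e3000 r-xp 00000000 08:01 131066 /lib/x86_64-linux-gnu/ld-2.24.so (deleted)
7f1c2a3c0000-7f1c2a3d8000 r-xp 00000000 08:01 131200 /lib/x86_64-linux-gnu/libpthread-2.24.so
7ffd4c1e0000-7ffd4c201000 rw-p 00000000 00:00 0 [stack]'

# Live check; reading other users' /proc/<pid>/maps needs root.
report() {
    local running newest p
    running="$(uname -r)"; newest="$(newest_installed_kernel /boot)"
    if reboot_pending "$running" "$newest"; then
        echo "running $running, newest installed $newest: reboot required"
    fi
    for p in /proc/[0-9]*; do
        [ -r "$p/maps" ] || continue
        if [ -n "$(stale_glibc_mappings < "$p/maps" 2>/dev/null)" ]; then
            echo "pid ${p#/proc/} still maps the old glibc: restart it or reboot"
        fi
    done
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as root with `--report` after the package upgrade; no output means the newest installed kernel is the one running and no process holds a deleted glibc mapping.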

### References:

* [The Stack Clash][4]

--------------------------------------------------------------------------------

About the author: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on [Twitter][1], [Facebook][2], [Google+][3].

--------------------------------------------------------------------------------

via: https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/

Author: [Vivek Gite][a]

[a]:https://plus.google.com/+CybercitiBiz
[1]:https://twitter.com/nixcraft
[2]:https://facebook.com/nixcraft
[3]:https://plus.google.com/+CybercitiBiz
[4]:https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
[5]:https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
[6]:https://www.cyberciti.biz/faq/category/centos/
[7]:https://www.cyberciti.biz/faq/category/debian-ubuntu/
[8]:https://www.cyberciti.biz/faq/category/linux/
[9]:https://www.cyberciti.biz/faq/category/redhat-and-friends/
[10]:https://www.cyberciti.biz/faq/category/security/
[11]:https://www.cyberciti.biz/faq/category/suse/
[12]:https://www.cyberciti.biz/faq/category/linux/
[13]:https://access.redhat.com/security/cve/cve-2017-1000364
[14]:https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
[15]:https://www.cyberciti.biz/faq/ubuntu-lts-debian-linux-apt-command-examples/
[16]:https://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html
[17]:https://www.cyberciti.biz/faq/linux-reboot-command/
[18]:https://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/
[19]:https://www.cyberciti.biz/faq/linux-reboot-command/
[20]:https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
[21]:http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
[22]:https://www.cyberciti.biz/media/new/faq/2017/06/the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris.jpeg