Protecting against CVE-2018-14634 (Mutagen Astronomy)

There is a new exploit, rated as 7.8 severity level,  that affects major Linux distributions of RedHat Enterprise Linux, Debian 8 and CentOS on both VPS servers as well as dedicated servers, called Mutagen Astronomy. Mutagen Astronomy exploits an integer overflow vulnerability in the Linux kernel and supplies root access (admin privileges) to unauthorized users on the intended server. This exploit affects Linux kernel version dating back from July 2007 to July 2017.  Living in the kernel, the memory table can be manipulated to overflow using the create_tables_elf() function. After overwhelming the server, the hacker can then overtake the server with its malicious intents.

As mentioned this vulnerability is present in RedHat, Debian 8 (Debian 9 are not vulnerable), and CentOS 6 and 7 but its limited to affecting only 64-bit versions. The 32-bit versions do not have the address space to overwhelm the server and thus no patch is needed.  Along with 64-bit versions, the exploit is limited to Linux kernel versions 2.6.x, 3.10.x, and 4.14.x. (Read our article How To Check the Kernel Version to see which version you are running)  Proof of concept reported on August 31, 2018, and remediation from a one-year-old patch was backported to most LTS (long-term support) kernels, CentOS and Debian 8 remain vulnerable. Luckily, patches CentOS 6 /7 and RHEL 7 are below but the world waits for RHEL 6 and Debian 8 remedy.  Check back here for updates as they become available.

CentOS 6 and 7 Patch for Mutagen Astronomy

Step 1: Utilizing SystemTap.

Use SystemTap to extract, filter and summarize data to diagnosis performance or functional problems.

yum install systemtap systemtap-runtime


Step 2: Create a File

Using your preferred text editor create a file name mutagenastronomypatch.stp and copy and paste the following info:

// CVE-2018-14634
//
// Theory of operations: adjust the thread's # rlimit-in-effect around
// calls to the vulnerable get_arg_page() function so as to encompass
// the newly required _STK_LIM / 4 * 3 maximum.
// Complication: the rlimit is stored in a current-> structure that
// is shared across the threads of the process. They may concurrently
// invoke this operation.
function clamp_stack_rlim_cur:long ()
%{
struct rlimit *rlim = current->signal->rlim;
unsigned long rlim_cur = READ_ONCE(rlim[RLIMIT_STACK].rlim_cur);
unsigned long limit = _STK_LIM / 4 * 3;
limit *= 4; // multiply it back up, to the scale used by rlim_cur
if (rlim_cur > limit) {
WRITE_ONCE(rlim[RLIMIT_STACK].rlim_cur, limit);
STAP_RETURN(limit);
} else
STAP_RETURN(0);
%}
probe kernel.function("copy_strings").call
{
l = clamp_stack_rlim_cur()
if (l)
printf("lowered process %s(%d) STACK rlim_cur to %p\n",
execname(), pid(), l)
}
probe begin {
printf("CVE-2018-14634 mitigation loaded\n")
}
probe end {
printf("CVE-2018-14634 mitigation unloaded\n")
}Step 3: Run the Script

Lastly, execute the newly created script:

stap -g mutagenastronomypatch.stp

RHEL 7 Patch for Mutagen Astronomy

Step 1: Log in to your CentOS server

ssh root@ip

Step 2: Yum Updates to the Kernel

yum update kernel