FPII-2513 : Elevation of privilege vulnerability in kernel system-call auditing subsystem CVE-2016-6136	A-30956807

High

An elevation of privilege vulnerability in the kernel system-call auditing subsystem could enable a local malicious application to disrupt system-call auditing in the kernel. This issue is rated as High because it is a general bypass of a kernel-level defense-in-depth or exploit mitigation technology.

Additional technical details:

A-30956807
A race condition in the audit_log_single_execve_arg function in kernel/auditsc.c, in the Linux kernel through 4.7, allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string between the kernel's two reads of it (a "double fetch" vulnerability).

The fix fetches the argument data only once, into a kernel buffer, and performs both the character-set scan and the logging into the audit record from that single copy, which removes the race window.
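The following C program is an added illustration, not code from the kernel or from the bulletin's patch. It models the two access patterns described above in user space: a double-fetch version that reads the argument once to classify its character set and again to log it, and a single-fetch version shaped like the upstream fix. User memory is simulated by a struct, and a racing writer that rewrites the string between the two reads is modelled by a one-shot hook; the character-set rule (printable ASCII without quotes is logged raw, otherwise hex-encoded) and all sample strings are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 64
#define LOG_MAX_LEN (2 * ARG_MAX_LEN + 1)

/* Simulated user-space memory holding one execve argument. racer_value,
 * when non-NULL, models another thread rewriting it after the first read. */
struct user_mem {
    char data[ARG_MAX_LEN];
    const char *racer_value;
};

/* Stand-in for copy_from_user(): copies whatever user memory holds right now. */
static void fetch_from_user(const struct user_mem *u, char *dst, size_t len) {
    size_t n = 0;
    while (n < len - 1 && u->data[n] != '\0')
        n++;
    memcpy(dst, u->data, n);
    dst[n] = '\0';
}

/* Modelled racing writer: fires exactly once, in the window between reads. */
static void racer_tick(struct user_mem *u) {
    if (u->racer_value) {
        snprintf(u->data, sizeof u->data, "%s", u->racer_value);
        u->racer_value = NULL;
    }
}

/* Constructed character-set rule in the spirit of the audit code:
 * printable ASCII without double quotes may be logged verbatim. */
static bool is_clean(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x21 || c > 0x7e || c == '"')
            return false;
    }
    return true;
}

static void hex_encode(const char *s, char *out, size_t outlen) {
    size_t pos = 0;
    for (; *s && pos + 3 <= outlen; s++, pos += 2)
        snprintf(out + pos, outlen - pos, "%02X", (unsigned char)*s);
    out[pos] = '\0';
}

/* Vulnerable pattern: classify on read 1, log from read 2. Returns true only
 * if the record obeys the rule (no raw unclean byte reached the log). */
static bool audit_arg_double_fetch(struct user_mem *u, char *log, size_t loglen) {
    char tmp[ARG_MAX_LEN];
    fetch_from_user(u, tmp, sizeof tmp);   /* read 1: decide raw vs hex */
    bool clean = is_clean(tmp);
    racer_tick(u);                          /* user memory changes here */
    fetch_from_user(u, tmp, sizeof tmp);   /* read 2: this is what gets logged */
    if (clean)
        snprintf(log, loglen, "%s", tmp);
    else
        hex_encode(tmp, log, loglen);
    return !clean || is_clean(log);
}

/* Fixed pattern (shape of the upstream fix): read once into a kernel buffer,
 * then classify and log from that same copy. */
static bool audit_arg_single_fetch(struct user_mem *u, char *log, size_t loglen) {
    char buf[ARG_MAX_LEN];
    fetch_from_user(u, buf, sizeof buf);   /* the only read */
    bool clean = is_clean(buf);
    racer_tick(u);                          /* same window, now harmless */
    if (clean)
        snprintf(log, loglen, "%s", buf);
    else
        hex_encode(buf, log, loglen);
    return !clean || is_clean(log);
}

/* Constructed scenario: the argument starts clean; the racer swaps in a
 * string containing a space and quotes between the reads. */
static struct user_mem make_scenario(void) {
    struct user_mem u;
    memset(&u, 0, sizeof u);
    strcpy(u.data, "foo");
    u.racer_value = "foo \"bar\"";
    return u;
}

/* Run each pattern against the scenario; 1 = record consistent, 0 = not. */
int run_double_fetch_scenario(void) {
    char log[LOG_MAX_LEN];
    struct user_mem u = make_scenario();
    return audit_arg_double_fetch(&u, log, sizeof log) ? 1 : 0;
}

int run_single_fetch_scenario(void) {
    char log[LOG_MAX_LEN];
    struct user_mem u = make_scenario();
    return audit_arg_single_fetch(&u, log, sizeof log) ? 1 : 0;
}

int main(void) {
    printf("double fetch consistent: %d\n", run_double_fetch_scenario());
    printf("single fetch consistent: %d\n", run_single_fetch_scenario());
    return 0;
}
```

The double-fetch variant logs the second read raw because the first read was judged clean, so the space and quotes bypass the encoding rule; the single-fetch variant logs exactly the bytes it validated, which is why copying into a kernel buffer once and never touching user memory again is the standard remedy for this class of race.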

Link to publicly available patch:
Upstream kernel patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c

A code snippet is provided in the bulletin's patches zip file for kernel 3.10.

Change-Id: I9b6b14f84683d90ec8b725044f5b8e670e1f3377
1 file changed