RancherOS < 1.1.1 Privilege Escalation (Dirty COW)

high Nessus Plugin ID 132249

Synopsis

The remote device is missing a vendor-supplied security patch

Description

The remote host is running a version of RancherOS that is prior to v.1.1.1, hence is vulnerable to a privilege escalation vulnerability.

The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original Dirty cow because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.

Solution

Update to RancherOS v1.1.1 or later

See Also

https://rancher.com/docs/os/v1.x/en/about/security/

https://github.com/rancher/os/releases/tag/v1.1.1

Plugin Details

Severity: High

ID: 132249

File Name: rancheros_1_1_1.nasl

Version: 1.5

Type: local

Family: Misc.

Published: 12/19/2019

Updated: 1/28/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-6074

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:rancher:rancheros

Required KB Items: Host/local_checks_enabled, Host/RancherOS/version, Host/RancherOS

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/10/2017

Vulnerability Publication Date: 11/30/2017

Exploitable With

Core Impact

Reference Information

CVE: CVE-2017-6074

BID: 102032