Flash Notice: StackRot, a New Linux Kernel Vulnerability

July 10, 2023

overview

A security vulnerability, tracked as CVE-2023-3269 or StackRot, has been discovered in the Linux kernel. This flaw could potentially give an attacker elevated privileges on a targeted host. With a CVSS score of 7.8, the vulnerability is located within the memory management subsystem and affects nearly all kernel configurations. It can be triggered with minimal capabilities. StackRot refers to the handling of stack expansion in the Linux kernel, which involves the automatic growth or expansion of stack memory for a running process.

StackRot allows a local user to exploit a vulnerability known as "use-after-free." By taking advantage of this bug, the attacker can compromise the kernel and gain higher privileges. This exploit occurs because the maple tree (a data structure) can replace its nodes without properly acquiring the necessary permission.

CVE-2023-3269 impacts Linux versions 6.1 through 6.4. Security researcher Ruihan Li of Peking University in China discovered the vulnerability and stated that it will be challenging to exploit. He stated that “maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging”.

Although CVE-2023-3269 has not been exploited in the wild, it is recommended that users apply patches immediately, as the proof-of-concept is expected to be publicly available by the end of the month.

avertium's recommendationS

After reporting the vulnerability to Linux, Ruihan Li worked with Linux to come up with a fix. The fix for the vulnerability has been merged into Linux Torvalds' tree and backported to kernels ([6.1.37][6.1], [6.3.11][6.3], and [6.4.1][6.4]). The backported patches fixed the StackRot bug on July 1, 2023.

Organizations should verify if the patches have been applied to the Linux systems in their environment. The absence of the patches could indicate a vulnerable system.

The StackRot vulnerability is a type of use-after-free vulnerability. Organizations should be alert to any signs of memory-related issues, such as crashes, abnormal behavior, or errors that could indicate the exploitation of use-after-free vulnerabilities.

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-3269. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.

How Avertium is Protecting Our CUSTOMERS

Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
- Risk Assessments
- Pen Testing and Social Engineering
- Infrastructure Architecture and Integration
- Vulnerability Management
Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.