Detections
Analytics
RancherOS < 1.1.1 Privilege Escalation (Dirty COW)
high Nessus Plugin ID 132249
Language:
Synopsis
The remote device is missing a vendor-supplied security patchDescription
The remote host is running a version of RancherOS that is prior to v.1.1.1, hence is vulnerable to a privilege escalation vulnerability.The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original Dirty cow because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.
Solution
Update to RancherOS v1.1.1 or laterSee Also
Plugin Details
Severity: High
ID: 132249
File Name: rancheros_1_1_1.nasl
Version: 1.5
Type: local
Family: Misc.
Published: 12/19/2019
Updated: 1/28/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Critical
Score: 9.0
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 6.3
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2017-6074
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7.5
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:rancher:rancheros
Required KB Items: Host/local_checks_enabled, Host/RancherOS/version, Host/RancherOS
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 12/10/2017
Vulnerability Publication Date: 11/30/2017
Exploitable With
Core Impact
Reference Information
CVE: CVE-2017-6074
BID: 102032