Vigil@nce - Linux kernel RT: denial of service via Ping SysRq
June 2016 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can send a Ping packet to use a SysRq command on the
Linux kernel with the RT patch, in order to trigger a denial of
service.
Impacted products: Linux.
Severity: 1/4.
Creation date: 17/05/2016.
DESCRIPTION OF THE VULNERABILITY
The kernel-rt patch can be applied to the Linux kernel.
This patch contains a debugging feature enabled via
/sys/kernel/debug/network_sysrq_enable. When enabled, a remote
host can send an ICMP Echo (ping) packet containing a SysRq
command for the kernel to run (stop processes, reboot, etc.).
This SysRq command is only executed if the ICMP packet contains
the expected cookie. However, a remote attacker can brute-force
this cookie (a local attacker can merely read
the /sys/kernel/debug/network_sysrq_magic file).
An attacker can therefore send a Ping packet to use a SysRq
command on the Linux kernel with the RT patch, in order to trigger
a denial of service.
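
The following shell function is an added example, not part of the bulletin: it audits a host for the debug switch and cookie file named above. The function name, its return codes and the reading of the file contents ("0" means off, anything else means on) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bulletin): audit the kernel-rt network SysRq
# debug switch named in the description above.
# Usage, as root:  check_network_sysrq            (uses /sys/kernel/debug)
# Return status: 0 = absent or disabled, 1 = enabled, 2 = cannot tell.
# Assumption: "0" in network_sysrq_enable means off, any other value means on.

check_network_sysrq() {
    nsq_root="${1:-/sys/kernel/debug}"
    nsq_enable="$nsq_root/network_sysrq_enable"
    nsq_magic="$nsq_root/network_sysrq_magic"

    # debugfs is normally root-only; without access the files look absent.
    if [ ! -d "$nsq_root" ] || [ ! -r "$nsq_root" ] || [ ! -x "$nsq_root" ]; then
        echo "UNKNOWN: cannot inspect $nsq_root (not mounted, or not root)"
        return 2
    fi
    if [ ! -e "$nsq_enable" ]; then
        echo "OK: $nsq_enable not present (feature not exposed here)"
        return 0
    fi
    if [ ! -r "$nsq_enable" ]; then
        echo "UNKNOWN: cannot read $nsq_enable"
        return 2
    fi

    nsq_value=$(tr -d '[:space:]' < "$nsq_enable")
    case "$nsq_value" in
        0)  echo "OK: network SysRq is disabled"
            return 0 ;;
        '') echo "UNKNOWN: $nsq_enable is empty"
            return 2 ;;
    esac

    echo "WARN: network SysRq is enabled ($nsq_enable = $nsq_value)"
    # The cookie is the only gate on the ICMP path, so report who can read it.
    if [ -n "$(find "$nsq_magic" -prune -perm -004 2>/dev/null)" ]; then
        echo "WARN: $nsq_magic is readable by all local users"
    fi
    echo "Disable this debug feature when it is not in active use."
    return 1
}
```

The optional argument replaces the debugfs root, which lets the check run against a copied or mounted file tree instead of the live system.
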
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Linux-kernel-RT-denial-of-service-via-Ping-SysRq-19618