STE WILLIAMS

Linux vulnerable to privilege escalation

An advisory from Cisco issued last Friday, October 13th, gave us the heads-up on a local privilege escalation vulnerability in the Advanced Linux Sound Architecture (ALSA).

The bug is designated CVE-2017-15265, but its Mitre entry was still marked “reserved” at the time of writing. Cisco, however, had this to say about it before release:

“The vulnerability is due to a use-after-free memory error in the ALSA sequencer interface of the affected application. An attacker could exploit this vulnerability by running a crafted application on a targeted system. A successful exploit could allow the attacker to gain elevated privileges on the targeted system.”

The bug first went public when the patch was merged to the ALSA git tree, according to this discussion at SUSE’s Bugzilla.

Turned up by ADLab of Venustech, the use-after-free is triggered by a slip in snd_seq_create_port().

That routine “creates a port object and returns its pointer, but it doesn’t take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free”.
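A single-threaded user-space model of the lifetime problem quoted above, added here as an illustration and not taken from the ALSA patch or the article. All names are hypothetical, the racing delete is simulated by calling it between create and use, and a flag stands in for free() so the unsafe ordering can be observed without touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a port object; not the kernel's structure. */
struct port {
    int refs;    /* users currently pinning the port */
    int closing; /* delete requested while still pinned */
    int freed;   /* model only: set instead of calling free() */
};

/* Create a port; take_ref=1 returns it already pinned for the caller. */
static struct port *port_create(int take_ref) {
    struct port *p = calloc(1, sizeof(*p));
    if (p && take_ref) p->refs = 1;
    return p;
}

/* Delete from "another thread": immediate if unpinned, deferred otherwise. */
static void port_delete(struct port *p) {
    if (p->refs == 0) p->freed = 1;
    else p->closing = 1;
}

/* Drop the caller's pin; the last user out completes a pending delete. */
static void port_unlock(struct port *p) {
    if (--p->refs == 0 && p->closing) p->freed = 1;
}

/* Stand-in for the post-create notification: -1 if the port is already gone. */
static int port_announce(const struct port *p) { return p->freed ? -1 : 0; }

/* Create, let a delete land in the window, then announce the port. */
static int create_then_announce(int take_ref) {
    struct port *p = port_create(take_ref);
    if (!p) return -2;
    port_delete(p);               /* constructed interleaving */
    int rc = port_announce(p);    /* without a pin this sees freed == 1 */
    if (take_ref) port_unlock(p); /* deferred delete completes here */
    free(p);                      /* release the model object itself */
    return rc;
}

int main(void) {
    printf("no ref: %d, ref held: %d\n",
           create_then_announce(0), create_then_announce(1));
    return 0;
}
```

A result of -1 marks the notification running on a port that was already released; holding the reference across the call yields 0 and the delete only completes at the unlock.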

While it’s only exploitable locally, the privilege escalation is what earned the bug a “high” severity rating, and of course everybody using a downstream distribution that embeds the vulnerable ALSA will have to push patches.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/15/advanced_linux_sound_architecture_vulnerable_to_privilege_escalation/
