Source: cve@mitre.org
Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.
Local users can trigger a denial-of-service (DoS) condition on Linux systems running kernel 2.1.132 or earlier by reading a large buffer from a random device such as /dev/urandom. The read does not hang waiting for entropy: it runs until the whole buffer has been filled, and during that time it cannot be interrupted by a signal, so neither the user nor an administrator can kill it early. Because kernels of that era could not preempt a task running in kernel mode, one sufficiently large read keeps the CPU busy for its entire duration and starves every other process; that is the resource exhaustion the advisory refers to.
Step 1: User Access: A local user, or any code running under an unprivileged account on the vulnerable system, starts the attack. No special privilege is needed: /dev/urandom is normally readable by everyone.
Step 2: Read Request: The user issues a single read() with a very large byte count against a random device, typically /dev/urandom. One large read matters more than many small ones, because each read() call is the unit the kernel cannot interrupt.
Step 3: Kernel Block: The kernel loops, generating random output and copying it into the caller's buffer until the requested count is satisfied. Because of the vulnerability, the loop never acts on a pending signal, so Ctrl-C, kill, or even kill -9 from root take effect only after the read returns.
Step 4: Resource Exhaustion: Producing that much random output is CPU-bound work in kernel mode. On a non-preemptible kernel the read holds the processor for as long as it runs, and the buffer being filled consumes memory proportional to the requested size, so other processes get no CPU time until the read finishes.
Step 5: Denial of Service: The system becomes unresponsive or severely degraded for the duration of the read; repeating the read keeps it that way for as long as the attacker wants, effectively causing a DoS.
The vulnerability stems from the lack of interruptibility of reads from the random devices in Linux kernel versions 2.1.132 and earlier. The read path for /dev/urandom and the other random devices filled the caller's buffer in a loop and neither gave up the CPU nor acted on pending signals until the requested count had been produced. A local user who asked for a very large buffer therefore got a read that the kernel would not abort and could not time-slice away, and the rest of the system waited for it. The root cause is a design flaw, not a memory-safety bug: there is no bound on how much a single read() may request, and no check inside the loop that would let a signal end the read early. There is no buffer overflow or race condition in this vulnerability; the missing interruptibility is the whole flaw, and it is what the fix in later kernels addresses.
Given the age of the vulnerability and the specific kernel versions affected, it is unlikely to be targeted by sophisticated APTs today. Any attacker with local access to an unpatched system could exploit it, however, and the attack needs no privileges or special tooling. This vulnerability is not listed in the CISA KEV catalog.
Monitor system resource usage (CPU, memory, I/O) for unusually high or sustained consumption by a single process. Time spent in kernel mode (system time) is the telltale here, and the process's open file descriptors (/proc/PID/fd) show whether it has /dev/urandom or another random device open.
Analyze process activity for processes that stay inside a single read() system call on /dev/urandom or another random device for seconds at a time. A process that cannot be killed, even with SIGKILL, until that read returns is the signature of this flaw.
Examine system logs for indications of resource exhaustion, such as processes killed by the OOM killer (a huge read buffer has to be allocated before the read starts) or gaps in periodic logging that point to an unresponsive system.
Implement file integrity monitoring to detect unauthorized access or modification of system files, including device drivers or kernel modules. This is general hardening rather than a detection for this specific flaw, which needs no file changes to exploit.
Upgrade to a patched Linux kernel version (2.1.133 or later, which includes every 2.2.x and newer release), in which a long read from a random device can be interrupted.
Limit the amount of data that can be read from random devices, if possible. A single read() can only be as large as the buffer the process can address, so address-space or data-segment limits (ulimit) bound the length of any one uninterruptible read; they do not stop a user from issuing many such reads in a row, so they reduce the impact rather than remove it.
Implement monitoring and alerting to detect and respond to resource exhaustion events, so that a runaway read is noticed while it is still running rather than after users report an unresponsive host.
Apply the principle of least privilege, restricting local access to the system to users who need it. Removing read permission on /dev/urandom itself is rarely practical, because ordinary unprivileged programs depend on it for randomness; limiting who can run code on the host is the realistic control until the kernel is upgraded.
Regularly update and patch the system to address any known vulnerabilities.