Source: secalert@redhat.com
Linux kernel before 2.6.18, when running on x86_64 systems, does not properly save or restore EFLAGS during a context switch, which allows local users to cause a denial of service (crash) by causing SYSENTER to set an NT flag, which can trigger a crash on the IRET of the next task.
Local denial-of-service vulnerability in Linux kernels before 2.6.18 on x86_64 systems. Because the kernel does not save and restore the EFLAGS register across a context switch, a local user who enters the kernel through SYSENTER with the NT (Nested Task) flag set leaves that flag behind for the next task the scheduler runs; when that task returns to user space with IRET, the CPU faults inside the kernel and the system crashes. No privilege escalation is involved, only a crash (DoS).
Step 1: System Call Initiation: A local user sets the NT bit in EFLAGS from user mode (POPF at CPL 3 is permitted to change NT) and then enters the kernel with SYSENTER.
Step 2: NT Flag Survives Entry: SYSENTER clears IF and VM on entry but leaves NT untouched, so the kernel now executes with NT=1.
Step 3: Context Switch: The scheduler switches from the attacker's task to another task.
Step 4: EFLAGS Not Saved: The pre-2.6.18 switch code neither saves the outgoing task's EFLAGS nor restores the incoming task's, so the NT bit stays in the live register and the next task inherits it.
Step 5: IRET Execution: When the next task returns to user space via IRET, the CPU (not the kernel) evaluates the NT flag as part of the instruction.
Step 6: Crash Trigger: With NT=1, IRET attempts a hardware task return through the TSS back link (in 64-bit mode it raises #GP instead). Linux does not use hardware task switching, so the return faults inside the kernel and the system crashes, a denial of service for every user of the machine.
The vulnerability lies in the x86_64 context-switch path of the Linux kernel. The kernel fails to save the outgoing task's EFLAGS register and restore the incoming task's during a task switch. EFLAGS holds the processor's status and control flags, among them the NT (Nested Task) flag, which user code can set with POPF. SYSENTER, the fast system-call entry, does not clear NT (it clears only IF and VM), so a task that enters the kernel with NT=1 keeps it set while in kernel mode. Because the flag is never saved on switch-out, it is still set when an unrelated task executes IRET to return to user space; the CPU interprets NT=1 as a request to return to a previous hardware task (or raises #GP in 64-bit mode), and since Linux has no valid task to return to, the kernel crashes. The root cause is the missing save/restore of EFLAGS around the stack switch, which the 2.6.18 fix adds so that the flag stays with the task that set it. This is a processor-state corruption issue (one architectural flag leaks between tasks), not a memory corruption issue: no buffer, heap or kernel structure is overwritten.
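The following is an added user-space model of the flag leak described above; it is example code written for this page, not kernel code and not the upstream fix. It reproduces only the relevant hardware rules (EFLAGS bit positions, SYSENTER clearing IF and VM but not NT, IRET faulting when NT is set) and compares a context switch that ignores EFLAGS with one that saves and restores it. The six steps are replayed in victim_iret_crashes(); the task and cpu structures and the 0x202 starting flags value are assumptions of the model.

```c
/* Added example: a user-space model of the EFLAGS.NT leak across a context
 * switch. Not kernel code; it only mimics the hardware rules that matter. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real x86 EFLAGS bit positions (Intel SDM Vol. 3, EFLAGS register layout). */
#define X86_EFLAGS_IF  (1u << 9)   /* interrupt enable */
#define X86_EFLAGS_NT  (1u << 14)  /* nested task */
#define X86_EFLAGS_VM  (1u << 17)  /* virtual-8086 mode */

struct task {
    uint32_t saved_eflags;   /* per-task copy, only used by the fixed switch */
};

struct cpu {
    uint32_t eflags;         /* the single live flags register */
    struct task *current;
};

/* SYSENTER: hardware clears IF and VM on entry but leaves NT as it was. */
static void model_sysenter(struct cpu *c, uint32_t user_eflags)
{
    c->eflags = user_eflags & ~(X86_EFLAGS_IF | X86_EFLAGS_VM);
}

/* IRET: with NT set the CPU performs a task return through the TSS back link
 * (or raises #GP in 64-bit mode). Linux does not use hardware task switching,
 * so either outcome is a kernel crash. Returns true if the IRET would survive. */
static bool model_iret_ok(const struct cpu *c)
{
    return (c->eflags & X86_EFLAGS_NT) == 0;
}

/* Pre-2.6.18 behaviour as the advisory describes it: the task changes but the
 * live EFLAGS value is left alone, so `next` inherits whatever `prev` had. */
static void switch_to_vulnerable(struct cpu *c, struct task *next)
{
    c->current = next;
}

/* Fixed behaviour: save the outgoing task's EFLAGS and load the incoming
 * task's, so a flag set by one task never reaches another. */
static void switch_to_fixed(struct cpu *c, struct task *next)
{
    c->current->saved_eflags = c->eflags;
    c->eflags = next->saved_eflags;
    c->current = next;
}

/* Replay the advisory's six steps. Returns true if the victim's IRET crashes. */
bool victim_iret_crashes(bool fixed_kernel)
{
    /* 0x202: IF set plus the always-set bit 1; an assumed idle user state. */
    struct task attacker = { 0x202 };
    struct task victim   = { 0x202 };
    struct cpu c = { 0x202, &attacker };

    /* Steps 1-2: the attacker sets NT from user mode (POPF allows it at
     * CPL 3) and enters the kernel with SYSENTER, which does not clear NT. */
    model_sysenter(&c, 0x202 | X86_EFLAGS_NT);

    /* Steps 3-4: the scheduler switches to the unrelated victim task. */
    if (fixed_kernel)
        switch_to_fixed(&c, &victim);
    else
        switch_to_vulnerable(&c, &victim);

    /* Steps 5-6: the victim returns to user space with IRET. */
    return !model_iret_ok(&c);
}

int main(void)
{
    printf("vulnerable kernel: victim IRET %s\n",
           victim_iret_crashes(false) ? "crashes" : "survives");
    printf("fixed kernel:      victim IRET %s\n",
           victim_iret_crashes(true) ? "crashes" : "survives");
    return 0;
}
```

The point of the comparison is that nothing about the victim task changes between the two runs; only whether the switch code treats EFLAGS as part of the per-task state decides whether the attacker's flag reaches the victim's IRET.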
Given the age of the vulnerability and its local-DoS-only impact, it is unlikely to be targeted directly by sophisticated APTs. It could still be used as the disruptive step in a chained attack against a system that already grants the attacker local code execution. The vulnerability is not listed on the CISA KEV.
Analyze system logs for unexpected reboots or kernel panics, especially on x86_64 systems still running kernels older than 2.6.18; a general protection fault or oops at the kernel's IRET return path is the expected symptom.
Monitor system calls using tools like strace or kernel tracing facilities. Note the limit: these show system call names and arguments, not the entry instruction or the EFLAGS state, so they cannot see NT manipulation directly and can only flag unusual callers.
Examine crash dumps or saved oops text (if available). An x86 oops prints the register dump including EFLAGS (for example "EFLAGS: 00010246"); bit 14 (0x4000, the NT flag) being set at a fault on IRET is consistent with this flaw, though not proof of it.
Use file integrity monitoring tools to detect changes to kernel modules or system binaries. This flaw itself modifies no files, so FIM will not detect exploitation; it serves as general hygiene for spotting the other tampering an attacker with local access may attempt.
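As an added detection aid, not part of the original advisory, the following C code pulls the EFLAGS value out of an oops register dump line and tests the NT bit. The "EFLAGS: <hex>" format is the kernel's standard x86 register dump; the oops text embedded below is constructed for the example, with placeholder addresses, and is not a real capture.

```c
/* Added example: check the EFLAGS value printed in an x86 oops/panic register
 * dump for the NT bit. Not from the original page or the kernel sources. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define X86_EFLAGS_NT (1u << 14)   /* bit 14 = 0x4000, the Nested Task flag */

/* Find "EFLAGS:" in one line of oops text and parse the hex value after it.
 * Returns true on success. The kernel prints this field the same way in
 * i386 and x86_64 register dumps, e.g. "EFLAGS: 00010246". */
bool eflags_from_oops_line(const char *line, uint32_t *out)
{
    const char *p = strstr(line, "EFLAGS:");
    if (!p)
        return false;
    p += strlen("EFLAGS:");
    while (*p == ' ' || *p == '\t')
        p++;
    if (!isxdigit((unsigned char)*p))
        return false;
    char *end;
    unsigned long v = strtoul(p, &end, 16);
    if (end == p || v > 0xffffffffUL)
        return false;
    *out = (uint32_t)v;
    return true;
}

bool eflags_has_nt(uint32_t eflags)
{
    return (eflags & X86_EFLAGS_NT) != 0;
}

/* Scan a whole oops text line by line; returns how many register dump lines
 * show NT set. One hit on an IRET fault is the pattern described above. */
int count_nt_lines(const char *oops_text)
{
    int hits = 0;
    const char *line = oops_text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        uint32_t fl;
        if (eflags_from_oops_line(buf, &fl) && eflags_has_nt(fl))
            hits++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return hits;
}

/* Constructed sample, not a real capture: an x86_64-style register dump with
 * the NT bit (0x4000) set in EFLAGS. Addresses are placeholders. */
static const char sample_oops[] =
    "general protection fault: 0000 [1] SMP\n"
    "RIP: 0010:[<ffffffff80010000>]  [<ffffffff80010000>]\n"
    "RSP: 0018:ffff810001bfff58  EFLAGS: 00014246\n"
    "RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n";

int main(void)
{
    printf("%d register dump line(s) with NT set\n", count_nt_lines(sample_oops));
    return 0;
}
```

Feed it the oops text recovered from the console, serial log or a kdump vmcore's dmesg; a dump whose EFLAGS has NT set while the faulting instruction is the kernel's IRET matches the advisory's failure mode.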
Upgrade the Linux kernel to version 2.6.18 or later, or to a vendor kernel that carries the backported fix. This is the primary and most effective remediation. Note that distributions such as Red Hat backport fixes without changing the base version number, so compare the installed package against the vendor's advisory rather than against the bare 2.6.18 version string.
Apply security patches provided by the Linux distribution vendor for the specific kernel version.
Implement a robust patch management strategy to ensure timely application of security updates.
Isolate vulnerable systems on a separate network segment and restrict local (shell) access to them, since the flaw requires a local user to trigger; this limits who can cause the crash and the impact of a potential exploit.
Implement host-based intrusion detection systems (HIDS) to monitor for suspicious activity.
Regularly audit system configurations to ensure proper security settings.