- Recent Linux Kernel versions are vulnerable to a complicated scenario of exploitation.
- The primary source of the problem is a module that concerns the implementation of RDS over TCP.
- Users can either upgrade to a later kernel version or simply blacklist the particular module.
Red Hat engineers have discovered a flaw in Linux kernel’s implementation of RDS (Remote Desktop Protocol) over TCP (Transmission Control Protocol), assigning it the identifier “CVE-2019-11815”. According to the security experts, a system that has the rds_tcp kernel module loaded either manually or automatically (by a local process), could potentially allow an attacker to manipulate the socket state based on a “use-after-free” condition, and carry out memory corruption and privilege escalation on the target system. Updating the kernel version on your Linux distribution to the 5.1 stable branch plugs the vulnerability.
If you can’t do that for any reason, or if you don’t want to deal with kernel compilations and taking care of dependencies, you may simply blacklist the “rds.ko” module. To do this, check what kernel modules are loaded on your Linux distribution by opening a terminal and giving the “lsmod” command. There you’ll see if the particular module is loaded, as well as its use count and which other modules depend on it. If it’s loaded, you may remove it with “sudo modprobe -r <module name>”, or blacklist it by adding a “blacklist <module name>” line to a configuration file under /etc/modprobe.d/. This latter solution was the Ubuntu response on the matter, so the problem was taken care of until a newer kernel version gets adequately tested and rolled out to the users of the popular distro.
That said, not all distributions are equally eager to push kernel updates as soon as these become available. It also depends on what repositories the user has activated, as some power users are using “testing” or “bleeding-edge” repos that deliver kernel updates while they’re hot. If you are using Fedora, for example, it is likely that you have already received a version of the 5.1 branch. If you are using Debian stable, you’re still stuck with the 4.9 branch. Whatever Linux distribution you’re using, you may check the version of your Kernel package by using the “uname -r” command on a terminal. For a more verbose result, use the “uname -a” instead.
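The two checks described above (the kernel release from “uname -r” and the module list from “lsmod”) and the blacklist mitigation can be put into one small POSIX sh helper. The script below is an added example written for this article, not code from Red Hat, Ubuntu or the kernel project; the function names and the file name /etc/modprobe.d/cve-2019-11815-rds.conf are the example's own choices. It goes slightly beyond the text in one respect: besides “blacklist”, which only stops alias-based autoloading, it adds modprobe “install” lines so that an explicit “modprobe rds_tcp” runs /bin/false instead of loading the module.

```shell
#!/bin/sh
# Added example (not from the original article): check the running kernel
# against the 5.1 threshold the article names, scan lsmod output for the RDS
# modules, and print a modprobe.d fragment that keeps them from loading.
# The helper only prints; it never modifies the system.

# Succeed if a kernel release string such as "4.9.0-9-amd64" is at least
# major.minor given as $2.$3.  Only the numeric major and minor are compared.
kernel_at_least() {
    release=$1; want_major=$2; want_minor=$3
    major=${release%%.*}            # "4.9.0-9-amd64" -> "4"
    rest=${release#*.}              # -> "9.0-9-amd64"
    minor=${rest%%.*}               # -> "9"
    minor=${minor%%[!0-9]*}         # drop any non-digit suffix
    if [ "$major" -gt "$want_major" ]; then
        return 0
    elif [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# Read lsmod output on stdin and print the names of any loaded RDS modules,
# one per line.  rds_tcp carries the flaw; rds is the core it depends on.
rds_modules_loaded() {
    awk 'NR > 1 && ($1 == "rds" || $1 == "rds_tcp" || $1 == "rds_rdma") { print $1 }'
}

# Print a modprobe.d fragment.  "blacklist" stops autoloading by alias;
# "install <module> /bin/false" also makes an explicit modprobe fail.
rds_modprobe_config() {
    cat <<'EOF'
# Mitigation for CVE-2019-11815: keep RDS over TCP out of the kernel
blacklist rds_tcp
blacklist rds
install rds_tcp /bin/false
install rds /bin/false
EOF
}

# Live check when run as a script.
if command -v lsmod >/dev/null 2>&1; then
    running=$(uname -r)
    if kernel_at_least "$running" 5 1; then
        echo "kernel $running is on the 5.1 branch or newer"
    else
        echo "kernel $running is older than 5.1: check your distribution's advisory for a backported fix"
    fi
    loaded=$(lsmod | rds_modules_loaded)
    if [ -n "$loaded" ]; then
        echo "loaded RDS modules:"; echo "$loaded"
        echo "unload with: sudo modprobe -r rds_tcp rds"
    else
        echo "no RDS modules loaded"
    fi
    echo "suggested contents for /etc/modprobe.d/cve-2019-11815-rds.conf:"
    rds_modprobe_config
fi
```

Run it as an ordinary user to see the report, then copy the printed fragment into the named file as root and re-run “lsmod” after a reboot to confirm. The version check is only a first screen: distributions backport kernel fixes to older branches, so a release below 5.1 is not by itself proof that the flaw is present, and the lsmod scan is the check that matters for the blacklist route.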
Right now, there have been no known cases of exploitation of the aforementioned flaw, and the security experts consider this vulnerability to be very complicated to exploit. Still, considering the critical role that Linux systems around the world usually have, admins should not rely on complexity alone as a protective layer. Updating is still your best friend, as always.
What Linux distribution are you using, and which kernel version is it currently running? Let us know in the comments down below, and help us spread the word of warning by sharing this post through our socials, on Facebook and Twitter.