Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @

EGI CSIRT:Alerts/kernel-2013-05-14

From EGIWiki
Revision as of 17:18, 14 May 2013 by Tdussa (talk | contribs)
Jump to navigation Jump to search
** WHITE information - Unlimited distribution allowed                       **
** see for distribution restrictions **


Title:       Linux kernel perf_event vulnerability (CVE-2013-2094) [EGI-ADV-20130514]
Date:        2013-05-14
Updated:     2013-05-14


Update Summary

 + 2013-05-14: Initial revision.


A recently-discovered vulnerability in the Linux kernel allows a local user to escalate their privilege level and gain root access.  Working exploit code is publicly available.


The performance measurement subsystem in the Linux kernel incorrectly casts a 64-bit integer into a 32-bit integer which is subsequently used for array dereferencing.  Providing carefully chosen integers as input allows arbitrary code to be executed.

The erroneous code has been introduced in kernel version 2.6.37-3.8.8 (commit b0a873ebbf87bf38bf70b5e39a7cadc96099fa13 on 2010-09-09) and is fixed in kernel version 3.8.9 (commit 8176cced706b5e5d15887584150764894e94e02f on 2013-04-15).  Additionally, the vulnerability was backported to 2.6.32 kernels by Red Hat.

Working exploit code is publicly available.  This code will not work on all vulnerable distributions; however, it appears to work on RHEL 6 and derived systems.

Risk Category

This issue has been assessed as CRITICAL risk by the EGI CSIRT as a working exploit is publicly available.

Affected Software

 + Linux kernels 2.6.36-3.8.8 through 3.8.9.
 + Linux kernels 2.6.32 with Red Hat backports.


There is no known mitigation that completely addresses the issue.  However, disabling user-level kernel profiling prevents the published exploit code from working correctly.  This (incomplete) mitigation can be done by running
  sysctl kernel.perf_event_paranoid=2
as root.

Component Installation information

For many distributions, patched kernel packages are available.  Refer to your
distro's information channels.


It is recommended that sites implement the mitigation described above unless kernel profiling is essential and upgrade their kernels as soon as possible as they become available for their respective distributions.


 + Mitre:
 + OSS-Sec:
 + Debian:
 + Red Hat:
 + Ubuntu: