A story published yesterday by SearchEnterpriseLinux.com incorrectly reported that a third mremap vulnerability had been discovered in the Linux kernel.
Separate and unrelated flaws had been reported in the memory management system call in January and February. On March 1, researcher Paul Starzetz released an update to his initial advisory that a robust proof-of-concept exploit code had been produced for the flaw detailed in February.
"The vulerability is very easy to exploit once you have got local (shell) access to the system," Starzetz said in an e-mail to SearchEnterpriseLinux.com.
The flaws enable attackers to gain root access to vulnerable systems, Starzetz said.
"Both bugs have been found in the same piece of code. The first one [released Jan. 5] was due to invalid argument input to the mremap system call. The second [released Jan. 18] concerns an unchecked use of the do_munmap internal kernel function inside the mremap code which may be forced to fail by preparing the virtual memory of the calling process in a special way," Starzetz said.
The flaw, deemed critical, was discovered by Starzetz and his research team at Polish security consultancy ISec. Kernel versions up to and including 2.2.25, 2.4 to 2.4.24 and 2.6 and up are affected and should be repaired immediately by downloading fixes from kernel.org or a Linux distributor.
"Since no special privileges are required to use the mremap system call any process may use its unexpected behavior to disrupt the kernel memory management subsystem," said an alert from iSec. "Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges."