CVE-2019-13272
Published: 17 July 2019
Summary
CVE-2019-13272 is a high-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 0.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a flaw in the Linux kernel prior to version 5.1.17 within the ptrace_link function in kernel/ptrace.c. It stems from improper handling of credential recording when establishing a ptrace relationship, combined with an object lifetime issue and incorrect privilege marking on the relationship. This affects local process interactions on affected kernels and can be triggered through mechanisms such as Polkit's pkexec helper using PTRACE_TRACEME.
Local users can exploit the issue in scenarios involving a parent-child process relationship where the parent drops privileges before calling execve. Successful exploitation grants the attacker root privileges on the system, with a CVSS score of 7.8 reflecting high impact on confidentiality, integrity, and availability from a local, low-complexity attack.
Advisories referenced in the CVE, including Slackware kernel updates and Canonical kernel live patch notices, indicate that mitigation is achieved by applying the upstream kernel patch to version 5.1.17 or later. The description also notes that SELinux with deny_ptrace enabled may serve as a partial workaround in certain environments. Public exploit code for the PTRACE_TRACEME local root technique has been published, confirming practical exploitability on unpatched systems.
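A host triage check for the two mitigations named above (the upstream fix in 5.1.17 and the SELinux deny_ptrace boolean), as an added example that is not part of the original page. The function names and status labels are hypothetical; because vendor kernels such as the referenced Slackware updates and Canonical live patches can carry the fix under an older version string, a release below 5.1.17 is reported as needing vendor verification rather than as vulnerable.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2019-13272 from its kernel release
# string and the SELinux deny_ptrace boolean. Names and labels are illustrative.

FIXED="5.1.17"   # first fixed upstream release, per the CVE description

# ver_lt A B: succeed if A < B, comparing major.minor.patch numerically.
ver_lt() {
    a=${1%%[!0-9.]*}   # drop distro suffix: 4.15.0-54-generic -> 4.15.0
    b=${2%%[!0-9.]*}
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1           # equal versions are not "less than"
}

# triage <kernel-release> <deny_ptrace state: on|off|unknown>
triage() {
    if ! ver_lt "$1" "$FIXED"; then
        echo "upstream-fixed"
    elif [ "$2" = "on" ]; then
        # Partial workaround only; the vendor patch level still needs checking.
        echo "verify-vendor-fix+deny_ptrace"
    else
        echo "verify-vendor-fix"
    fi
}

# Read the live boolean where SELinux tooling is installed.
deny_ptrace_state() {
    state=unknown
    if command -v getsebool >/dev/null 2>&1; then
        case "$(getsebool deny_ptrace 2>/dev/null)" in
            *"--> on")  state=on ;;
            *"--> off") state=off ;;
        esac
    fi
    echo "$state"
}

release=$(uname -r)
echo "$release: $(triage "$release" "$(deny_ptrace_state)")"
```

A `verify-vendor-fix` result means the distribution's advisory for the installed kernel package should be checked before treating the host as exposed.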
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-4779
Vulnerability details
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
- CWE(s)
- KEV Date Added: 10 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of the upstream kernel patch (to 5.1.17+) that corrects the ptrace_link credential and lifetime flaw.
Enforces the kernel's access-control decision on PTRACE_TRACEME and ptrace relationships so an unprivileged child cannot obtain root credentials.
Maintains separate execution domains between processes, limiting the ability of a dropped-privilege parent/child pair to misuse ptrace for privilege escalation.