An error occurred:

Check: RHEL-08-010421

RHEL 8 STIG: RHEL-08-010421 (in versions v1 r14 through v1 r4)

Title

RHEL 8 must clear the page allocator to prevent use-after-free attacks. (Cat II impact)

Discussion

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. Satisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000433-GPOS-00192

Check Content

Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities with the following commands: Check that the current GRUB 2 configuration has page poisoning enabled: $ sudo grub2-editenv list | grep page_poison kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If "page_poison" is not set to "1" or is missing, this is a finding. Check that page poisoning is enabled by default to persist in kernel updates: $ sudo grep page_poison /etc/default/grub GRUB_CMDLINE_LINUX="page_poison=1" If "page_poison" is not set to "1", is missing or commented out, this is a finding.

Fix Text

Configure RHEL 8 to enable page poisoning with the following commands: $ sudo grubby --update-kernel=ALL --args="page_poison=1" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="page_poison=1"

Additional Identifiers

Rule ID: SV-230277r792884_rule

Vulnerability ID: V-230277

Group Title: SRG-OS-000134-GPOS-00068

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001084

The information system isolates security functions from nonsecurity functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-3

Security Function Isolation