CVE-2010-3904 — Linux Kernel Improper Input Validation Vulnerability

CVE-2010-3904

Linux Kernel RDS — Improper Input Validation in Reliable Datagram Sockets Enables Local Privilege Escalation to Root

What is the Linux Kernel RDS Protocol?

The Linux kernel's Reliable Datagram Sockets (RDS) protocol is a transport-layer protocol for high-performance, low-latency communication between nodes in a cluster, developed by Oracle primarily for Oracle RAC (Real Application Clusters) database workloads. RDS provides reliable, ordered datagram delivery over InfiniBand or TCP transports. Its implementation (net/rds) was merged into the mainline kernel in 2.6.30 (2009). RDS is a little-known subsystem, but distributions commonly build it as a loadable module (Red Hat Enterprise Linux and Oracle Linux among them), and because the kernel auto-loads a protocol module on the first socket() call for its address family, the module is reachable by any local user whether or not anything on the system uses RDS. That combination turned an obscure clustering transport into a local privilege escalation path on ordinary servers.

Overview

CVE-2010-3904 is a high-severity local privilege escalation vulnerability (classified as CWE-1284, CVSS 3.1 7.8) in the Linux kernel's RDS (Reliable Datagram Sockets) protocol implementation. rds_page_copy_user() in net/rds/page.c copies data between RDS message pages and caller-supplied buffers, but it did not verify that the buffer addresses taken from the sendmsg()/recvmsg() iovecs actually lie in user space. A local user can therefore make the kernel read from and write to arbitrary kernel addresses and use that to gain root. Exploitation is reliable, needs no privilege beyond calling socket() on AF_RDS (which any user can do), and a working exploit was published with the advisory. CISA added the CVE to the KEV catalog in May 2023; its required action notes that the affected kernels are end-of-life and should be disconnected.

Affected Versions

Product                                      | Status   | Fix
Linux kernel 2.6.30 through 2.6.36-rc8       | Affected | Update to 2.6.36 or later, or apply upstream commit 799c10559d60f159ab2232203f222f18fa3c4a5f ("De-pessimize rds_page_copy_user")
Red Hat Enterprise Linux 5 with RDS enabled  | Affected | Apply the RHSA security update for the release
Red Hat Enterprise Linux 6 with RDS enabled  | Affected | Apply the RHSA security update for the release

Note: RDS does not need to be loaded in advance to be exploitable. When RDS is built as a module (CONFIG_RDS=m), the first socket(AF_RDS, SOCK_SEQPACKET, 0) call from any user makes the kernel request the rds module, so a system is exposed unless RDS is compiled out (CONFIG_RDS unset) or module loading is blocked by modprobe policy (see Remediation). When RDS is built in (CONFIG_RDS=y), only a kernel update helps. Distribution kernels carry backported fixes, so the upstream version range is a hint, not a verdict; check the vendor advisory for the running kernel. The affected upstream kernel versions are end-of-life.
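
The following probe, added here as an illustration and not taken from the advisory or the kernel tree, checks whether an unprivileged process on the current host can obtain an AF_RDS socket, which is the first thing any exploit for this bug has to do. It also snapshots /proc/modules before and after the socket() call so that the autoload side effect is visible: on a host with CONFIG_RDS=m and no modprobe policy, running the probe loads the rds module. The function names (classify_rds_socket, modules_list_has_rds, probe_rds) and the AF_RDS fallback value of 21 (PF_RDS from linux/socket.h) are assumptions of this example.

```c
/*
 * Added example (not from the advisory or the kernel tree): probe whether
 * the RDS protocol is reachable from an unprivileged process.  Creating the
 * socket triggers the kernel's request_module("net-pf-21"), so on a host
 * with CONFIG_RDS=m and no modprobe policy the probe itself loads the rds
 * module; the before/after check of /proc/modules makes that visible.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_RDS
#define AF_RDS 21          /* PF_RDS from linux/socket.h, for old libc headers */
#endif

enum rds_probe { RDS_REACHABLE, RDS_UNAVAILABLE, RDS_OTHER_ERROR };

/* Pure classification of a socket() result, so the decision logic can be
 * exercised without touching the kernel. */
enum rds_probe classify_rds_socket(int fd, int err)
{
    if (fd >= 0)
        return RDS_REACHABLE;
    /* No handler for PF_RDS: CONFIG_RDS is unset, or modprobe refused to
     * load rds (an "install rds /bin/true" or "blacklist rds" policy). */
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT || err == ESOCKTNOSUPPORT)
        return RDS_UNAVAILABLE;
    /* EPERM/EACCES (seccomp, LSM) or resource errors: inconclusive. */
    return RDS_OTHER_ERROR;
}

/* True if /proc/modules-style text lists the "rds" module itself
 * (rds_tcp and rds_rdma are separate modules that depend on it). */
bool modules_list_has_rds(const char *text)
{
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, "rds ", 4) == 0)
            return true;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return false;
}

bool rds_module_loaded(void)
{
    static char buf[1 << 18];
    FILE *f = fopen("/proc/modules", "r");
    if (!f)
        return false;                    /* no module support or no procfs */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return modules_list_has_rds(buf);
}

enum rds_probe probe_rds(int *err_out)
{
    int fd = socket(AF_RDS, SOCK_SEQPACKET, 0);   /* the only type RDS registers */
    int err = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);
    if (err_out)
        *err_out = err;
    return classify_rds_socket(fd, err);
}

int main(void)
{
    bool before = rds_module_loaded();
    int err = 0;
    enum rds_probe r = probe_rds(&err);
    bool after = rds_module_loaded();

    switch (r) {
    case RDS_REACHABLE:
        printf("AF_RDS socket created: RDS is reachable by this user%s\n",
               (!before && after) ? " (the probe autoloaded the rds module)" : "");
        return 1;
    case RDS_UNAVAILABLE:
        puts("AF_RDS unavailable: RDS is compiled out or module loading is blocked");
        return 0;
    default:
        printf("socket(AF_RDS) failed: %s (inconclusive)\n", strerror(err));
        return 2;
    }
}
```

Run it as an ordinary user after putting the modprobe policy in place; a return of 1 on a kernel in the affected range means the bug is reachable, and the "autoloaded" suffix means the policy is not doing its job. Reachability does not by itself prove the kernel is unpatched: a fixed kernel still hands out AF_RDS sockets.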

Technical Details

The vulnerability (classified as CWE-1284: Improper Validation of Specified Quantity in Input) is in rds_page_copy_user() in net/rds/page.c. When a process sends on an RDS socket, the kernel copies the payload from the caller's iovec buffers into kernel pages that make up the RDS message; when it receives, it copies message bytes from those pages back into the caller's iovec buffers. rds_page_copy_user() performed both copies with the __copy_to_user_inatomic()/__copy_from_user_inatomic() (and, as fallback, __copy_to_user()/__copy_from_user()) primitives. Those variants skip the access_ok() range check because they are meant to be called only after the caller has validated the user address, and nothing in the RDS send or receive path validated it.

A local attacker therefore controls both the data and the address of a kernel-mode copy. A recvmsg() call whose iovec base is a kernel address makes the kernel copy attacker-chosen message bytes (staged earlier with sendmsg()) to that address, an arbitrary kernel write; a sendmsg() whose iovec base is a kernel address copies kernel memory into a message that recvmsg() then returns, an arbitrary kernel read. With an arbitrary write, overwriting a kernel function pointer or the process's credential structure is enough to run code as UID 0. The fix made rds_page_copy_user() use copy_to_user()/copy_from_user(), which run access_ok() first and return EFAULT for any range that is not entirely within user space.
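
The check that the fix restored is small, and its two conditions are the whole difference between the vulnerable and the patched function. The program below is a user-space model written for this page, not kernel code: it reproduces the kernel's range test (no wrap-around, end of range at or below the user/kernel boundary) and runs the same write-to-kernel-address request through an unchecked copy, as the pre-fix rds_page_copy_user() did, and through a checked copy, as the fixed one does. The boundary constant TASK_SIZE_MAX, the KERNEL_BASE address, the two 64-byte backing arrays and the function names are assumptions of the model; the "original" and "payload" words are constructed values.

```c
/*
 * Added example, not kernel code: a user-space model of the check that the
 * fix restored.  The pre-fix rds_page_copy_user() used the __copy_*_user
 * variants, which trust their pointer; the fix switched to copy_to_user() /
 * copy_from_user(), which first run access_ok().  The address constants and
 * the two 64-byte "memories" below are assumptions chosen for the model.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifndef EFAULT
#define EFAULT 14
#endif
#define TASK_SIZE_MAX 0x00007ffffffff000ULL   /* model: user space ends here */
#define KERNEL_BASE   0xffffffff81000000ULL   /* model: a kernel data region */

static unsigned char user_mem[64];             /* backs model addresses [0, 64)         */
static unsigned char kernel_mem[64];           /* backs [KERNEL_BASE, KERNEL_BASE + 64) */

/* Same two conditions as the kernel's range check: the end of the range must
 * not wrap around, and must stay at or below the user/kernel boundary. */
bool model_access_ok(uint64_t addr, size_t size)
{
    uint64_t end = addr + size;
    if (end < addr)
        return false;            /* wrap: e.g. addr = 0xffff...ffff, size = 2 */
    return end <= TASK_SIZE_MAX;
}

/* Translate a model address to backing storage, or NULL if unmapped. */
static unsigned char *model_resolve(uint64_t addr, size_t n)
{
    if (addr + n <= sizeof user_mem)
        return user_mem + addr;
    if (addr >= KERNEL_BASE && addr - KERNEL_BASE + n <= sizeof kernel_mem)
        return kernel_mem + (addr - KERNEL_BASE);
    return NULL;
}

/* Pre-fix behaviour: the destination pointer is trusted as-is. */
int copy_to_user_unchecked(uint64_t dst, const void *src, size_t n)
{
    unsigned char *p = model_resolve(dst, n);
    if (!p)
        return -EFAULT;          /* unmapped: the real kernel would oops here */
    memcpy(p, src, n);
    return 0;
}

/* Post-fix behaviour: access_ok() gate, then the same copy.  The real
 * copy_to_user() returns the number of bytes left uncopied and
 * rds_page_copy_user() turns any non-zero count into -EFAULT. */
int copy_to_user_checked(uint64_t dst, const void *src, size_t n)
{
    if (!model_access_ok(dst, n))
        return -EFAULT;
    return copy_to_user_unchecked(dst, src, n);
}

/*
 * The attacker's move: recvmsg() with an iovec whose base is a kernel
 * address, so the 8-byte message payload (chosen by the sender) lands in
 * kernel memory.  Returns the copy's status; *slot_after receives the word
 * at the target so the caller can see whether it was overwritten.
 */
int simulate_recvmsg_to_kernel(bool fixed, uint64_t *slot_after)
{
    const uint64_t target   = KERNEL_BASE + 8;         /* e.g. a function pointer slot */
    const uint64_t original = 0x4141414141414141ULL;   /* constructed "good" value     */
    const uint64_t payload  = 0x0000000000400000ULL;   /* constructed attacker value   */

    memcpy(kernel_mem + 8, &original, sizeof original);
    int rc = fixed ? copy_to_user_checked(target, &payload, sizeof payload)
                   : copy_to_user_unchecked(target, &payload, sizeof payload);
    memcpy(slot_after, kernel_mem + 8, sizeof *slot_after);
    return rc;
}
```

The unchecked path returns 0 and the kernel word now holds the payload; the checked path returns -EFAULT and the word is untouched. The wrap-around test matters as much as the boundary test: a base address just below 2^64 plus a modest length would pass a naive "end below limit" comparison.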

A working exploit was published with the advisory. In outline it creates RDS sockets, stages attacker-chosen bytes with sendmsg(), and then calls recvmsg() with an iovec pointing at a kernel address so that those bytes are written there; the public exploit used that write to redirect a kernel function pointer to a payload that set the calling process's credentials to root, a technique that worked on the hardware and kernels of the time, before SMEP/SMAP and KPTI-era mitigations. Because it was short and reliable on default kernels, the exploit became a standard item in Linux post-exploitation toolkits for years afterwards.

Discovery

Discovered and published by Dan Rosenberg of Virtual Security Research (VSR). The advisory, with a full working exploit, was posted on October 19, 2010, after Linus Torvalds had committed the fix to mainline on October 15, 2010 (commit 799c10559d60f159ab2232203f222f18fa3c4a5f, "De-pessimize rds_page_copy_user", which replaced the unchecked __copy_*_user calls in rds_page_copy_user() with copy_to_user()/copy_from_user()); the fix shipped in Linux 2.6.36 on October 20, 2010. Publishing the exploit let administrators test their own systems before distribution kernels caught up, and it also handed attackers a ready-made tool for any system that lagged.

Exploitation Context

Linux kernel local privilege escalation vulnerabilities are invaluable as second-stage exploit tools:

  • Post-exploitation privilege escalation: CVE-2010-3904 was widely used as a second-stage tool after attackers gained code execution as a low-privilege user (for example through a web application vulnerability, a compromised SSH credential, or a foothold inside a container). The reliable public exploit made it a standard component of toolkits targeting Linux servers.
  • Shared hosting environments: Where multiple customers shared one physical or virtual server, a compromised customer account could escalate to root and reach other customers' data.
  • Container escape context: Containers share the host kernel, so a kernel privilege escalation run inside a container (early LXC-style deployments included) yields root on the host; container isolation is not a boundary against kernel bugs, although a seccomp filter that denies socket() for AF_RDS would block this particular one.
  • Long persistence of vulnerable kernels: Production kernels are slow to change. RHEL 5 and RHEL 6 systems running old kernel builds remained exposed for years after the fix was available.
  • CISA 2023 KEV addition: The May 2023 addition, more than 12 years after the fix, means CISA had evidence of active exploitation; the catalog entry gives no detail about where or by whom, but the plausible use is as the privilege-escalation step of a multi-stage intrusion on unpatched legacy systems.

Remediation

  1. Apply kernel security update: Update to Linux kernel 2.6.36 or later, or apply the upstream fix (commit 799c10559d60f159ab2232203f222f18fa3c4a5f) to the affected kernel. For RHEL/CentOS and other distributions, apply the vendor's security advisory for the running kernel; distribution version strings do not track upstream, so go by the advisory rather than by the version number.
  2. Block loading of the rds module: If RDS is not needed (the case for everything except Oracle clustering workloads), stop the kernel from loading it. A plain "blacklist rds" line only stops alias-based loading; the stronger form is an install override such as "install rds /bin/true" in a file under /etc/modprobe.d/ (for example /etc/modprobe.d/disable-rds.conf), which makes every load attempt, including the kernel's own request when a process calls socket(AF_RDS, ...), run /bin/true instead of loading the module. Afterwards confirm with lsmod that rds is not already loaded, and unload it if it is. Neither directive has any effect when CONFIG_RDS=y (RDS built into the kernel image); only a kernel update helps there.
  3. Upgrade operating system: Systems running kernels in the 2.6.30 to 2.6.36-rc8 range should be upgraded to a supported OS with a patched kernel (RHEL 7+, Ubuntu 18.04+, or current versions of other distributions).
  4. Decommission legacy systems: CISA's required action states that impacted end-of-life products should be disconnected. Systems that cannot be updated should be isolated from the network or decommissioned.

Key Details

Property              Value
CVE ID                CVE-2010-3904
Vendor / Product      Linux — Kernel
NVD Published         2010-12-06
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-1284
CISA KEV Added        2023-05-12
CISA KEV Deadline     2023-06-02
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-06-02. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date        Event
2010-10-15  Fix committed to the Linux mainline tree by Linus Torvalds (commit 799c10559d60f159ab2232203f222f18fa3c4a5f, "De-pessimize rds_page_copy_user")
2010-10-19  VSR advisory and working exploit published by Dan Rosenberg
2010-10-20  Linux 2.6.36 released with the fix
2010-12-06  CVE-2010-3904 published by NVD
2023-05-12  CISA adds the CVE to the KEV catalog on evidence of active exploitation of legacy kernels
2023-06-02  CISA BOD 22-01 remediation deadline

References

Resource                  Type
NVD — CVE-2010-3904       Vulnerability Database
CISA KEV Catalog Entry    US Government