Slashdot Mirror

← Back to Stories (view on slashdot.org)

5-Year-Old Linux Kernel Bug Fixed

Posted by Soulskill on from the must-have-been-union dept.

rastos1 sends in a report about a significant bug fix for the Linux kernel (CVE-2014-0196). "'The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device. 'This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31),' Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. 'A bug this serious only comes out once every couple years.' ... While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers, Rosenberg said."

61 of 127 comments (clear)

  1. This is the problem with Linux Security by metrix007 · · Score: 3, Insightful

    Linux and Greg K-H have both gone on record saying that security issues are just another type of bug, and don't deserve any type of special treatment.

    This is crap. A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.

    When you don't assign the significant to security issues that they deserve, they go unpatched for 5 years.

    It's kind of a concern.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
    1. Re:This is the problem with Linux Security by metrix007 · · Score: 3, Interesting

      To expand on this, not only do they not assign security bugs the priority they deserve, they actively hide them.

      http://arstechnica.com/securit...

      FWIW, I love Linux and used Slackware for almost a decade.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    2. Re:This is the problem with Linux Security by Anonymous Coward · · Score: 5, Interesting

      Well it can't be patched before it was discovered but you seem to be implying this issue was known about 5 years ago.

      How long from when it was discovered did it take to be patched?

    3. Re:This is the problem with Linux Security by waddgodd · · Score: 1, Insightful

      Well, in a normal situation, I'd say yes, but Linux's response to all bugs is similar, patch it as soon as there's a good patch. Now if it were a certain company in Redmond that scales its response based on customer "value", yeah, security bugs had best get fast-tracked. I honestly prefer the "fix all bugs and don't embargo fixes" response that linux does to the "when we discover bugs (heartbleed), we'll let the Cool Kids in on it first and then release it weeks later to the average user" response that Google does

      --
      Just because you're paranoid doesn't mean they aren't out to get you
    4. Re:This is the problem with Linux Security by naasking · · Score: 1

      A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.

      I agree security vulnerabilities are worse than simple bugs. However DoS is not. Our entire network infrastructure is already vulnerable to DoS, so vulnerabilities of this sort are just par for the course really.

      --
      Higher Logics: where programming meets science.
    5. Re:This is the problem with Linux Security by Wonko+the+Sane · · Score: 3, Interesting

      If the kernel developers allowed bugs to be clearly marked as security vunerabilities, then it would be trivial to use the Git commit history to identify the individuals who are merging these exploits into the kernel.

    6. Re:This is the problem with Linux Security by Microlith · · Score: 3, Insightful

      It's already trivial to do that. What would "clearly marking them as security vulnerabilities" gain?

    7. Re:This is the problem with Linux Security by wisnoskij · · Score: 3, Interesting

      I completely disagree. The reason I use a OS is because its features work and it doe snot crash all the time, I could not care less if it were 1% more secure.

      --
      Troll is not a replacement for I disagree.
    8. Re:This is the problem with Linux Security by Anonymous Coward · · Score: 5, Funny

      You know, Linux Torvaldx ix the guy who firxt xtarted writing the Linux kernel. He'x pretty famoux. I'm xurprixed you've never heard of him.

    9. Re:This is the problem with Linux Security by jcochran · · Score: 1, Troll

      The GIT entry for the bug was entered Dec 3, 2013. So that means at a minimum, the bug was known of and not fixed for 5 months. That's a bit excessive for 'A bug this serious only comes out once every couple years' kind of bug. I'll agree that 5 months is a lot shorter than 5 years, but it's still far too long.

    10. Re:This is the problem with Linux Security by ilotgov · · Score: 1

      Who is Linux agian?

    11. Re:This is the problem with Linux Security by Anonymous Coward · · Score: 1

      And by "GIT entry" you mean "CVE entry", which clearly says "Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."

      Look at the CVE entry. None of linked documents are earlier than last month.

    12. Re:This is the problem with Linux Security by Anonymous Coward · · Score: 3, Interesting

      Was it? Where? The git commit linked in the article is for 2014-05-03. Given the number of fixes and revisions this patch went through, one has to actually hunt it down in the MLs to know.

      So, can you please point us to the source of your information?

    13. Re:This is the problem with Linux Security by Anonymous Coward · · Score: 2, Informative

      There's no such thing as "GIT report" mentioned anywhere here, only GIT commits and they're too recent...

      Did you mean CVE? CVEs reservation dates don't correspond with bug discovery date - for example, CVE numbered one less than this one is not even created yet, but it lists the same "20131203" reservation date.

    14. Re:This is the problem with Linux Security by metrix007 · · Score: 2, Interesting

      You should read up some more on the clash between security professionals and the Linux maintainers.

      Some bugs are more critical than others, and hiding them not to get negative attention or (rightfully) be pressured to fix them is pretty bad.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    15. Re:This is the problem with Linux Security by naasking · · Score: 1

      I'm not referring to any specific DoS, just DoS as a general class aren't necessarily security vulnerabilities, ie. specific DoS vulnerabilities might also be security vulnerabilities, but being a DoS vulnerability does not automatically also make it a security vulnerability.

      --
      Higher Logics: where programming meets science.
    16. Re:This is the problem with Linux Security by metrix007 · · Score: 1

      Stability and security are not mutually exclusive.

      Although if you care about stability, then you should also care about security since many malicious attacks can affect stability.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    17. Re:This is the problem with Linux Security by dreamchaser · · Score: 1

      Any bug that allows a remote attacker to compromise a system, be it stealing data or denial of service, is a security vulnerability. All DoS vulnerabilities are security vulnerabilities by definition.

    18. Re:This is the problem with Linux Security by phantomfive · · Score: 1

      A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.

      You are right, but it doesn't apply in this case. This was a privilege-escalation exploit, which means you already need an account on the computer to do anything.

      It's still a problem and I'm willing to bet there are more of these in the Linux kernel, just because they're so tough to clean out.

      --
      "First they came for the slanderers and i said nothing."
    19. Re:This is the problem with Linux Security by Bite+The+Pillow · · Score: 1

      Your argument does not convince. Why reserve a CVE Id and sit on it for six months? Maybe there is a reason, I'm not familiar with how CVE internals work. Your argument is pointless without more support. Sounds like you don't understand the system you defend, which seems rather silly.

    20. Re:This is the problem with Linux Security by metrix007 · · Score: 1

      Excuse me, but what flamebait? I did not insult you or your argument, instead I made a valid counter argument.

      Oh, and my point wasn't that the maintainers are rude. My point is that the security industry keeps insisting the the Linux team practice responsible disclosure, and they keep arguing there is no need or benefit.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    21. Re:This is the problem with Linux Security by metrix007 · · Score: 1

      The examples I used in my post were just that, examples. They were not meant to be specific to this story, as I think the issue is greater than just this story.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    22. Re:This is the problem with Linux Security by MadTinfoilHatter · · Score: 1

      A bug that allows remote code execution or even a DoS is a much, much bigger issues than fixing the user experience or minor stability issues.

      May be. But this particular bug does not allow remote anything. It requires a local malicious user. PFTFCVELITS (Please Follow The Fine CVE Link In The Summary)

    23. Re:This is the problem with Linux Security by Bryan+Ischo · · Score: 4, Insightful

      Taking off-topic potshots against FOSS in response to a misinformed post which incorrectly describes the date of the bug report in response to a post which inaccurately maligns the attitude of kernel developers towards security bugs?

      For fuck's sake, we're three levels deep in FUD here. Someone throw me a rope so I can pull myself out of this quagmire of bullshit.

    24. Re:This is the problem with Linux Security by fizzer06 · · Score: 1

      My post contained the question.

    25. Re:This is the problem with Linux Security by tlhIngan · · Score: 1

      This was a privilege-escalation exploit, which means you already need an account on the computer to do anything.

      Any account would do. Even say, "nobody".

      All you need is the ability to run an arbitrary binary, which a buggy CGI script is more than adequate. Basically, if you have a bit of shellcode, that's sufficient. Once you have that going, then you can easily exploit your way to more priviledges.

      That said, for the time being we now have a good way to root our Android phones.

    26. Re:This is the problem with Linux Security by phantomfive · · Score: 1

      That said, for the time being we now have a good way to root our Android phones.

      .......until you reboot. Unless you can get at the bootloader.

      --
      "First they came for the slanderers and i said nothing."
    27. Re:This is the problem with Linux Security by Barsteward · · Score: 1

      i could accuse you of the same thing.. " I'm not familiar with how CVE internals work, my argument is pointless without more support." fixed it for you..

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    28. Re:This is the problem with Linux Security by jones_supa · · Score: 1

      Although if you care about stability, then you should also care about security since many malicious attacks can affect stability.

      True, but most stability problems do not stem from malicious attacks.

    29. Re:This is the problem with Linux Security by The123king · · Score: 2

      Bugs can be ancient. anyone remember that Windows VDM bug that affected every version of Windows based on NT? How is this bug different?

      Bugs have to be found, you can't expect every bug to just be easy to find. That's how things like Heartbleed, and the VDM bug don't get discovered for years. I'm sure there's probably bugs almost as old as Linux itself in the kernel, and i'm almost certain there's bugs in Windows affecting everything from 3.1 up.

      But yes, i'd be very suprised if this bug was reported 5 years ago. It's not unheard of in the Linux world, but it really shouldn't be happening, and thankfully happens rarely (and when it does, Slashdot has a field day)

      --
      If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
    30. Re:This is the problem with Linux Security by Threni · · Score: 1

      > This is crap. A bug that allows remote code execution or even a DoS is a much,
      > much bigger issues than fixing the user experience or minor stability issues.

      You're not a security professional. You should have to put that in your sig file. The linux kernel is used in many different situations, and clearly some security problems only pose a risk in some of those situations. IE. a lot of embedded systems will never be vulnerable to this particular issue.

      A bug is a bug. All bugs should be triaged and then treated accordingly. You don't pretend a bug is more important because security is the flavour of the month.

    31. Re:This is the problem with Linux Security by Eunuchswear · · Score: 1

      Yes, the chances are very good that a bug submitter is going to get a "patch or GTFO" response.

      Not my experience. If you report a serious bug wirth enough supporting information it's quite likely someone else will propose a patch.

      --
      Watch this Heartland Institute video
    32. Re:This is the problem with Linux Security by Wootery · · Score: 1

      A bug is a bug. All bugs should be triaged and then treated accordingly. You don't pretend a bug is more important because security is the flavour of the month.

      But a bug which can be exploited to give a security hole necessarily deserves a high priority, no?

      You're not a security professional

      don't pretend a bug is more important because security is the flavour of the month

      A bug which enables a remote attacker to compromise a server is necessarily a serious one, no? I really don't get what your point is with this flavour of the month thing.

    33. Re:This is the problem with Linux Security by naasking · · Score: 1

      You're missing the point: our network infrastructure is already DoS vulnerable. A remote DoS is just another drop in a full pool. To suggest that a DoS vulnerability "compromises" the remote system doesn't seem justified.

      --
      Higher Logics: where programming meets science.
    34. Re:This is the problem with Linux Security by metrix007 · · Score: 2, Interesting

      The OP does not inaccurately malign the attitude of the kernel develops towards security bugs. Their stance is widely known.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    35. Re:This is the problem with Linux Security by metrix007 · · Score: 1

      It contained nested quotes. I see no text that can be attributed to you.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    36. Re:This is the problem with Linux Security by kwbauer · · Score: 1, Informative

      Fact: FOSS proponents extremely frequently in the past claimed that OSS was security issue free because of all the review of the code that was happening.
      Fact: The code shipped 5 years ago according to the story.
      Fact: The story is about a security issue that shipped.

      Therefore, pointing out that the proponents of FOSS are full of shit because a bug shipped is not off-topic for a story about a bug shipping in open-source software.

      I was simply posting that the argument about when the bug was first reported is irrelevant as the OSS claim is that all bugs are found and fixed before ever shipping.

    37. Re:This is the problem with Linux Security by Mathinker · · Score: 1

      > Actually, I am a security professional, working for one of the largest security companies in the industry.

      Hm, let me guess. You work for Microsoft, in the team developing Microsoft Security Essentials?

    38. Re:This is the problem with Linux Security by Mathinker · · Score: 1

      > FOSS proponents extremely frequently in the past claimed that OSS was security issue free

      Nice strawman, there.

      Personally, I'd say that the only frequently claimed advantage claimed for FOSS in the past was that it was, then, so niche that no one would find it worthwhile to try to exploit. Times have changed, now. For example: Firefox, Chromium, and, I'd say, even desktop Linux isn't safe anymore according to that criterion (server Linux never was safe, since servers are such juicy targets).

    39. Re:This is the problem with Linux Security by metrix007 · · Score: 1

      No Sir. I said a security company. Not a company with a security department.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    40. Re:This is the problem with Linux Security by kwbauer · · Score: 1

      Sorry but your personal view is what others tried to point out as the advantage. The proponents claimed exactly what I wrote they claimed. Searching through Slashdot posts within the past 12 months find such claims.

      Personally, I agree with your position on why most FOSS code has been exploited; that just doesn't fit what many proponents were claiming.

    41. Re:This is the problem with Linux Security by kwbauer · · Score: 1

      Here is an example of just such a claim and it is very recent. http://it.slashdot.org/comment...

    42. Re:This is the problem with Linux Security by Mathinker · · Score: 1

      >> So yes, I think their safeguards and failsafes extend beyond Windows Update and Norton.
      >> Open sourcing their code reduces the black-box vulnerabilities well beyond that level to
      >> begin with.

      is the same as

      > FOSS proponents extremely frequently in the past claimed that OSS was security issue free

      eh?

      I could analogously argue that your logical ability (which seems small), is zero. But I won't.

      Small != zero, and conflating them can be a strawman argument, since it also means conflating their reciprocals.

    43. Re:This is the problem with Linux Security by hobarrera · · Score: 1

      Fact: FOSS proponents extremely frequently in the past claimed that OSS was security issue free because of all the review of the code that was happening.

      False. OSS proponents claim that OSS has less security issues than closed source software, and that they're easier to find and fix. Nobody ever stated that security bugs were completely inexistant. They're just fewer in number, and, usually, fixed faster.

    44. Re:This is the problem with Linux Security by dreamchaser · · Score: 1

      Fair enough, I think we're talking semantics here now. All I know is a lot of my clients do, and rightly so, consider DoS to be a security issue.

  2. Soooo..... by Anonymous Coward · · Score: 1

    'A bug this serious only comes out once every couple years.'

    ....in the time it took to fix this bug they got two more just as bad?

    One step forward, two steps back.

  3. 5-year-old allegations by turkeydance · · Score: 1

    are demotions or dismissal. let alone actual proof. in a four-year administration.

  4. Re:OpenBSD time... by cheater512 · · Score: 1

    Oh don't worry too much about it.

    It is only notable because everyone is desensitized about commercial software bugs.
    Compare it to Windows. How many patches do they make which are major or critical each year?

  5. This is the problem with Windows Security by Anonymous Coward · · Score: 1, Insightful

    count the # of remote exploits patches in each version of Windows and how many years between patches where the OS was vulnerable.

  6. Re:OpenBSD time... by vux984 · · Score: 1, Insightful

    Compared to Hartbleed and this, I don't know of any of similar critical level and impact.

    Any remotely exploitable bug that allows for remote code execution / priviledge escalation without user interaction is just as bad or worse.

    After all, heartbleed was "just" a remotely exploitable memory "leak"; but if you have remote code execution, you can scan the memory and send home anything interesting; to the same effect as heartbleed, plus anything else you might want to do once you are running on the system.

    Windows XP early on (until SP1 or 2?) was remotely exploitable in this way as I recall. And there have been other exploits just as bad over the years.

    Heartbleed was a big deal but its not singularly bad. There's been others before it.

  7. I gotta say by Anonymous Coward · · Score: 2, Funny

    a "doe snot crash" sounds pretty bad to me. Just sayin'. Do you have deer hanging around your computer?

    1. Re:I gotta say by tepples · · Score: 1

      Do you have deer hanging around your computer?

      Yeah, plenty of goldeer and even a few eldeer.

  8. Re:OpenBSD time... by metrix007 · · Score: 1

    OpenBSD is and mostly always has been a joke.

    "Secure by default" isn't the same as auditing a few core services and disabling the rest.

    They do a great job of maintaining OpenSSH though.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  9. I owe it all to Explain Like I'm Five by tepples · · Score: 1

    Would that be the result of a 5-year-old following Explain Like I'm Five for a while and becoming smarter than the average public school teacher (see recent story about public school failure)?

  10. 5 year old tempest in tty pot by stock · · Score: 3, Interesting

    The problem was well discussed in 2009 here : A tempest in a tty pot https://lwn.net/Articles/34382... The result was that after a heated debate, Alan Cox was blamed for allowing old code to stay because emacs would loose terminal output and Greg KH was simmoned to stepup as the TTY maintainer. The new TTY/PTY guys became James Simmons, the Frame-buffer guy and C. Scott Ananian, the former jack-of-all-trades for the One Laptop per Child Foundation. Curious enough it were not Linux server systems like RedHat Enterprise who have been vulnerable for almost 5 years, but the popular Linux desktop distro's like Ubuntu.

    1. Re:5 year old tempest in tty pot by Anonymous Coward · · Score: 1

      Curious enough it were not Linux server systems like RedHat Enterprise who have been vulnerable for almost 5 years, but the popular Linux desktop distro's like Ubuntu.

      Wrong. RHEL 5 isn't affected, it uses an old kernel. RHEL 6 is affected: https://bugzilla.redhat.com/sh...

      This issue does not affect the versions of the Linux kernel packages as shipped
      with Red Hat Enterprise Linux 5.

      This issue does affect the versions of the Linux kernel packages as shipped
      with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2

  11. POC doesn't work here. by ralphtheraccoon · · Score: 5, Interesting

    I read through the POC, it seemed safe enough to play with, so I've tried it out on a few different servers here (CentOS & Debian Stable). On the CentOS boxes it dies before it even gets started trying to overflow into a tty, and on my Debian machine it's been going for 5 minutes (using up to 90% CPU, but still leaving the machine quite usable), and still hasn't got anywhere.

    This isn't quite the "instant ROOT ACCESS!" privilege escalation that scares keeps sysadmins up at night. (unless I'm missing something...)

  12. Must mention microkernels by Megol · · Score: 2

    As something like this would be impossible with the driver executing in an isolated process. Memory corruption would still be possible of course (unless the driver was written in a secure language) but it would be local.

    1. Re:Must mention microkernels by Megol · · Score: 1

      The L4 family, QNX, K42 and Nemesis/Expert shows that the kernel/userspace division is enough.

      In fact there are systems that doesn't have even two "rings" and are secure. One example is the Microsoft research Singularity that uses a secure programming language, another is the Go component design (can't find a link sadly) that uses segmentation combined with a light-weight processor abstraction for protection. There are many others.

      The L4 kernel have switching times as low as some hundred cycles between components (https://www.l4ka.org/126.php) and this could be lowered on current x86 processors that supports address space ids. K42 and Nemesis should be even more light-weight as they only transport the contents of registers (K42) or one data value (Nemesis) using mostly user-space management of communication.

  13. openbsd by astar · · Score: 2

    Openbsd defines any potential security issue as a bug. Emphasis potential. The interesting actual exploits these days are sometimes 15 unexploitable glitches strung together.

    The Linux kernel is oriented towards supporting all the cutting edge hardware. This is not going to make security very practical. Openbsd is, ah, stodgy. But what openbsd brags on is "no remote holes in the default install" not "no local exploits".

    I think that Linus cannot fix this sort of issue. Theo could take lessons from Linus on nasty around systemd but Linus has not been consistently nasty and I think it too late.

    Send Theo money.

  14. +1 -- must mention microkernels & even languag by Paul+Fernhout · · Score: 1

    As I suggested in this thread here in Dec 2012: http://developers.slashdot.org...
    "One thing of concern to me about this (not knowing the kernel communications culture or the previous interactions of Linus and this maintainer) is whether the Linux kernel (and development community) has maybe reached some point where old development methods are breaking down in trying to support an every growing monolithic kernel approach? I initially [resisted] using Linux in the 1990s because I knew there were alternative architectures available, like from QNX, Erlang, Actor, or Smalltalk, and I had hoped those alternatives would prevail. I started using GNU/Linux only when it seemed like the social momentum there was unstoppable. Thus my previous comment on "message passing" as perhaps a better architecture for software in the 21st century because if can help address theses issues of redundancy, modularity, and testability as ways to manage risk from complexity."

    It comes down to priorities. The Linux Kernel community seems to have historically prioritized maximum speed over things like security, reliability, ease-of-use, or even driver developer sanity (like statements of Linux leaders saying stuff like like APIs can be changed at will and it does not matter how much time it takes driver developers to deal with it). I'm not saying they don't care at all about these other issues, just that historically it was not a priority. If they did priorities these other things, then a message passing microkernel (more like QNX) makes more sense. Also, using a language with better bounds checking and such might also be valuable, however with a microkernel choice of language may not matter as much since most of the code for most drivers could be outside the kernel.

    Anger often comes from fear. What is Linus afraid of? A big worry must be kernel getting severely broken by some contribution, That's what really sets him off into profanity. The more code involved, the more likely that can happen. I would predict that the amount of profanity Linus needs to use to keep the Kernel team in order is a good inverse metric of Kernel design quality relative to current needs. :-) And I'd suggest the amount of profanity needed is growing given the current design and current community needs and it does not bode well. :-(

    Personally, at this point, I would *gladly* use a computer system that was half as fast but never crashed, never put my privacy or security at risk by bugs, never required a "recompile" just to install drivers, never had weird problems dues to incompatible versions of drivers it could not detect or manage, was ported easily to any hardware so it was truly universal, was easily upgradable indefinitely, was transparently networkable with other hardware running the same OS as one big virtual computer, which had a community of developers making new useful stuff instead of being pinned down by just keeping up with kernel API changes, and so on...

    One of the reason Linux on the desktop failed is because of all these things and the pain all these continual changes to a monolithic kernel cause a general user and what a pain in the butt it would be to get any hardware installed and configured. Linux had tremendous amounts of goodwill and human time devoted to it, but it seems much of that got wasted on dealing with a monolithic kernel which meant at best that Linux computers worked 30% faster (or as fast as next years models would otherwise) -- but only when they worked, which was painful enough that people just abandoned Linux on the desktop. That is true even people like me who ran Debian as a desktop for about five years and eventually got tired of all the random breakage and moved to the Mac (maybe regretting it a bit now with Apple's new annual OS releases and developers abandoning versions from just a year or two ago...) -- and while some of the break

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.