Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious Linux Kernel Vulnerability Patched (threatpost.com)

Posted by timothy on from the those-famous-many-eyes dept.

msm1267 writes: A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today. The vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, the company added. An attacker would require local access to exploit the vulnerability on a Linux server. A malicious mobile app would get the job done on an Android device. The vulnerability is a reference leak that lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications. Here's Perception Point's explanation of the problem.

6 of 85 comments (clear)

  1. Well, let's see how Google fixes this by cerberusss · · Score: 4, Interesting

    Well, let's see how Google fixes this... Although Lollipop (5.0) has been out since june 2014, I can still order for example the HTC Desire 310 which comes with Jellybean (4.2).

    How are all of these Android versions in the wild going to get fixed?

    --
    8 of 13 people found this answer helpful. Did you?
    1. Re:Well, let's see how Google fixes this by serviscope_minor · · Score: 4, Insightful

      How are all of these Android versions in the wild going to get fixed?

      Haha they're not!

      Welcome to the new way of doing things. Updates are for old fuddy duddies.

      --
      SJW n. One who posts facts.
    2. Re:Well, let's see how Google fixes this by serviscope_minor · · Score: 4, Insightful

      Unless you're driving a somewhat recent Nexus...then you'll get an update fairly quickly.

      I have a Nexus 4. It's still very much functional, but it's been EOL since May 2015, a scant 2.5 years after it was first released. By contrast my 8 year old eee 900 is happily running the latest version of everything.

      I'm typing this from my W510 laptop (at work---yay for slacking) which is now amazingly approaching 6 years old. It works great. It's running a 2 year old version of ubuntu (14.04 LTS) which will continue to be supported for another 3 years. However, I'll almost certainly upgrade to 16.04 and the laptop will keep on trucking (the 16G of RAM has stopped it aging badly) for many years to come.

      The state of mobile phones is beyond pathetic, compared to what we had for PCs.

      --
      SJW n. One who posts facts.
  2. Serious Linux Kernel Vulnerability Patched by Anonymous Coward · · Score: 5, Funny

    I don't run Serious Linux, so I'm fine.

  3. Re:Question by castionsosa · · Score: 4, Informative

    One of the biggest things, is ensuring the data isn't swapped to disk in an unencrypted format.

  4. Re:Question by ArsenneLupin · · Score: 5, Informative

    Why does the kernel need to store login info, certificates, and the like?

    While the question is legit, it has nothing to do with the bug.

    The bug is a reference counting issue, where an attacker can trick the kernel to release a buffer and reallocate it to another purpose, while the original process still holds a reference to it. That process can then abuse its reference (from the old purpose) to mess with the buffer (in its new purpose) in such a way that it obtains root privileges.

    It just happens that the original purpose was indeed about key management. But the bug would work just the same way if that purpose was something else. And the vulnerability even exists if this kernel feature is not used at all. It is not about disclosure of keys or anything like this.