Slashdot Mirror

← Back to Stories (view on slashdot.org)

5-Year-Old Critical Linux Vulnerability Patched (threatpost.com)

Posted by EditorDavid on from the local-Linux-attacks dept.

msm1267 quotes Kaspersky Lab's ThreatPost: A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years. Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introd in August 2011.

A patch was pushed to the mainline Linux kernel December 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes. The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.
"Basically it's a bait-and-switch," the researcher told Threatpost. "The bug allows you to trick the kernel into thinking it is working with one kind of object, while you actually switched it to another kind of object before it could react."

30 of 68 comments (clear)

  1. Bug discovered, 4 days later, patch released. by Anonymous Coward · · Score: 5, Insightful

    The real story here, is that 4 days after the vulnerability was made known to the devs, a patch was released.

    1. Re:Bug discovered, 4 days later, patch released. by Abu+of+unruley+kids · · Score: 2

      ^ This

    2. Re:Bug discovered, 4 days later, patch released. by Kjella · · Score: 1

      The real story here, is that 4 days after the vulnerability was made known to the devs, a patch was released.

      Why? If no bad guys have found it the difference between four days or and three months is of little difference. If the bad guys have found it (or worse yet, planted it) the difference between five years and four days and five years and three months is also of little difference. Not the kind of casual bad guys that deal with cryptolockers and botnets and identity theft, if they found it you'd probably see it in the wild and exposed. But targeted attacks for industrial espionage and such could probably use it in narrow attacks for a long time before being spotted.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Bug discovered, 4 days later, patch released. by Anonymous Coward · · Score: 1

      No. That's the story you want people to talk about as a distraction to the real story. "Look guys. As soon as someone bothered to actually check the code we fixed it so fast!!" SO FAST!!!

    4. Re:Bug discovered, 4 days later, patch released. by Abu+of+unruley+kids · · Score: 1

      Kernel code isn't blindly put in to the code base. Linus and his trusted few do a great job, at weaving out the garbage submissions, for the most part. They aren't as affective as OpenBSD, with their useful paranoid code audits. If your concerned about future instances like this. Please contribute your time, not your tears.

    5. Re:Bug discovered, 4 days later, patch released. by Anonymous Coward · · Score: 1

      I'd have to use Linux to be the one crying.

    6. Re:Bug discovered, 4 days later, patch released. by antdude · · Score: 1

      I don't see it for Debian stable/Jessie so far. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re:Bug discovered, 4 days later, patch released. by Anonymous Coward · · Score: 1

      The point is the bad guys had no better visibility than everyone else, unlike closed source,where bad guys, by definition, will gladly steal the codebase or traffic in it, and the codemonkeys at the business are busy writing new code or fixing bugs that users have already found and complained enough about to go and do an audit of the code, which doesn't generate new income.

      The whole thing shows open source or closed the problem is identical. people generally aren't looking at the code from a security perspective except those few doing security research or bad actors, both of those groups have all the code access they require.

  2. Re:Not surprising by godrik · · Score: 2, Informative

    The amazing thing to me is that the linux kernel doesn't even have a testsuite like GCC or binutils (correct me if I'm wrong).

    There is a test suite here.

  3. bug cannot be exploited remotely by Anonymous Coward · · Score: 1, Insightful

    If an attacker is in the same room as your system, you're already pwnd.

    1. Re:bug cannot be exploited remotely by bill_mcgonigle · · Score: 3, Insightful

      If an attacker is in the same room as your system, you're already pwnd.

      This bug can't be exploited remotely. Other bugs can, to get a local user shell, then you stack this one on top.

      They're all problems.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:bug cannot be exploited remotely by buchner.johannes · · Score: 1

      You could be ssh-d into the machine as a user, and this will give you root privileges. No physical proximity needed.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:bug cannot be exploited remotely by KiloByte · · Score: 1

      In 99.9% cases, if you pwn that local user, you control everything that server is doing. Applies to client machines, too.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. The five year old ... by CaptainDork · · Score: 1

    ... is out of intensive care and is rocking the eye patch.

    --
    It little behooves the best of us to comment on the rest of us.
  5. Re:Not surprising by Anonymous Coward · · Score: 1, Interesting

    If you want to go this way, maybe gentoo could be considered a test suite, surely not archlinux.

    Peoples please stop praising arch for the wrong reasons.
    Namely here, arch delivers binaries and this for a quite restricted set of architectures
    Even with AUR, you ll get mainly peoples compiling for the same plateformes, with the same options, and mostly compiling apps not the kernel.

    Obviously posting as AC, with the number of arch fanboys, this will get downvoted to hell.

  6. Re:Not surprising by Anonymous Coward · · Score: 5, Interesting

    In my OS class during my UG CS degree we were writing a small OS. By the time we got to threading we were bitching about how hard it was in *nix so our prof cracked the hood on the Windows threading APIs... We collectively shut the hell up when we saw how hideous and needlessly complicated it was compared to what we were working with.

    It turns out that Linux has WAY less bugs than Windows or Mac despite being dreams and wishes...and this is with completely open code base. https://www.cvedetails.com/

    Windows is a colostomy bag of code in comparison and it you think you've found a way to improve some part Linux you should write up and submit a patch.

  7. Classic TOCTTOU by naasking · · Score: 3, Informative

    So basically, a classic, well known TOCTTOU vulnerability.

    --
    Higher Logics: where programming meets science.
  8. Haha oh man the excuses by ArchieBunker · · Score: 1, Insightful

    What happened to the "many eyes" argument? Oh yeah that died along with heartbleed and the old SSL codebase.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Haha oh man the excuses by Tablizer · · Score: 1

      Need MORE eyes.

      Good security needs both careful design and more eyes.

      --
      Table-ized A.I.
    2. Re:Haha oh man the excuses by sjames · · Score: 1

      Part of the issue for this particular bug is that few really looked at it for a simple reason: You have to have CAP_RAW_PACKET in order to exploit it, and to get that you had to be root (until recently).

  9. Re: Not surprising by Anonymous Coward · · Score: 1

    Not everyone who dislikes Linux' design is a MS-shill. Could also be Andrew S. Tanenbaum.

  10. Re:Hiding in the code for years?! by Yvan256 · · Score: 1

    Mac user: Oh yeah? Let me see...
    (open Contacts application)
    Mac user: You're right, I don't know anyone named Jack.

  11. Ho hum by JustAnotherOldGuy · · Score: 1

    "He said the bug cannot be exploited remotely."

    In other words, "yawn". If you have physical access to a machine all bets are off.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  12. Spoiler warning by fibonacci8 · · Score: 1

    From the Shakespeare AU where Othello encounters the Wierd Sisters from Macbeth?

    --
    Inheritance is the sincerest form of nepotism.
  13. Did Microsoft paid to write article in such way? by NuclearCat · · Score: 2

    This bug need CAP_NET_ADMIN privileges, which are VERY rarely enabled for typical user, because they will let you screw network configuration and sniff on traffic (which is almost equal to root privileges in our networking days)

  14. Versions affected by gustygolf · · Score: 1

    In case anyone cares, this code was first introduced in Linux 3.2.

    This is for those of us who use uname -r to check their kernel version, not the year it was checked out from the kernel repos.

    --
    "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
  15. Re:Not surprising by ebvwfbw · · Score: 1

    You have no idea what you're talking about. I started with it before it was even released in 1992. It's been very much tested and reviewed. That doesn't mean you catch everything. There are things that happen that you never anticipated. An error occurs. If you can exploit it, you might be able to do something unexpected such as take over the kernel space. If you do, tell them about it and we'll fix it. It's becoming very very hard to break out of that jail.

    This is in huge contrast to the Windows kernel. Just a patched up program loader that sucks and is full of holes. I have to manage both and I can tell you that Windows is really full of a LOT of holes. Even for things like group policies they distribute in the clear, even if it has a password in it such as for their laps product. I have to think they don't care about security. Just send a truckload of money to them.

  16. Re: Not surprising by jeremyp · · Score: 1

    He posts a successful rebuttal to your anonymous MS-shill bullshit

    The post which he allegedly rebutted doesn't say anything about Windows. So, no it was not a successful rebuttal.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  17. Re:Not surprising by SivDotnet · · Score: 1

    So where's the great assertion that open source code is being eyeballed by millions of users so that it's intrinsically better than closed source as all these viewers would spot the error and report it or fix it if this has been in the kernel for many years and as yet unfixed.

    I think in reality Open source has many users but very few are capable of reading the code and spotting the errors any more than the equivalent Windows users are, so the whole premise that Open Source code is any better than closed source code is a fallacy!

    I think open source has been lucky to date that relatively few malicious hackers have spent time poking around in the code so it was the small numbers of target systems that was keeping the vulnerabilities down not the superiority of the code. I think open source needs to get off its high horse and get some serious security specialists to go through the code and identify the weaknesses and get the code fixed. Open SSL should have been the alarm bell that triggered this.

    Siv

    --
    Martley, Near Worcester UK.
  18. Re:Not surprising by sad_ · · Score: 1

    I think in reality Open source has many users but very few are capable of reading the code and spotting the errors any more than the equivalent Windows users are, so the whole premise that Open Source code is any better than closed source code is a fallacy!

    windows has many users, but very few are capable of reading code and spotting errors, too bad they can't fix it. At least on Linux, as few knowledgable people that may be using it, they have that option.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.