Debian, a project made up of volunteers, has issued a patch for this flaw, and a few others, in a release detailed here. Big Linux companies like Red Hat and SUSE are yet to issue fixes.
Both Linux machines and Android devices could in theory be affected by the bug, which was disclosed by a team of researchers from the Israeli company Perception Point.
The bug affects all versions of the kernel from 3.8 onwards. It allows a local user to escalate privileges to root and is due to a flaw in the keyring facility, which encrypts and retains information, encryption keys and certificates in the kernel and provides them to applications.
All platforms, including ARM, are vulnerable, and this differentiates the flaw from many others, which only affect the x86 and AMD platforms. It means all Android devices with 3.8 kernels and above are affected and can be exploited by means of a malicious mobile app.
"Systems immune to the problem include those with kernels prior to 3.8, those whose kernels omit the keyring feature's code, and those protected by any of several hardening techniques (SELinux, SMEP, grsecurity/PaX, and SMAP)," he added.
Moen pointed out that SMEP (Supervisor Mode Execution Protection) and SMAP (Supervisor Mode Access Prevention) were hardware features built into many recent CPUs, so their protection was automatic.
"It's useful to ask what real-world needs are met by this kernel feature, initially introduced, in some form, around kernel version 2.6.20," Moen said. "Not many needs, actually. In kernel source code configuration this is called the CONFIG_KEYS option and is described thus: 'This option provides support for retaining authentication tokens and access keys in the kernel'."
He said it seemed to be a feature intended to be used by certain network filesystems (OpenAFS, NFSv4) and encryption support code (MIT Kerberos, eCryptfs, the kernel's Extended Verification Module for checking file attributes for tampering), adding: "However, I'm pretty sure it's optional even for many of those usages."
Said Moen: "So, this is a quite serious bug for people who have unhardened 3.8 or later kernels compiled to be extremely featureful - not as serious as a remote exploit, but still serious. In theory, any 3.8 kernel compiled with 'CONFIG_KEYS=y' is vulnerable unless compiled with one of the hardening methods, but I notice that people are reporting that many such kernels fail to run the exploit code anyway, as you'll see here.
"As a point of interest, those of us who compile our own kernels deliberately omit many features – for speed, size, and security. The general rule is if you're not sure you need it, try leaving it out. Code not present cannot be attacked."
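An added read-only audit script, not from the article or from Moen, that applies the exposure criteria he lists above to a machine: kernel 3.8 or later, CONFIG_KEYS compiled in, and whether the CPU advertises SMEP/SMAP. It assumes the kernel config lives at /boot/config-<release> (a Debian/Ubuntu convention) and does not check SELinux or grsecurity/PaX.

```shell
#!/bin/sh
# Added example: read-only exposure check built from the criteria Moen lists
# (kernel 3.8+, CONFIG_KEYS compiled in, SMEP/SMAP as CPU mitigations).
# It does not test SELinux or grsecurity/PaX, and it assumes the distro keeps
# the running kernel's config at /boot/config-<release> (an assumption).

# Return 0 when release string $1 (e.g. "4.4.0-21-generic") is kernel 3.8 or newer.
kernel_at_least_3_8() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "${major:-0}" -gt 3 ] || { [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -ge 8 ]; }
}

# Return 0 when the kernel config text on stdin has the keyring code compiled in.
config_keys_enabled() {
    grep -q '^CONFIG_KEYS=y$'
}

# Return 0 when /proc/cpuinfo text on stdin advertises CPU flag $1 (smep or smap).
cpu_has_flag() {
    grep '^flags' | head -n 1 | tr ' ' '\n' | grep -qx "$1"
}

# Print a one-line verdict for kernel release $1, config file $2, cpuinfo file $3.
assess() {
    release=$1 config=$2 cpuinfo=$3
    if ! kernel_at_least_3_8 "$release"; then
        echo "not affected: kernel $release predates 3.8"
    elif [ ! -r "$config" ]; then
        echo "unknown: kernel config $config not readable"
    elif ! config_keys_enabled < "$config"; then
        echo "not affected: CONFIG_KEYS not enabled"
    elif [ -r "$cpuinfo" ] && { cpu_has_flag smep < "$cpuinfo" || cpu_has_flag smap < "$cpuinfo"; }; then
        echo "exposed but hardware-mitigated: CPU advertises SMEP/SMAP"
    else
        echo "exposed: CONFIG_KEYS=y on kernel $release with no SMEP/SMAP"
    fi
}

# Live check of the machine this runs on (reads files only, changes nothing).
release=$(uname -r 2>/dev/null || echo unknown)
assess "$release" "/boot/config-$release" /proc/cpuinfo
```

A verdict of "exposed" means the kernel matches Moen's description and a vendor fix should be applied; "hardware-mitigated" still calls for the patch, since SMEP/SMAP only raise the bar.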
Russell Coker, a senior Debian developer and contributor to the SELinux kernel hardening project, said the advisory noted that 66% of Android devices were vulnerable, which was about what one would expect from any bug that affects recent kernels.
"Most Android devices have a very small support lifetime, some only receive a single update to the Android OS before they are abandoned by the manufacturer. So maybe half the Android devices in the field will never be patched to close this vulnerability.
"I expect that most users won't discard perfectly functional Android devices due to being insecure and will keep using them – including for internet banking etc. On the upside I expect that soon there will be a slew of packages that exploit this bug to root Android devices. It's a pity that the bug involves just system call access, not access to /proc or something else that can be locked by a process running as root, so it's probably impossible to close this without changing the kernel."
Russell said the lack of patches to Android devices was a serious issue for the Android ecosystem. "If you run an Android device that is not either very new or a Nexus, then you probably shouldn't do both Internet banking and play random games."
He added: "For servers the most obvious issue of local exploits is cracking servers that offer shell access. Some years ago the Debian project suffered a breach after one developer's workstation was cracked, the attacker connected to a Debian server from the workstation in question, cracked the server with a local root exploit, and then continued (see the above URL for details). There aren't as many servers offering shell access as there used to be but the servers that do tend to be important.
"The next issue for servers is that it's usually a lot easier to get non-root access than it is to get root access. An attacker who wants to compromise an ISP could start by trying to get one of their web servers to execute hostile code; if they can do that, then they could run a local root exploit like this one and start doing some serious damage.
"Android devices usually can't easily have kernel bugs fixed because the kernel is signed. Servers often can't easily have kernel bugs fixed because the owners don't want to have downtime. For comparison, if a bug was discovered in a common daemon such as Apache it would be much easier to replace the daemon with little downtime or change the configuration to mitigate the problem."