Wednesday, 20 January 2016 16:07

Debian issues patch for widespread Linux flaw Featured

By

Only one major GNU/Linux distribution — Debian — has so far issued a patch to fix a bug in the kernel dating back to late 2012 which has been widely reported with a measure of hype.

Debian, a project made up of volunteers, has issued a patch for this flaw, and a few others, in a release detailed here. Big Linux companies like Red Hat and SUSE are yet to issue fixes.

Both Linux machines and Android devices could be theoretically affected by the bug which was disclosed by a team of researchers from the Israeli company, Perception Point.

The bug affects all versions of the kernel from 3.8 onwards. It allows for escalating local privileges to root status and is due to a flaw in the keyring facility which encrypts and retains information, encryption keys and certificates and provides them to applications.

All platforms, including ARM, are vulnerable and this differentiates the flaw from many others which only affect the x86 and AMD platforms. It means all Android devices with 3.8 kernels and above are affected and can be exploited by means of a malicious mobile app.

Veteran Linux sysadmin Rick Moen said the bug allowed a hostile local process on any Linux kernel 3.8 or later (that includes a cryptographic "keyring" feature as furnished in 3.8 and later) to escalate privilege to root authority, by taking advantage of a coding error in the handling of the keyring.

"Systems immune to the problem include those with kernels prior to 3.8, those whose kernels omit the keyring feature's code, and those protected by any of several hardening techniques (SELinux, SMEP, grsecurity/PaX, and SMAP)," he added.

Moen pointed out that SMEP (Supervisor Mode Execution Protection) and SMAP (Supervisor Mode Access Prevention) were hardware features built into many recent CPUs, so their protection was automatic.

"It's useful to ask what real-world needs are met by this kernel feature, initially introduced, in some form, around kernel version 2.6.20.," Moen said. "Not many needs, actually. In kernel source code configuration this is called the CONFIG_KEYS option and, described thus: 'This option provides support for retaining authentication tokens and access keys in the kernel'."

He said it seemed to be a feature intended to be used by certain network filesystems (OpenAFS, NFSv4) and encryption support code (MIT Kerberos, eCryptfs, the kernel's Extended Verification Module for checking file attributes for tampering), adding: "However, I'm pretty sure it's optional even for many of those usages."

Said Moen: "So, this is a quite serious bug for people who have unhardened 3.8 or later kernels compiled to be extremely featureful - not as serious as a remote exploit, but still serious. In theory, any 3.8 kernel compiled with 'CONFIG_KEYS=y' is vulnerable unless compiled with one of the hardening methods, but I notice that people are reporting that many such kernels fail to run the exploit code anyway, as you'll see here.

"As a point of interest, those of us who compile our own kernels deliberately omit many features  for speed, size, and security. The general rule is if you're not sure you need it, try leaving it out. Code not present cannot be attacked."

Russell Coker, a senior Debian developer and contributor to the SE-Linux kernel hardening project, said the advisory noted that 66% of Android devices were vulnerable, which was about what one would expect from any bug that affects recent kernels.

"Most Android devices have a very small support lifetime, some only receive a single update to the Android OS before they are abandoned by the manufacturer. So maybe  half the Android devices in the field will never be patched to close this vulnerability.

"I expect that most users won't discard perfectly functional Android devices due to being insecure and will keep using them – including for internet banking etc. On the upside I expect that soon there will be a slew of packages that exploit this bug to root Android devices. It's a pity that the bug involves just system call access not access to /proc or something else that can be locked by a process running as root so it's probably impossible to close this without changing the kernel."

Russell said the lack of patches to Android devices was a serious issue for the Android ecosystem. "If you run an Android device that is not either very new or a Nexus, then you probably shouldn't do both Internet banking and play random games."

He added: "For servers the most obvious issue of local exploits is cracking servers that offer shell access. Some years ago the Debian project suffered a breach after one developer's workstation was cracked, the attacker connected to a Debian server from the workstation in question, cracked the server with a local root exploit, and then continued (see the above URL for details). There aren't as many servers offering shell access as there used to be but the servers that do tend to be important.

"The next issue for servers is that it's usually a lot easier to get non-root access than it is to get root access. An attacker who wants to compromise an ISP could start by trying to get one of their web servers to execute hostile code, if they can do that then they could run a local root exploit like this one and start doing some serious damage.

"Android devices usually can't easily have kernel bugs fixed because the kernel is signed. Servers often can't easily have kernel bugs fixed because the owners don't want to have downtime. For comparison if a bug was discovered in a common daemon such as Apache it would be much easier to replace the daemon with little downtime or change the configuration to mitigate the problem."

NEW OFFER - ITWIRE LAUNCHES PROMOTIONAL NEWS & CONTENT

Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.

POST YOUR NEWS ON ITWIRE NOW!

MITIGATE FRAUD WITH HYLAND’S DIGITAL CREDENTIALING SOLUTION

Some of the most important records are paper-based documents that are slow to issue, easy to fake and expensive to verify.

Digital licenses and certificates, identity documents and private citizen immunity passports can help you deliver security and mobility for citizens’ information.

Join our webinar: Thursday 4th June 12 midday East Australian time

JOIN WEBINAR!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & WEBINARS

REVIEWS

Recent Comments