steven36 Posted January 19, 2016

A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today.

The vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, the company added.

“It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine,” said Yevgeny Pats, cofounder and CEO of Perception Point. “With no auto update for the kernel, these versions could be vulnerable for a long time. Every Linux server needs to be patched as soon the patch is out.”

Pats said an attacker would require local access to exploit the vulnerability on a Linux server. A malicious mobile app would get the job done on an Android device (Kit-Kat and higher), he said. Pats added that exploitation of the flaw is fairly straightforward, but it’s unknown whether it’s been attacked to date.

“The fix was simple,” Pats said. “The problem is not all devices Linux get patched automatically.”

The vulnerability, CVE-2016-0728, lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications. In a report published by Perception Point, researchers said the vulnerability is a reference leak that can be abused to ultimately execute code in the Linux kernel.

“User space applications give [keyring] the option to manage the crypto keys,” Pats said. “The user doesn’t have to manage keys; the OS does it for the application. Apps use it for security reasons. When they want to apps to work with crypto, they use this feature. The feature has kernel access; the OS gives the userland app the ability to use this feature. The problem is that the code runs in the kernel.”

Pats said that SMEP (Supervisor Mode Execution Protection) and SMAP (Supervisor Mode Access Protection) make exploitation difficult on Linux servers, while SELinux does the same for Android devices. SMEP and SMAP are relatively new features that prevent the kernel from accessing and executing code from userland.

The flaw may linger a little longer on Android devices, since most updates are not pushed automatically by carriers and manufacturers. Android is built upon the Linux kernel, but customized without many of the libraries that accompany standard Linux builds.

Perception Point published a technical analysis of the vulnerability and how to exploit it, including proof-of-concept code published to its GitHub page.

steven36 Posted January 19, 2016

Quote

Zero-Day Flaw Found in 'Linux Kernel' leaves Millions Vulnerable

A new critical zero-day vulnerability has been discovered in the Linux kernel that could allow attackers to gain root level privileges by running a malicious Android or Linux application on an affected device.

The critical Linux kernel flaw (CVE-2016-0728) has been identified by a group of researchers at a startup named Perception Point.

The vulnerability was present in the code since 2012, and affects any operating system with Linux kernel 3.8 and higher, so there are probably tens of millions of computers, both 32-bit and 64-bit, exposed to this flaw.

However, the most bothersome part is that the problem affects Android versions KitKat and higher, which means about 66 percent of all Android devices are also exposed to the serious Linux kernel flaw.

Impact of the Zero-Day Vulnerability

An attacker would only require local access to exploit the flaw on a Linux server. If successfully exploited, the vulnerability can allow attackers to get root access to the operating system, enabling them to delete files, view private information, and install malicious apps.

"It's pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine," Yevgeny Pats, co-founder and CEO at security vendor Perception Point, said in a blog post published today.

"With no auto update for the kernel, these versions could be vulnerable for a long time. Every Linux server needs to be patched as soon the patch is out."

Usually, flaws in the Linux kernel are patched as soon as they are found; therefore, Linux-based operating systems are considered to be more secure than others. However, the zero-day vulnerability recently discovered in the Linux kernel made its way for almost 3 years.

The Cause of the Critical Linux Kernel Vulnerability

The vulnerability is actually the result of a Reference Leak in the keyrings facility built into various flavors of Linux. The keyrings facility is primarily a way to encrypt and store login data, encryption keys and certificates, and then make them available to applications.

However, a reference leak could be abused by attackers to ultimately execute arbitrary code in the Linux kernel.

So far, the researchers said, no exploits have been discovered in the wild that take advantage of this vulnerability.

Perception Point has provided a technical analysis of the vulnerability and how one can exploit it, including proof-of-concept (PoC) exploit code published on its GitHub page.

Patch Expected to Roll Out Soon

The good news is that Perception Point has already reported the flaw to the Linux team, and patches are expected to roll out today to devices with automatic updates.

However, it may take a little longer on Android devices to receive the patch, given the fact that most updates aren’t pushed automatically by manufacturers and carriers.

http://thehackernews.com/2016/01/linux-kernel-hacker.html

vibranium Posted January 19, 2016

This is a glorious hole for hackers to walk through. Unpatched Android devices will be very vulnerable. For reasons like this I never do any money transactions on my Android device.

steven36 Posted January 19, 2016

Just now, vibranium said:
This is a glorious hole for hackers to walk through. Unpatched Android devices will be very vulnerable. For reasons like this I never do any money transactions on my Android device.

Already been patched on my 2 Linux distros