steven36 Posted January 21, 2016

This flaw isn't nearly as bad as first reported, but Linux administrators still need to fix it.

Israeli security firm Perception Point disclosed a Linux and Android security vulnerability. The company described it as a zero-day "local privilege escalation vulnerability in the Linux kernel." Which, it was, but that's not the full story. What Perception Point didn't say was that after finding the hole, their discovery, CVE-2016-0728, had been sent upstream to be fixed by the Linux kernel developers. The only reason this was a "zero-day" was because Perception Point itself released an exploit once the patch was already well on its way.

Why would they do that? One ticked-off Linux security developer said, "it's all about selling their companies nobody has ever heard of for as much as possible. This way they get headlines and we get security headaches." This, according to another programmer working on mediating the problem, is far from unique. "Security companies are always making a big deal of little problems for their own benefit."

In this case, this security hole could exploit Linux's keyrings facility. Keyrings are used to cache security data, authentication keys, and encryption keys. The breach attacks this functionality by duplicating a keyring object name from userspace. By itself, that's not too bad. The trouble comes when the field used to store the object name's reference count overflows. There are no checks to keep this integer value from wrapping around to zero. Once that's done, an attacker can overwrite its memory and you're on your way to a privilege escalation exploit.

In short, yes, an ordinary user can gain superuser privileges. That's bad, but it's not half as bad as it sounds. First, you need a user account to even start. At a minimum, an attacker would need to have a login and shell account on the target system.
Joe Hacker simply trying to break into your system from outside can't do it. In addition, for once this problem doesn't impact older systems. Only Linux distributions using the Linux kernel 3.10 or higher can be attacked. Linux 3.10 was released in August 2013. Specifically, the following distributions are theoretically vulnerable:

CentOS Linux 7
Debian Linux stable 8.x (jessie)
Debian Linux testing 9.x (stretch)
Fedora 21 and newer
Scientific Linux 7
openSUSE Linux LEAP 42.x and version 13.x
Oracle Linux 7
Red Hat Enterprise Linux (RHEL) 7
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Server (SLES) 12
Ubuntu Linux 14.04 LTS (Trusty Tahr)
Ubuntu Linux 15.04 (Vivid Vervet)
Ubuntu Linux 15.10 (Wily Werewolf)

Even on these systems, the published exploit doesn't work. I've tried it myself on a Fedora 23 system with 8GB of RAM. It eventually locked up the PC when it ran out of free memory. Others report finding this attack failed because of memory exhaustion.

While this could be used to attack Android devices running Android 4.4 or newer, it's a meaningless attack. First you'd need to have the device in hand. Next, you'd need more memory than I've ever seen on an Android gadget. Last but far from least, even Perception Point admits that "the full exploit takes about 30 minutes to run on Intel Core i7-5500 CPU." It would take over a day to run on an Android device. In short, there are a lot of easier ways to root an Android smartphone or tablet.

In addition, many, if not most, Linux kernels have Supervisor Mode Execution Protection (SMEP) and/or Supervisor Mode Access Prevention (SMAP) enabled. While both SMEP and SMAP security measures can be overcome, they add another layer of complexity to successfully exploiting the hole.

Still, the problem does need fixing. The patch is already available as source code. Most Linux distributions have already made the patch available. The one exception is Red Hat. As of January 20, Red Hat has not issued a patch.
It is expected to be out momentarily.

One fix which will not work is to use the command:

# echo 1 > /proc/sys/kernel/keys/maxkeys

This only applies to user-created keys, not root-created keys. Thus, this is not a real workaround. Instead, depending on your distribution, you should run the following commands from the shell:

Debian/Mint/Ubuntu
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
$ sudo reboot

Fedora/CentOS/RHEL (when released)
$ sudo yum update
$ reboot

openSUSE or SLES, as the root user:
# zypper patch
# reboot

While you should do this as soon as possible, don't sweat it too much. This is one exploit where there's been much ado about almost nothing.

Source
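The reference-count wrap the post describes, shown as a toy model in C. This is an added illustration and not the kernel's keyring code or anything from the original post: the struct, the helper names and the starting counter value are all constructed for the example. The unchecked path lets a 32-bit counter roll over to zero, so a later legitimate release frees the object while other references still point at it (the dangling-pointer state behind a use-after-free); the checked path refuses an increment that would wrap, which is the same idea as the saturating refcount_t type later kernels adopted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a reference-counted object. It is NOT the Linux kernel's
 * keyring code; the struct, field names and helpers are invented for this
 * example so the wraparound behaviour can be exercised in isolation.
 */
struct refobj {
    uint32_t usage;   /* 32-bit reference count, same width as the kernel's atomic_t */
    bool freed;       /* set once the object has been released */
};

/* Unchecked get: models the pre-fix behaviour, the counter silently wraps. */
static void refobj_get_unchecked(struct refobj *o)
{
    o->usage++;
}

/* Checked get: refuse to take a reference that would wrap the counter. */
static int refobj_get_checked(struct refobj *o)
{
    if (o->usage == UINT32_MAX)
        return -1;    /* caller must treat this like -EOVERFLOW and back off */
    o->usage++;
    return 0;
}

/* Drop a reference; the object is released when the count reaches zero. */
static void refobj_put(struct refobj *o)
{
    if (o->freed)
        return;       /* already released: a real put here would be a double free */
    if (--o->usage == 0)
        o->freed = true;
}

/*
 * Constructed scenario: the counter already sits one below its maximum
 * (i.e. ~4 billion live references). Taking two more references through the
 * unchecked path wraps it to zero, one further get makes it 1, and then a
 * single legitimate holder dropping its reference releases the object while
 * everyone else still points at it. Returns true when that happens.
 */
static bool unchecked_wrap_frees_live_object(void)
{
    struct refobj o = { .usage = UINT32_MAX - 1, .freed = false };
    refobj_get_unchecked(&o);   /* UINT32_MAX */
    refobj_get_unchecked(&o);   /* wraps to 0: the count now lies about live references */
    refobj_get_unchecked(&o);   /* 1 */
    refobj_put(&o);             /* 0 -> released, although billions of references remain */
    return o.freed;
}

/*
 * Same starting point, checked path: the first get succeeds, the next two are
 * refused, and the put leaves a live object with an accurate count.
 */
static bool checked_get_keeps_object_alive(void)
{
    struct refobj o = { .usage = UINT32_MAX - 1, .freed = false };
    int rc1 = refobj_get_checked(&o);   /* 0, count is now UINT32_MAX */
    int rc2 = refobj_get_checked(&o);   /* -1, refused */
    int rc3 = refobj_get_checked(&o);   /* -1, refused */
    refobj_put(&o);                     /* back to UINT32_MAX - 1, still alive */
    return rc1 == 0 && rc2 == -1 && rc3 == -1 && !o.freed && o.usage == UINT32_MAX - 1;
}

int main(void)
{
    printf("unchecked counter wrapped and freed a live object: %s\n",
           unchecked_wrap_frees_live_object() ? "yes" : "no");
    printf("checked counter kept the object alive: %s\n",
           checked_get_keeps_object_alive() ? "yes" : "no");
    return 0;
}
```

The starting value is set just below the limit only so the wrap can be reached in three calls; in the real bug the same state is reached by leaking one reference per operation, many times over, which is also why the post reports the published exploit exhausting memory long before it gets there.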
steven36 Posted January 21, 2016 (Author)

Quote:

Google creates fix for zero-day kernel flaw, says effect on Android is greatly exaggerated

After being caught off guard by the disclosure of a serious flaw in the Linux kernel this week, Google has quickly developed a patch for Android and shared it with device manufacturers. It might take weeks for device makers to start releasing firmware updates that include the fix, but that's not a huge problem since, according to Google's assessment, the flaw doesn't affect many Android devices to begin with.

The privilege escalation vulnerability allows attackers to gain full control over Linux-based systems if they have access to a limited account or trick users into running a malicious application. It was found by researchers from Israeli threat defense start-up Perception Point.

The researchers notified the Linux kernel maintainers and Red Hat in advance of publicly disclosing the issue Tuesday. However, they did not contact the Android security team, despite claiming that around 66 percent of Android devices are potentially vulnerable. Their estimation was based on the fact that the flaw affects all Linux kernel versions from 3.8 forward, and that such vulnerable kernels are used in Android starting with version 4.4 (KitKat).

However, in the Android world a device's kernel version depends more on the manufacturer's choice than on the version of Android installed on it. Manufacturers don't necessarily update the kernel when creating firmware based on newer Android versions, especially for older devices.

Adrian Ludwig, Android's lead security engineer, puts the number of affected devices much lower than Perception Point. "Many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions [are] not common on older Android devices," he said in a blog post.
Furthermore, according to Ludwig, devices that run Android 5.0 (Lollipop) and newer are protected even if they do use vulnerable kernels, because those Android versions have the Security-Enhanced Linux (SELinux) kernel module. The Android SELinux policy in these versions prevents third-party applications from reaching the affected code, he said, adding that none of Google's Nexus devices are affected either.

This appears to contradict both the Perception Point researchers, who said that there are possible ways to bypass SELinux, and Red Hat, which said in its own advisory that SELinux does not mitigate this issue.

Ludwig said that the fix created by Google for this flaw "will be required on all devices with a security patch level of March 1 2016 or greater." However, this doesn't force manufacturers to integrate it until March 1 or even at all on older devices. They just won't be able to advertise a March 1 patch level on those devices.

The patch level is essentially a date string displayed in Android's settings under "About phone" which indicates that the firmware contains all Android security patches up to that date. It only exists in newer versions of Android.

http://www.cio.co.nz/article/592581/google-creates-fix-zero-day-kernel-flaw-says-effect-android-greatly-exaggerated/