11-Year-Old Vulnerability Undergoing Fix

Friday, February 24, 2017 @ 03:02 PM gHale


A serious locally exploitable vulnerability in the Linux kernel that is 11 years old is now in the process of getting fixed, a researcher said.

The 11-year-old flaw ended up addressed in the kernel and Linux distributions are working on releasing patches.

RELATED STORIES
Industrial Malware Focuses on Linux
ICS Lookout: New Ransomware in Town
Russians Compromise U.S.: Report
Securing Against Disguised Data

The weakness is a double-free vulnerability tracked as CVE-2017-6074.

The issue ended up discovered by Google software engineering intern Andrey Konovalov using syzkaller, an open source Linux fuzzer developed by the tech giant.

The Datagram Congestion Control Protocol (DCCP) implementation for Linux suffered from the issue since the release of version 2.6.14 in October 2005.

The vulnerability allows an unprivileged process to execute arbitrary code within the kernel, Konovalov said. Affected Linux distributions said the flaw can end up exploited for privilege escalation or denial-of-service (DoS) attacks.

The vulnerability ended up reported to Linux kernel developers on February 15 and a fix released within two days. Linux distributions learned about the flaw on February 18 and they are working on patches.

Fixes already released for Ubuntu, and Red Hat mitigated the vulnerability using recent versions of SELinux.



Leave a Reply

You must be logged in to post a comment.