Linux Kernel Bug Making Rounds

Monday, May 20, 2013 @ 06:05 PM gHale


An exploit released that proves that normal, logged-in users can gain root access to the Linux kernel via an incorrectly fixed declared pointer.

It all started back in April, when Linux kernel developers fixed an incorrectly declared pointer in the Linux kernel. The problem is, in their rush to fix the issue, they apparently overlooked the potential security implications of the bug, since fact it is possible to gain access to almost any memory area using a suitable event_id.

RELATED STORIES
Stealthy Server Malware Spreading
Multistage Attack Proves Fruitful
Apache Backdoor Leads to Blackhole
Firewall Hole Found, Patched

After realizing the problem, the developers declared the bug as an official security hole (CVE-2013-2094) after the exploit released that proves that normal, logged-in users can gain root access this way.

The bug affects any kernel version between 2.6.37 and 3.8.9 compiled using the PERF_EVENTS option; apparently, this is the case with many distributions. Which exact distributions suffer from the issue will soon become clear when the relevant security updates release. Linux security expert Brad Spengler released a detailed exploit analysis.

Meanwhile, the Ubuntu Security Team closed the vulnerability with updates to Ubuntu 13.04, 12.10, 12.04 LTS and in the Hardware Enablement Kernel for Ubuntu 12.04 LTS based on the Ubuntu 12.10 kernel. The developers caution users that due to ABI changes in the kernel update, all third party modules installed with these kernels have to undergo recompiling and reinstallation. Users who use the linux-restricted-modules package will have to update this package as well, which will happen automatically on systems that include the standard kernel meta packages.

Red Hat said Red Hat Enterprise Linux (RHEL) 4 and 5 do not suffer from the problem. RHEL 6 and Red Hat Enterprise MRG 2, however, do and until the company releases updates that fix the issue, Red Hat recommends mitigating the security risks and gives instructions how to do so on a page on its customer portal web site.

The Debian developers are also working to fix the problem. At the time of writing, Debian stable (Wheezy) and testing (Jessie) are both vulnerable to the exploit, Debian unstable (Sid) is not vulnerable. The fixed kernel package is available in the security update repository for Wheezy, however, and should have an update in the main distribution repository soon.



Leave a Reply

You must be logged in to post a comment.