This Linux/Android bug sure sounded bad.
The National Institute of Standards and Technology (NIST) and Symantec announced a LinuxKernel ipv4/udp.c bug that made the LinuxKernel 4.4 and earlier vulnerable to remote code-execution. In turn, an attacker could exploit this issue to execute arbitrary code. Worse still, even failed exploits might cause denial-of-service attacks.
There's only one problem with this analysis and the resulting uproar: It's wrong.
Yes, the bug existed. NIST described it as a "critical" bug, and its description makes it sound like it can open Linux and Android-powered devices to attacks via UDP network traffic. The important phrase is "sound like."
To be effective, the attack required the vulnerable machine to be running software receiving data using the system call recv() and MSG_PEEK. Then, and only in this particular combination of circumstances, could a hacker attempt to trigger another operation, a second checksum function, that might lead to a root-level attack.
However, Google's Linux expert Eric Dumazet discovered and fixed this bug on January 2016. Can you say old news? I knew you could.
In addition, while several sources claim older Linux kernels are vulnerable to the bug, Dumazet wrote that: "Whoever said that Linux < 4.5 was vulnerable made a mistake." Linux 4.5 was released in March 2016, after the bug was fixed. Therefore, there's a handful of Linux distributions that might be vulnerable to an attack using the network protocol.
Or, as Dumazet explained to make it painfully clear: "Only old versions that had the backport of 89c22d8c3b27 ("net: Fix skb csum races when peeking") needs the backport of 197c949e7798fbf28cfadc6. So either revert 89c22d8c3b27 backport, or backport my 197c949e7798fbf28cf. Or, do nothing at all if your kernel never had the problematic backport."
Besides that, very few programs ever use MSG_PEEK. These include the Nginx web server, wget, and, ironically, the Mirai botnet. Cases where the bug both exists and can be exploited are vanishingly small.
As Alan Cox, senior Linux kernel developer and one of udp.c's programmers, remarked: "Not sure it's as exploitable as claimed." Linux security researcher Dan Rosenberg tweeted: "I have reviewed the relevant code and I mostly understand it, but I'm missing the security ramifications." And, Hagen Paul Pfeifer, a senior development expert for Network Protocol Software, put it more bluntly, "Fake news, fake bugs."
The bug also exists in Android and it was only fixed in Google April 2017's patch release. That said, I know of no major Android applications that use MSG_PEEK. It is, as mentioned on Ycomb, a very rarely used routine on any platform.
Last, but not least, it's common firewall practice to block UDP traffic.
This security hole appears to be much ado about nothing. It sounds bad, but the closer you look at it, the harder it is to find even an edge case where it might be exploited.
That said, you should always patch your systems and keep your eyes open for vulnerability news. Just because this udp.c bug turned out to be a soggy firework, doesn't mean that the next one won't explode on you.
- Old Linux kernel security bug bites
- Linus Torvalds on SHA-1 and Git: 'The sky isn't falling'
- Three serious Linux kernel security holes patched