Word up to Linux fan boys: Multiple Linux flaws show that Linux also has kernel issues

Summary: Not to defend Microsoft, as kernel exploits that provide privileged access are terrible flaws, but we had an interesting discussion in the talkbacks where several people acted as if Microsoft was the only place that could've made such mistakes.  Well, the proof is in the pudding that this is a common flaw across operating systems that is difficult to catch due to the complexities of kernel code.

Dann Frazier of Debian posted to Full Disclosure today about four vulnerabilities that allow local attacks against the kernel resulting in arbitrary code execution or Denial of Service conditions. (Local means you can't do it over the Internet unless you've already compromised a user account remotely in some way; the same applied to the Windows flaw I spoke of, though there were questions around what exactly local meant. It does not mean you have to sit at the box physically.) The contents of his email are posted below:

CVE Id(s): CVE-2007-6694 CVE-2008-0007 CVE-2008-1294 CVE-2008-1375

Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-6694

Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS).

CVE-2008-0007

Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code.

CVE-2008-1294

David Peer discovered that users could escape administrator imposed cpu time limitations (RLIMIT_CPU) by setting a limit of 0.

CVE-2008-1375

Alexander Viro discovered a race condition in the directory notification subsystem that allows local users to cause a Denial of Service (oops) and possibly result in an escalation of privileges.

For the stable distribution (etch), this problem has been fixed in version 2.6.18.dfsg.1-18etch3.

The unstable (sid) and testing distributions will be fixed soon.

We recommend that you upgrade your linux-2.6, fai-kernels, and user-mode-linux packages.

Some of these look to be pretty serious bugs.  The two newest do not have SecurityFocus entries yet, but as far as I'm aware there is currently no public exploit code for any of them, which is a good thing.  It's also important to note, though it should be obvious, that this doesn't just affect Debian; it's simply that the advisory came from Debian's folks today... so make sure you fix your system up, whatever *Nix flavor you like.

-Nate

Topics: Security, Linux, Microsoft, Open Source, Operating Systems, Software

Talkback

186 comments
  • The interesting things are :

    1) How quickly they'll be fixed and updates made available.
    2) The open reporting of the flaws.
    fr0thy2
    • RE: Fr0thy2

      Actually, one of them was reported way back in January (http://www.securityfocus.com/bid/27555), but yes, I do agree that they are fixed much faster and that *Nix is more forthcoming about their fixes... although Windows is doing a better job of both than they had in the past.
      nmcfeters
      • When you study the most successful Windows attacks...

        you will find that they were either socially engineered attacks or they used flaws that were patched weeks/months earlier. I'm not saying that quick patching isn't desirable, it obviously is, I'm just saying that empirically speaking, it isn't as important a metric as some try to make it out to be.
        NonZealot
        • Socially engineered botnets?

          Are you sure? LOL
          fr0thy2
          • ayep

            How do you think some of those SCR based (as in, SCR extension, which is Screen saver) viruses get on people's computers? Someone gets an email that says "Hey look at my cool new pics" and being n00blets, they click on the attachment and open it. WHALLAH, socially engineered botnet.
            ivanotter
          • Yepz

            Good example.
            nmcfeters
          • as a compgeek

            I see it all the time. And get lots of them. Primarily i see them mostly on AOL.
            ivanotter
        • That's actually a good point and pointed out here on ZDnet...

          :-)
          ItsTheBottomLine
      • Now you just gave MS a compliment foamy will have a problem with that ...nt

        :-)
        ItsTheBottomLine
    • Same tired excuse from the zealots...

      Get over it. Linux is not more secure than Windows. Never has been. Its continuing obscurity is its only advantage.
      transposeIT
      • Same selective memory from fanboyz

        http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up
        starcannon99022@...
        • I take the middle road

          Most security issues that happen nowadays are user, not always the Software. Any computer that is on the net will never be 100% secure, be it Linux, Apple, Windows, hell OS/2. There are holes SOMEWHERE in their complexity.
          ivanotter
          • This is NO news

            Only way to have a secured computer is to put it into a transport container, unplug all cables that go outside, fill it with cement and drop it in the deepest sea you can find.
            Then it is 100% secured, for a while...

            An OS is software, and it is proven impossible to make bugless code for any interesting program.

            The problem is that Microsoft for 20 or so years has ignored even basic security routines, best practice and knowledge in exchange for "usability", as if it could not be combined...

            This is the problem.

            That comes from those who have taught computer users that viruses, trojans, increasingly slower computers (register anyone), 5 year plans and blue screen of death are normal things in the computer industry.
            Jxn
        • Was it my imagination...

          Or was the flaw that compromised Windows not a VISTA flaw, but an ADOBE flaw?
          ivanotter
          • That's right

            They used an Adobe flaw to compromise the Vista machine. It's clear that patching the OS is simply not enough - the more software you run the greater the risk that you're adding more security holes in spite of all the patching and updating.
            eMJayy
          • Well, that is the method

            Microsoft zealots used to have Linux count as many flaws, or more, than MS Windows (not saying that you are one).

            So let's count the applications that you can install into the OS as OS security faults.
            Jxn
        • Which if you read my write-up...

          is actually a cross-platform exploit and probably would've been easier to exploit on the *Nix or Mac environments since you wouldn't have had to bypass DEP protections, which is what took the most time for the research team to do.

          -Nate
          nmcfeters
          • While we're speculating

            I am left wondering if what you're saying would actually work, why then wasn't the nix box taken down, there was certainly enough money on the line to make it worth the bother.

            I do not have an Ivory Tower complex. Truly my only issue with this article is it comes off as a sour grapes piece, I would really have liked to have been informed on current security issues with the most common current kernel. As it sits though, I knew as soon as I saw the headline in my ZDnet news letter that it was going to be a meaningless bash, even then it didn't occur to me that someone would use an outdated kernel. The kernel you used for your reference 2.6.18 is from 09/20/2006, the current common stable kernel 2.6.24 is from 01/24/2008.

            The last kernel I used was the 2.6.22, it is possible that there are people out there using that old kernel you referenced in your article, but it's unlikely unless they have a specific reason, and I would also, while we're conjecturing, reason that they would have run appropriate patches to keep the security maintenance up to date.

            Anyway, thanks for an article that lived up to its headline. I'll read you a few more times, but if it's going to be more sensationalizing of outdated issues, then I'll just move on.
            starcannon99022@...
          • Point taken

            To your first point, you say:
            "I am left wondering if what your saying would actually work, why then wasn't the nix box taken down, there was certainly enough money on the line to make it worth the bother."

            The reason is that a cross-platform flaw can only be used once. So, even if the author had working shell code for the Nix machine as well, he couldn't use it on both and get the same reward, so why bother putting in all the extra time? I actually interviewed the two that found this issue on the blog some time ago and they pointed out that they had had working exploit code for the Windows environment which they had finished before the show, and that was what they used. In the end, Windows surprised them as the machine went to Vista SP 1, and therefore Alex Sotirov had to come over to do some ActionScript kung-fu to help out.

            I tend to get excited and sensationalize a bit, part of being passionate about what you do.

            Honestly, at the time of writing I didn't realize the kernel was from 2006, but in any case, I had used it simply to point out these issues exist in Linux too. I will tell you though that from my experience, a lot of companies do not keep their kernels up to date... in response to one of your other posts I mentioned that I just did work for a client that had their servers at 2.4... it was a Fortune 500 company.

            Sad.

            -Nate
            nmcfeters
          • Confused about versions

            Nate,

            1) Local vulnerabilities in a kernel are extremely common. This news about the Linux kernel comes as a surprise to no one who actually knows about Linux. They happen, but they aren't that dangerous and are fixed relatively quickly. Remote exploits, however, are EXTREMELY dangerous and are very rare on Linux.

            2) You just did work for clients with servers that use the 2.4 kernel. This means nothing. The 2.4 kernel is still updated and receives security patches. The latest 2.4 version of the Linux kernel is 2.4.36.3, updated on 2008-04-19 14:41 UTC (from kernel.org), meaning that it's up-to-date.

            Even if a client is using an old version of a kernel, security fixes are often backported by the vendor, so a 2.4.20 kernel may be fully patched by e.g. RHEL.

            In truth, very few companies run unpatched kernels, especially when remote exploits become available.
            daengbo