X
Tech

Highly exploitable Linux kernel bug found, patched

The vulnerability, a patch for which has already been made available, affects most versions of the Linux kernel since 2001
Written by David Meyer, Contributor

A hole has been found in Linux kernel versions stretching back eight years that is 'as trivial as it can get to exploit', according to the Google employees who discovered it.

Julien Tinnes and Tavis Ormandy, the security researchers who discovered the vulnerability, have already issued a patch for the flaw. According to a blog post written by Tinnes on Thursday, the hole "affects all 2.4 and 2.6 kernels since 2001 on all architectures", and is "the public vulnerability affecting the greatest number of kernel versions".

While the kernel hole allows only local privelege escalation, the vulnerability is widespread, said the researchers.

"The issue lies in how Linux deals with unavailable operations for some protocols. sock_sendpage and others don't check for Null pointers before dereferencing operations in the ops structure," Tinnes wrote. "Instead the kernel relies on correct initialisation of those proto_ops structures with stubs (such as sock_no_sendpage) instead of Null pointers."

Tinnes said that, as the vulnerability leads to the kernel executing code at Null, it is "as trivial as it can get to exploit".

"An attacker can just put code in the first page that will get executed with kernel privileges," Tinnes wrote.

In an advisory published on Neohapsis on Thursday, Ormandy wrote that an attacker could exploit the vulnerability by creating a mapping at address zero containing code to be executed with privileges of the kernel, thus triggering a vulnerable operation.

The Red Hat team issued an official mitigation recommendation on Friday, in which they called for the affected protocols to be blacklisted in order to stop Tinnes and Ormandy's publicly circulated exploit from working properly on Red Hat Enterprise Linux.

Editorial standards