Highly exploitable Linux kernel bug found, patched

Summary: The vulnerability, a patch for which has already been made available, affects most versions of the Linux kernel since 2001

A hole has been found in Linux kernel versions stretching back eight years that is 'as trivial as it can get to exploit', according to the Google employees who discovered it.

Julien Tinnes and Tavis Ormandy, the security researchers who discovered the vulnerability, have already issued a patch for the flaw. According to a blog post written by Tinnes on Thursday, the hole "affects all 2.4 and 2.6 kernels since 2001 on all architectures", and is "the public vulnerability affecting the greatest number of kernel versions".

While the kernel hole allows only local privilege escalation, the vulnerability is widespread, said the researchers.

"The issue lies in how Linux deals with unavailable operations for some protocols. sock_sendpage and others don't check for Null pointers before dereferencing operations in the ops structure," Tinnes wrote. "Instead the kernel relies on correct initialisation of those proto_ops structures with stubs (such as sock_no_sendpage) instead of Null pointers."

Tinnes said that, as the vulnerability leads to the kernel executing code at Null, it is "as trivial as it can get to exploit".

"An attacker can just put code in the first page that will get executed with kernel privileges," Tinnes wrote.
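The pattern Tinnes describes, a dispatch table of function pointers that is only safe when every slot has been filled with a stub, can be modelled in user space. The following is an added example written for this article, not kernel code: the names `proto_ops`, `sendpage` and `sock_no_sendpage` mirror the kernel's, but the protocol table, its three entries and the `audit_missing_stubs` routine are constructed here to show what a missing stub looks like, how an unchecked dispatcher trusts it, and what the defensive alternatives (a NULL check at the call site, or a stub in every slot) look like.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not kernel code): a miniature model of the proto_ops
 * dispatch pattern described in the article. The protocol table and its
 * entries are constructed for this demonstration. */

#define ENOSYS_LOCAL 38   /* stand-in for ENOSYS; value matches Linux */

typedef int (*sendpage_fn)(const char *buf, size_t len);

struct proto_ops {
    const char *name;
    sendpage_fn sendpage;   /* NULL means "never filled in": the bug pattern */
};

/* Stub the kernel installs for protocols without sendpage support: the
 * operation is reported as unsupported instead of leaving a NULL pointer. */
static int sock_no_sendpage(const char *buf, size_t len)
{
    (void)buf; (void)len;
    return -ENOSYS_LOCAL;
}

/* A protocol that really implements sendpage (toy: returns bytes "sent"). */
static int demo_sendpage(const char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

/* Constructed protocol table: two entries initialised correctly, one left NULL. */
static struct proto_ops proto_table[] = {
    { "demo_stream", demo_sendpage    },
    { "demo_dgram",  sock_no_sendpage },
    { "demo_broken", NULL             },   /* the missing-stub defect */
};
#define NPROTO (sizeof proto_table / sizeof proto_table[0])

/* Dispatch as the article describes it: trusts that every entry was
 * initialised and dereferences without checking. Calling this on
 * demo_broken would jump through a NULL function pointer. */
int sock_sendpage_unchecked(const struct proto_ops *ops, const char *buf, size_t len)
{
    return ops->sendpage(buf, len);
}

/* Defensive dispatch: a NULL operation is treated exactly like the stub. */
int sock_sendpage_checked(const struct proto_ops *ops, const char *buf, size_t len)
{
    if (ops == NULL || ops->sendpage == NULL)
        return -ENOSYS_LOCAL;
    return ops->sendpage(buf, len);
}

/* Audit pass a maintainer would run over the table: count entries whose
 * sendpage slot was never set and report the first offending name. */
int audit_missing_stubs(const struct proto_ops *table, size_t n, const char **first_bad)
{
    int missing = 0;
    if (first_bad) *first_bad = NULL;
    for (size_t i = 0; i < n; i++) {
        if (table[i].sendpage == NULL) {
            if (missing == 0 && first_bad) *first_bad = table[i].name;
            missing++;
        }
    }
    return missing;
}

const struct proto_ops *lookup_proto(const char *name)
{
    for (size_t i = 0; i < NPROTO; i++)
        if (strcmp(proto_table[i].name, name) == 0)
            return &proto_table[i];
    return NULL;
}

int main(void)
{
    const char *bad = NULL;
    int missing = audit_missing_stubs(proto_table, NPROTO, &bad);
    printf("entries missing a sendpage stub: %d (first: %s)\n",
           missing, bad ? bad : "none");
    printf("checked dispatch on demo_broken -> %d\n",
           sock_sendpage_checked(lookup_proto("demo_broken"), "x", 1));
    printf("checked dispatch on demo_stream -> %d\n",
           sock_sendpage_checked(lookup_proto("demo_stream"), "abc", 3));
    return missing ? 1 : 0;   /* non-zero: table has an uninitialised slot */
}
```

The audit is the defender's view of the bug: the kernel fix and the `sock_no_sendpage` stub are two sides of the same rule, that a function-pointer table must never contain NULL once it is reachable. `sock_sendpage_unchecked` is kept only to show the unchecked call shape; the program never invokes it on the broken entry.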

In an advisory published on Neohapsis on Thursday, Ormandy wrote that an attacker could exploit the vulnerability by creating a mapping at address zero containing code to be executed with the privileges of the kernel, then triggering a vulnerable operation.

The Red Hat team issued an official mitigation recommendation on Friday, in which they called for the affected protocols to be blacklisted in order to stop Tinnes and Ormandy's publicly circulated exploit from working properly on Red Hat Enterprise Linux.

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.
