Linux kernel exploit gets patched

Summary: A fix has been developed for a vulnerability in the Linux kernel that potentially leaves machines open to a privilege escalation exploit.

TOPICS: Linux, Security
A fix has been developed for a vulnerability in the Linux kernel that was made public at the weekend.

The software flaw potentially leaves computers open to a privilege escalation exploit, which could be used to raise the privileges of a user, or of a piece of software, on the machine.

The vulnerability, which affects kernel versions 3.3 through 3.8, was mentioned in a Common Vulnerabilities and Exposures (CVE) request at the weekend.

The request detailed the vulnerability: "An unprivileged user can send a netlink message resulting in an out-of-bounds access of the sock_diag_handlers array which, in turn, allows userland to take over control while in kernel mode."

The vulnerability will be fixed in the Linux 3.9 kernel.
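The mechanism the CVE request describes, an untrusted one-byte family number used directly as an index into the sock_diag_handlers table, is the classic unchecked-index bug, and the fix is a single range check before the lookup. The C program below is an added illustration written for this page, not code from the kernel or from the article: it models the handler table in user space with an assumed AF_MAX of 40 and a hypothetical sock_diag_handler struct, shows how far an 8-bit index can reach past a 40-slot table of pointers, and places the unchecked lookup beside the bounds-checked version a netlink receive path should use. The function names and error codes are assumptions for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <errno.h>

/* Assumed upper bound on address-family numbers (the kernel's AF_MAX);
 * constructed for this example, not quoted from the page. */
#define AF_MAX   40
#define AF_INET   2

/* Hypothetical per-family handler, modelled loosely on what the kernel
 * dispatches to; not the kernel's definition. */
struct sock_diag_handler {
    int family;
    int (*dump)(const uint8_t *payload, size_t len);
};

/* The request header carried in the netlink message: the family is a
 * single byte chosen by the (unprivileged) sender, so it ranges 0..255. */
struct sock_diag_req {
    uint8_t sdiag_family;
    uint8_t sdiag_protocol;
};

static int inet_dump(const uint8_t *payload, size_t len)
{
    (void)payload; (void)len;
    return 0;                      /* a real handler would walk the socket table */
}

static const struct sock_diag_handler inet_handler = { AF_INET, inet_dump };

/* One slot per address family; only AF_INET is registered in this model. */
static const struct sock_diag_handler *sock_diag_handlers[AF_MAX] = {
    [AF_INET] = &inet_handler,
};

/* Byte offset from the start of the table that an unchecked
 * sock_diag_handlers[family] lookup would read from. */
size_t unchecked_read_offset(uint8_t family)
{
    return (size_t)family * sizeof(sock_diag_handlers[0]);
}

/* True when that offset lies past the end of the table, i.e. the pre-fix
 * code would have read a pointer from memory that is not a handler slot. */
bool overruns_table(uint8_t family)
{
    return unchecked_read_offset(family) >= sizeof(sock_diag_handlers);
}

/* BEFORE: the lookup trusts the sender-chosen index.  Kept for comparison
 * only and never called with an out-of-range family here, because in C
 * that read is undefined behaviour (and in the kernel it was the bug). */
const struct sock_diag_handler *lookup_unchecked(const struct sock_diag_req *req)
{
    return sock_diag_handlers[req->sdiag_family];
}

/* AFTER: reject families outside the table before indexing it.  One range
 * check on the untrusted index is the whole shape of the fix. */
const struct sock_diag_handler *lookup_checked(const struct sock_diag_req *req, int *err)
{
    if (req->sdiag_family >= AF_MAX) {
        *err = -EINVAL;            /* index would leave the table */
        return NULL;
    }
    const struct sock_diag_handler *h = sock_diag_handlers[req->sdiag_family];
    if (h == NULL) {
        *err = -ENOENT;            /* valid family, nothing registered */
        return NULL;
    }
    *err = 0;
    return h;
}

/* Entry point a netlink receive path would call: returns 0 or -errno. */
int sock_diag_rcv_msg_fixed(const struct sock_diag_req *req,
                            const uint8_t *payload, size_t len)
{
    int err;
    const struct sock_diag_handler *h = lookup_checked(req, &err);
    if (h == NULL)
        return err;
    return h->dump(payload, len);
}

int main(void)
{
    /* Constructed sample families: registered, unregistered, and out of range. */
    const uint8_t families[] = { AF_INET, 5, AF_MAX, 200, 255 };
    for (size_t i = 0; i < sizeof families; i++) {
        struct sock_diag_req req = { families[i], 0 };
        int rc = sock_diag_rcv_msg_fixed(&req, NULL, 0);
        printf("family %3u: checked lookup -> %4d, unchecked read offset %4zu bytes%s\n",
               req.sdiag_family, rc, unchecked_read_offset(req.sdiag_family),
               overruns_table(req.sdiag_family) ? " (past end of table)" : "");
    }
    return 0;
}
```

The point to take from the output is that the checked path returns an error for every family at or above AF_MAX, while the offset column shows the unchecked lookup reading well past a 40-entry table for most of the 256 values a single byte can hold.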

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

Talkback

28 comments
  • Linux kernel exploit gets patched

    Gentlemen, start your compilers.
    Loverock-Davidson
    • You're presumably talking to the distros?

      But I agree that it *was* useful to have the choice of fixing this myself last night without having to wait for a "Patch Tuesday" or something...
      Zogg
    • Why? Just allow normal updates surely?

      Hi :)
      I will be getting this in my next round of automatic updates. Not sure why Lovey wants to over-complicate it. I don't even need to point&click to get this update.
      Regards from
      Tom :)
      Tom6
      • Let's just hope then

        that you have not already been pwned through this vulnerability.

        Actionable proof-of-concept exploit code has been in the wild (known in the black-hat community) for at least 7 months.
        honeymonster
    • ummm

      gentlemen...be careful with BSOD
      mslinux
  • Linux kernel exploit gets patched

    Outstanding, a quick fix for a bug.
    daikon
    • Not so fast!

      All Distros on kernel 3.3 and later are vulnerable and have been for a year!

      What's worse (much worse) is that *it has been exploited* and vulnerability information has been in the wild for at least half a year:

      Two of the files in the tarball have timestamps of 2012-07-14. Of course, this is no proof, but it does appear that the bug was privately known since about July 2012. The README says:

      "A trimmed down version of an old exploit for the recently published `sock_diag_handlers[]' vulnerability :("

      (http://thread.gmane.org/gmane.comp.security.oss.general/9500)

      Go ahead and laud your swiss cheese OS. At the same time kernel.org, linuxfoundation.org and multiple other sites are routinely hacked by script kiddies using readily available vulnerabilities.
      honeymonster
      • Sometimes a bug in one does nothing in another

        CVE-2013-1763 kernel: sock_diag: out-of-bounds access to sock_diag_handlers

        This issue did not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
        daikon
        • CVE-2013-1763 affected all distros on kernel 3.3 and later

          RHEL 5 and 6 (and probably Enterprise MRG 2?) use outdated kernels (up to 2.6) which are not vulnerable to *this* vulnerability, but which may then be vulnerable to a host of other vulns which were fixed in later kernels but not backported by RH.
          honeymonster
          • I'd give red hat a go if I were you...

            Their security is world class and your information is clearly misinformed. Or not from first hand accounts.
            I receive not only the updates and patches from them, but tailored emails to alert me to the patches, as well as what they are patching and why tailored to the packages on my systems. I'm also kept up to date regarding the online status of my machines.

            The reason they run in the stable branch of Linux is exactly this; Debian are also still on 2.x kernels. "Outdated kernels" shows your misunderstanding. Linux runs in testing and stable. Most distros come from testing branch.

            Remember there is no Linux. There is GNU/Linux; the Linux kernel with the GNU userland. You can build it up how you like; there is no current, because there is no Linux OS. Some distros don't even use the Linux kernel, though these are still in testing.

            It is also worth noting that there is no evidence of a breach. Indeed user level access is required to exploit it. (It allows a user to obtain administrator privileges if executed successfully) so it's a priority to admins, but it's hardly a java fiasco.

            Home users need not worry so long as their existing security remains intact; remember, it would seem to have been patched prior to exploit at this stage. Though of course make sure you've got your updates installing :) As risks go it's a priority, but no need to panic over. As I say, just make sure you're up to date.
            MarknWill
          • redhat and others

            >>" host of other vulns which were fixed in later kernels but not backported by RH."
            So what are those?
            To my best knowledge, any vulnerability is checked against different versions. A vendor checks the versions it currently supports. If they are found vulnerable a patch is applied and kernel is updated.

            BTW, for every Linux vulnerability a hacker has this pain in the a$$ to verify if he can do it to the particular system out of all those gazillion versions and distros. How would that be for MS Windows?
            eulampius
      • Suggest a secure system

        Nothing is better is it?
        Altotus
        • Depends on price tag

          z/OS with RACF is better but costs a bomb

          My runtime of choice has always been AIX followed by RHEL but that's just my preference
          the.nameless.drifter
          • Opinion

            Right, it's nothing but your opinion. ALL posts here are opinions! Seldom if ever is there a citation or any kind of backup to any of the comments.
            twaynes
      • Call Oracle for help!

        Please ask Oracle for assistance in bugs more than one year old. Remember Java? They just need a little incentive from the US government!
        lorenzosjb
    • an exploit that takes a year to fix

      and you call it a quick fix for a bug?

      Do you call a train crash "a fender bender?"
      I Am Galactus
      • In all fairness

        The bug was *introduced* with kernel 3.3 a year ago, but it was not *known* to the kernel developers until recently. If you don't know that there is a problem, you cannot fix it.

        Whether their Q&A procedures are adequate is another discussion. The Linux kernel alone still experiences many more vulnerabilities than the entire Windows OS alone.

        The vulnerability has been known to attackers since July 2012, and may have been used to compromise systems. The vulnerability allows an attacker to execute arbitrary code in *kernel* space. When that happens, it is game over. The vulnerability could only be exploited from a local user. But a local user is only a Firefox, Opera or Java bug away.
        honeymonster
        • Links?

          "The vulnerability has been known to attackers since July 2012, and may have been used to compromise systems."
          Any links to support this statement? Or it was only known to you. Then, to me it was known since 1991 :)
          As far as your "Firefox, Opera or Java", no it's not remote exec code, you gotta find a corresponding vuln. in the mentioned browsers first.
          eulampius
          • Links

            http://thread.gmane.org/gmane.comp.security.oss.general/9500

            quote:

            Two of the files in the tarball have timestamps of 2012-07-14. Of course, this is no proof, but it does appear that the bug was privately known since about July 2012. The README says:

            "A trimmed down version of an old exploit for the recently published `sock_diag_handlers[]' vulnerability :("

            unquote

            This is a discussion on the changeset which fixed the bug.

            As for exploitability, consider how Linux is mostly used for servers, and as a server Linux is most often used for some kind of PHP or RoR application, which are notorious for bugs. Just a single bug in an application allows the attacker to run code at the server, and there are myriads to choose from.

            Running at the server this vulnerability is *total pwnage*. Run apparmor, SELinux or whatever, when the bad guys are in kernel mode it is game over.
            honeymonster
          • Good point

            I wonder who Flagged your comment.
            AppArmor will be useless against kernel exploits, when both have similar privilege.
            Martmarty