Jann Horn, the Google Project Zero researcher who was among those who discovered the Meltdown and Spectre CPU flaws, has a few words for the maintainers of Ubuntu and Debian: raise your game on merging kernel security fixes, because you're leaving users exposed for weeks.
Horn earlier this week released an "ugly exploit" for Ubuntu 18.04, which "takes about an hour to run before popping a root shell".
The kernel bug is a cache-invalidation flaw in Linux memory management, tracked as CVE-2018-17182, which Horn reported to the Linux kernel maintainers on September 12.
Linux founder Linus Torvalds landed a fix in his upstream kernel tree the following day, an impressively fast turnaround. Within days it was also fixed in the upstream stable kernel releases 4.18.9, 4.14.71, 4.9.128 and 4.4.157, and a fix is in release 3.16.58 as well.
But Horn points out that some Linux distributions are leaving users exposed to potential attacks by not reacting fast enough to frequently updated upstream stable kernel releases.
Once a patch lands in the upstream kernel it is public, and from that moment an attacker can study it to develop an exploit, Horn explains.
However, end users of Linux distributions aren't protected until each distribution merges the changes from upstream stable kernels, and then users install that updated release.
Between those two points, the issue also gets exposure on public mailing lists, giving both Linux distributions and would-be attackers a chance to take action.
"The security issue was announced on the oss-security mailing list on 2018-09-18, with a CVE allocation on 2018-09-19, making the need to ship new distribution kernels to users clearer," Horn wrote in a Project Zero post published Wednesday.
But as he noted, as of Wednesday, Debian stable and Ubuntu 16.04 and 18.04 had still not shipped a fix; their most recent kernel updates were around a month earlier. That leaves a gap of several weeks between the upstream fix becoming public and a fix reaching end users.
"Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27. Android only ships security updates once a month," he observed.
"Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users -- especially if the security impact is not announced publicly."
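A quick sanity check, added here as an example and not taken from Horn's post or from any distribution's tooling: compare a kernel release string against the upstream stable releases listed earlier that carry the fix. The branch-to-version table comes from this article; the function name, the return-code convention and the sample release strings are assumptions of the example. The caveat the script encodes is the one Horn is making: distribution kernels such as Ubuntu's 4.15-based builds do not track an upstream stable branch at all, so their version string says nothing, and even on a listed branch a distribution may backport the fix without adopting the upstream version number. A "vulnerable" verdict therefore means "not confirmed fixed by version"; the distribution's own advisory is the authority.

```shell
#!/bin/sh
# Added example (not from Horn's post or any distribution's tooling).
# Compares a kernel release string against the upstream stable releases that
# carry the CVE-2018-17182 fix, as listed in the article:
#   4.18.9, 4.14.71, 4.9.128, 4.4.157, 3.16.58
# Branches not in this table (e.g. Ubuntu's 4.15.0-xx) cannot be judged from
# the version string, and on a listed branch a distro may backport the fix
# without bumping the upstream version. Treat "vulnerable" as "not confirmed
# fixed by version"; the distribution's own advisory is authoritative.

# "major.minor first-fixed-patch", one branch per line (from the article).
FIXED_VERSIONS="4.18 9
4.14 71
4.9 128
4.4 157
3.16 58"

# check_kernel RELEASE_STRING   (hypothetical helper name)
#   prints:  fixed | vulnerable | unknown-branch
#   returns: 0     | 1          | 2
check_kernel() {
    ver="$1"
    base="${ver%%-*}"          # drop distro suffix: 4.9.128-1-amd64 -> 4.9.128
    major="${base%%.*}"        # 4
    rest="${base#*.}"          # 9.128
    minor="${rest%%.*}"        # 9
    patch="${rest#*.}"         # 128
    # A two-component release like "4.19" has no patch level: treat it as 0.
    if [ "$patch" = "$rest" ]; then patch=0; fi
    # Keep only the leading digits of the patch level (tolerates "128+" etc.).
    patch="${patch%%[!0-9]*}"
    if [ -z "$patch" ]; then patch=0; fi

    branch="$major.$minor"
    fixed=""
    while read -r b p; do
        if [ "$b" = "$branch" ]; then fixed="$p"; fi
    done <<EOF
$FIXED_VERSIONS
EOF

    if [ -z "$fixed" ]; then
        echo "unknown-branch"   # e.g. Ubuntu 4.15.0-34-generic: consult the distro advisory
        return 2
    fi
    if [ "$patch" -ge "$fixed" ]; then
        echo "fixed"
        return 0
    fi
    echo "vulnerable"           # upstream version predates the fix; confirm via advisory
    return 1
}

# Check the running kernel, or the release string given as the first argument.
# "|| true" keeps a vulnerable verdict from aborting a caller running "set -e".
check_kernel "${1:-$(uname -r)}" || true
```

Run it as `sh check_kernel.sh` on the host, or `sh check_kernel.sh 4.9.110-3+deb9u4` to evaluate a release string from an inventory. The sample strings in the test below are constructed for illustration; the Ubuntu-style one is there to show that the script refuses to guess for branches it does not know.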
However, the Fedora project was a little faster, pushing a fix to users on 22 September.
Canonical, the UK company that maintains Ubuntu, has since responded to Horn's blog, and says fixes "should be released" around Monday, October 1.
This is unlikely to be the last kernel bug Project Zero researchers find, and unless Ubuntu and other Linux distributions get their act together on upstream kernel fixes, they can expect to be named and shamed again.
"The fix timeline shows that the kernel's approach to handling severe security bugs is very efficient at quickly landing fixes in the git master tree, but leaves a window of exposure between the time an upstream fix is published and the time the fix actually becomes available to users -- and this time window is sufficiently large that a kernel exploit could be written by an attacker in the meantime," wrote Horn.