Google Project Zero to Linux distros: Your sluggish kernel patching puts users at risk

Project Zero accuses Linux distributions of leaving users exposed to known kernel vulnerabilities for weeks.

Jann Horn, the Google Project Zero researcher who was among the discoverers of the Meltdown and Spectre CPU flaws, has a few words for the maintainers of Ubuntu and Debian: raise your game on merging kernel security fixes, because you're leaving users exposed for weeks.

Horn earlier this week released an "ugly exploit" for Ubuntu 18.04, which "takes about an hour to run before popping a root shell".

The kernel bug, tagged CVE-2018-17182, is a cache invalidation flaw in Linux memory management: a use-after-free in the kernel's per-thread cache of virtual memory areas (the "vmacache"), triggered when the cache's sequence number overflows. Horn reported it to the Linux kernel maintainers on September 12.

Linux founder Linus Torvalds fixed it in his upstream kernel tree two weeks ago, an impressively fast single day after Horn reported the issue. Within days it was also fixed in the upstream stable kernel releases 4.18.9, 4.14.71, 4.9.128, and 4.4.157, and a fix followed in the long-term 3.16 series as release 3.16.58.


But Horn points out that some Linux distributions are leaving users exposed to potential attacks by not reacting fast enough to frequently updated upstream stable kernel releases.

As soon as the patch lands in the upstream kernel it is public, and from that point an attacker can study it to develop an exploit, Horn explains.

However, end users of Linux distributions aren't protected until each distribution merges the changes from upstream stable kernels, and then users install that updated release.

Between those two points, the issue also gets exposure on public mailing lists, giving both Linux distributions and would-be attackers a chance to take action.
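The practical question for an administrator is which side of that window a given machine sits on. The following script is an added example, not code from the article or from Project Zero: it compares a kernel release string against the upstream stable versions the article lists as carrying the fix for CVE-2018-17182 (plus mainline 4.19 and later, which inherited the fix from Linus's tree before 4.19 was released). The sample release strings are constructed for illustration. The important caveat is the one Horn's argument turns on: a distribution kernel such as Ubuntu's 4.15 series, or a Debian 4.9 build with a backported patch, cannot be judged from its version number alone, so the script reports "unknown series" or "below upstream fix" and points you at the distribution's own security advisory rather than declaring the host safe.

```python
"""Compare a Linux kernel release string with the upstream stable releases
that carry the fix for CVE-2018-17182.

Added example; not from the article or from Project Zero.  The fixed
versions are the upstream stable releases named in the article.  Distro
kernels with backported fixes cannot be judged from the version number,
which is exactly the gap the article describes, so this is a triage aid,
not a definitive vulnerability test.
"""
import platform
import re

# First upstream stable release in each series that contains the fix
# (versions as listed in the article).
FIXED_STABLE = {
    (4, 18): (4, 18, 9),
    (4, 14): (4, 14, 71),
    (4, 9): (4, 9, 128),
    (4, 4): (4, 4, 157),
    (3, 16): (3, 16, 58),
}

# The fix landed in Linus's tree during the 4.19 release cycle, so every
# mainline release from 4.19 onward contains it.
FIRST_FIXED_MAINLINE = (4, 19)

FIXED_UPSTREAM = "fixed_upstream"        # version is at or above the fixed release
BELOW_UPSTREAM = "below_upstream_fix"    # older than the fix; check distro advisory
UNKNOWN_SERIES = "unknown_series"        # series not tracked here (e.g. distro-specific 4.15)


def parse_version(release):
    """Extract (major, minor, patch) from a uname -r style string.

    Handles distro suffixes such as '4.9.110-3+deb9u4' or
    '4.15.0-34-generic' by reading only the leading numeric fields.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("not a kernel version string: %r" % release)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def upstream_fix_status(release):
    """Classify a kernel release string relative to the upstream fix."""
    version = parse_version(release)
    series = version[:2]

    # Mainline at or after 4.19 carries the fix regardless of patch level.
    if series >= FIRST_FIXED_MAINLINE:
        return FIXED_UPSTREAM

    fixed = FIXED_STABLE.get(series)
    if fixed is None:
        # A series we have no upstream fixed version for.  Ubuntu 18.04's
        # 4.15 kernel falls here: only the distro changelog can tell you.
        return UNKNOWN_SERIES

    return FIXED_UPSTREAM if version >= fixed else BELOW_UPSTREAM


def describe(release):
    """Human-readable verdict for a release string."""
    status = upstream_fix_status(release)
    if status == FIXED_UPSTREAM:
        return "%s: at or above the upstream stable fix" % release
    if status == BELOW_UPSTREAM:
        return ("%s: older than the upstream fix; check whether your "
                "distribution backported the patch" % release)
    return ("%s: series not tracked upstream here; consult your "
            "distribution's security advisory" % release)


if __name__ == "__main__":
    # Constructed sample strings, not observed hosts.
    for sample in ("4.9.128", "4.9.110-3+deb9u4", "4.15.0-34-generic",
                   "4.18.9-300.fc28.x86_64", "3.16.57", "4.19.0"):
        print(describe(sample))
    # The kernel this script is actually running on.
    print(describe(platform.release()))
```

Run it on a host and read the verdict alongside the distribution's security tracker; a "below upstream fix" result on a Debian or Ubuntu kernel is the cue to check whether the vendor has shipped a backport yet, which is precisely the lag Horn is complaining about.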

"The security issue was announced on the oss-security mailing list on 2018-09-18, with a CVE allocation on 2018-09-19, making the need to ship new distribution kernels to users clearer," Horn wrote in a Project Zero post published Wednesday.

But as he noted, as of Wednesday, Debian stable and Ubuntu releases 16.04 and 18.04 had not fixed the issue, with the latest kernel update occurring around a month earlier. This means there's a gap of several weeks between the flaw being publicly disclosed and fixes reaching end users.

"Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27. Android only ships security updates once a month," he observed.

"Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users -- especially if the security impact is not announced publicly."


The Fedora project, by contrast, moved faster, pushing a fix to users on September 22.

Canonical, the UK company that maintains Ubuntu, has since responded to Horn's blog, and says fixes "should be released" around Monday, October 1.

This is unlikely to be the last kernel bug Project Zero researchers find, and unless Ubuntu and other Linux distributions get their act together on upstream kernel fixes, they can expect to be named and shamed again.

"The fix timeline shows that the kernel's approach to handling severe security bugs is very efficient at quickly landing fixes in the git master tree, but leaves a window of exposure between the time an upstream fix is published and the time the fix actually becomes available to users -- and this time window is sufficiently large that a kernel exploit could be written by an attacker in the meantime," wrote Horn.
