Israeli security firm Perception Point disclosed a Linux and Android security vulnerability. The company described it as a zero-day "local privilege escalation vulnerability in the Linux kernel." Which it was, but that's not the full story.
What Perception Point didn't say was that after finding the hole, their discovery, CVE-2016-0728, had been sent upstream to be fixed by the Linux kernel developers. The only reason this was a "zero-day" was that Perception Point itself released an exploit once the patch was already well on its way.
Why would they do that? One ticked-off Linux security developer said, "it's all about selling their companies nobody has ever heard of for as much as possible. This way they get headlines and we get security headaches."
This, according to another programmer working on mediating the problem, is far from unique. "Security companies are always making a big deal of little problems for their own benefit."
In this case, the security hole is in Linux's keyrings facility. Keyrings are used to cache security data, authentication keys, and encryption keys. The flaw is triggered by repeatedly referencing a keyring object by a duplicate name from userspace. By itself, that's not too bad.
The trouble comes when the field used to store the keyring object's reference count overflows. There are no checks to keep this integer value from wrapping around to zero. Once that happens, the kernel believes the object is no longer in use and frees it while it is still referenced, and an attacker who can then overwrite that memory is on the way to a privilege escalation exploit. In short, yes, an ordinary user can gain superuser privileges.
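To make the reference-count failure concrete, here is an added illustration in C, constructed for this article and not taken from the kernel or from Perception Point: a toy key object with an unchecked 32-bit usage counter beside one whose increment refuses to wrap. The struct, field and function names are assumptions, not the kernel's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model of a kernel object whose lifetime is governed by a reference
 * count, as keyring objects are (constructed example, not kernel code).
 * The counter is a plain 32-bit integer, as in the vulnerable kernels. */
struct key_obj {
    uint32_t usage;   /* number of holders; object freed when it hits 0 */
    bool freed;       /* set once the object has been released */
};

/* n leaked references, unchecked: arithmetically identical to n plain
 * increments, so the demo need not loop 2^32 times. Wraps modulo 2^32. */
static void leak_refs_unchecked(struct key_obj *k, uint64_t n)
{
    k->usage = (uint32_t)(k->usage + n);
}

/* The same n references with an overflow check: refuse any increment
 * that would wrap and leave the counter untouched. This is the kind of
 * saturation check a refcount type should enforce. */
static bool leak_refs_checked(struct key_obj *k, uint64_t n)
{
    if (n > (uint64_t)UINT32_MAX - k->usage)
        return false;   /* would wrap: caller must treat the get as failed */
    k->usage += (uint32_t)n;
    return true;
}

/* Drop one reference; a count that reaches (or already is) zero means
 * the object is released, and any remaining holder now has a dangling
 * pointer, which is the use-after-free the article describes. */
static void key_put(struct key_obj *k)
{
    if (k->usage == 0 || --k->usage == 0)
        k->freed = true;
}

/* Scenario: an owner holds one reference, leaked_refs extra references
 * are taken and never released, then a legitimate user does one get/put.
 * Returns true if the owner's object was freed out from under it. */
static bool freed_while_referenced(bool checked, uint64_t leaked_refs)
{
    struct key_obj k = { .usage = 1, .freed = false };
    if (checked)
        leak_refs_checked(&k, leaked_refs);    /* refusal keeps usage sane */
    else
        leak_refs_unchecked(&k, leaked_refs);
    leak_refs_unchecked(&k, 1);                /* legitimate user: get */
    key_put(&k);                               /* legitimate user: put */
    return k.freed;
}
```

With UINT32_MAX leaked references the unchecked counter wraps from 1 to 0, so the legitimate user's single put frees the object while the owner still holds it; the checked counter refuses the wrap and the object survives.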
That's bad, but it's not half as bad as it sounds. First, you need a user account to even start. At a minimum, an attacker would need to have a login and shell account on the target system. Joe Hacker simply trying to break into your system from outside can't do it.
In addition, for once this problem doesn't impact older systems. Only Linux distributions using Linux kernel 3.10 or higher can be attacked. Linux 3.10 was released in August 2013.
Specifically the following distributions are theoretically vulnerable:
- CentOS Linux 7
- Debian Linux stable 8.x (jessie)
- Debian Linux testing 9.x (stretch)
- Fedora 21 and newer
- Scientific Linux 7
- openSUSE Linux LEAP 42.x and version 13.x
- Oracle Linux 7
- Red Hat Enterprise Linux (RHEL) 7
- SUSE Linux Enterprise Desktop 12
- SUSE Linux Enterprise Server (SLES) 12
- Ubuntu Linux 14.04 LTS (Trusty Tahr)
- Ubuntu Linux 15.04 (Vivid Vervet)
- Ubuntu Linux 15.10 (Wily Werewolf)
Even on these systems, the published exploit doesn't work. I've tried it myself on a Fedora 23 system with 8GB of RAM. It eventually locked up the PC when it ran out of free memory. Others report that this attack failed for them because of memory exhaustion.
While this could be used to attack Android devices running Android 4.4 or newer, it's a meaningless attack. First, you'd need to have the device in hand. Next, you'd need more memory than I've ever seen on an Android gadget. Last but far from least, even Perception Point admits that "the full exploit takes about 30 minutes to run on Intel Core i7-5500 CPU." It would take over a day to run on an Android device. In short, there are a lot easier ways to root an Android smartphone or tablet.
In addition, many, if not most, Linux kernels have Supervisor Mode Execution Protection (SMEP) and/or Supervisor Mode Access Prevention (SMAP) enabled. While both SMEP and SMAP can be overcome, they add another layer of complexity to successfully exploiting the hole.
Still, the problem does need fixing. The patch is already available as source code. Most Linux distributions have already made the patch available. The one exception is Red Hat. As of January 20, Red Hat has not issued a patch. It is expected to be out momentarily.
One fix which will not work is to use the command:
# echo 1 > /proc/sys/kernel/keys/maxkeys
This only applies to user-created keys, not root-created keys. Thus, this is not a real workaround.
Instead, depending on your distribution, you should run the following commands from the shell:
Debian or Ubuntu:
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
$ sudo reboot
Fedora/CentOS/RHEL (when the patch is released):
$ sudo yum update
$ sudo reboot
openSUSE or SLES, as the root user:
# zypper patch
# reboot
While you should do this as soon as possible, don't sweat it too much. This is one exploit where there's been much ado about almost nothing.