Video: The 2013 flaw that's still used to turn Linux servers into coin miners today.
Multiple Linux distributions are affected by a quirk in a Linux compiling tool for building Windows apps -- mingw-w64 or Minimalist GNU for Windows for 64-bit PCs -- that fails to implement a Windows exploit-mitigation feature known as address space layout randomization (ASLR).
Carnegie Mellon University's computer emergency response team (CERT/CC) has issued a warning that "mingw-w64 produces executable Windows files without a relocations table by default, which breaks compatibility with ASLR".
ASLR is a widely implemented technique for obstructing exploits that rely on predicting memory addresses by randomizing the address space. It's used by Windows as well as Linux distributions that rely on the Linux kernel, where it was first implemented in 2002.
The problem, as CERT/CC's Will Dormann explains, is that for the past five years developers have been using mingw-w64 to generate Windows executables that should be ASLR compatible, but in fact aren't, because they're missing an essential address 'relocations table'.
"Vulnerabilities in such executables are more easily exploitable as a result," he notes.
"For ASLR to function, Windows executables must contain a relocations table. Despite containing the 'Dynamic base' PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks."
ROP or return-oriented programming attacks have historically been a popular method for exploiting software vulnerabilities and giving attackers a way to control a computer even if it's protected.
Troublingly, CERT/CC doesn't know of a practical way to fix the missing relocations table bug, tagged as CVE-2018-5392.
However, it has suggested a workaround whereby mingw-w64 can be "coerced" into outputting executables with the relocations table intact. The advisory explains how to implement the workaround.
According to CERT/CC, the bug affects Ubuntu, Debian, Red Hat, SUSE Linux, Arch Linux, CentOS, and more. However, none of the vendors has released a statement about the bug or its fix. The vendors were notified in late July.
Previous and related coverage
OS and hypervisor makers patch flaw that attackers could use to crash systems or read data from memory.
Microsoft preps new Windows 10 security features to ensure system integrity during start-up and after it's running
Some devices are reportedly freezing after the new Windows 10 April 2018 Update.
Linux server administrators will want to patch their systems as soon as possible.
Open source vulnerabilities will often get disclosed earlier than those in managed software, but it's up to IT to apply the patches.