
Forum Moderators: bakedjake


Zero Day Vulnerability Discovered In Linux Kernel

9:20 am on Jan 20, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:26182
votes: 968


It seems this is a proof of concept discovery, but it's good to see a fix coming so swiftly. It's interesting that Android may be vulnerable for considerably longer as the relatively slow update path is a weak spot.

For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.

Zero Day Vulnerability Discovered In Linux Kernel [arstechnica.com]
10:22 am on Jan 20, 2016 (gmt 0)

New User

joined:Jan 7, 2016
posts:10
votes: 1


This doesn't look good for Android users; we will see a lot of leaked photos.
11:45 pm on Jan 20, 2016 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 9, 2004
posts:137
votes: 13


It's important to actually read these kernel alerts. So, old Androids are in zero danger from this, because this comes with kernel 3.8 or later only. They are in danger from every other known exploit for unpatched Androids, but given the dispersion of Android systems, and the consistent failure by phone vendors to apply timely updates to their Android releases, it's best to just think of all non-Google-sourced Android systems as essentially vulnerable. And not just old: I have an Android 4.4.2, recently updated, which runs Linux 3.4, i.e., zero risk from this exploit.

The vulnerability is notable because it's exploitable in a wide array of settings. On servers, people with local access can exploit it to achieve complete root access. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions.


[arstechnica.com...]

I'm not convinced this explanation is technically right because they tend to be extremely sloppy in their reporting. I read the actual report:

[perception-point.io...]

but I'm not up on the specifics enough to know if this is truly a local-only exploit, which almost ALL are, by the way, and thus of almost no risk to web servers etc., or if it can be exploited via ssh or ssl or apache etc.

However, if it's only local access, which means you're sitting at the machine typing into its terminal/console, then the risk to servers is close to zero, and, again, the server would have to be running that kernel, which most servers probably aren't doing, since they are long-term frozen pool releases. Depends. I've always laughed at local-only exploits because the entire notion is so absurd; as I like to note, if someone is sitting directly in front of your system with access to the hardware, you have much bigger security issues than a tiny weakness in the kernel, since they already have your machine, lol.

Same for Android risk: Google expressed very little concern about the issue, saying it doesn't apply to most Android releases.

Of course, Android is already long since established as the Windows of mobile phone security, so it's not like patching this in your Android would suddenly make Android secure.
4:45 pm on Jan 21, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1864
votes: 5


Thanks lizardx.
11:27 pm on Feb 17, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1864
votes: 5


Is 4.3.3 vulnerable to this? I'm having trouble figuring out exactly when this was fixed.
9:42 pm on Mar 9, 2016 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 9, 2004
posts:137
votes: 13


"The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands."

[cve.mitre.org...]

So the answer is yes, from 3.8 to 4.4.0, unless the kernel/distro/Android maintainer backported the patches to fix it, or if Greg KH's long-term release branches had those backported AND the distro/Android distributor updated their kernels, which is impossible to answer. Just adding this for historical purposes.
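A small admin-side check for the version question raised in this thread, added here as an example and not part of the original posts. It takes a kernel release string (by default the output of `uname -r`), strips the distro suffix, and reports whether the upstream version number falls in the range the CVE text and the post above describe (3.8 up to and including 4.4.0, fixed in 4.4.1). The function names and the sample release strings are my own; as the post notes, a distro kernel may carry a backported fix without a version bump, so an "in range" result is only a prompt to read the distro advisory, not a verdict.

```shell
#!/bin/sh
# Added example (not from the thread): flag kernels whose upstream version
# lies in the join_session_keyring bug window, 3.8 <= version < 4.4.1.
# Only major.minor.patch is compared; "-327.el7.x86_64" style suffixes are
# dropped, so backported fixes are invisible to this check by design.

# Reduce a kernel release string to its upstream "major.minor[.patch]" part.
# "4.4.0-45-generic" -> "4.4.0"; "3.10.0-327.el7.x86_64" -> "3.10.0"
kernel_base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
}

# Compare two dotted version strings numerically, field by field.
# Missing fields count as 0, so "3.8" equals "3.8.0". Prints -1, 0 or 1.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# True (exit 0) when the upstream version is >= 3.8 and < 4.4.1,
# i.e. inside the affected window stated in the CVE description.
keyring_bug_version_in_range() {
    v=$(kernel_base_version "$1")
    [ "$(version_cmp "$v" "3.8")" -ge 0 ] && [ "$(version_cmp "$v" "4.4.1")" -lt 0 ]
}

# Report for the running kernel, or for a release string passed as $1.
check_kernel() {
    rel=${1:-$(uname -r)}
    if keyring_bug_version_in_range "$rel"; then
        echo "$rel: upstream version inside affected window (3.8 .. 4.4.0); check your distro advisory for a backported fix"
    else
        echo "$rel: upstream version outside affected window"
    fi
}

check_kernel "$@"
```

Run it with no arguments on the host in question, or pass a release string such as `4.3.3` to answer the question asked earlier in the thread; for distro kernels, follow up with the vendor's changelog or advisory, since the version number alone cannot tell you whether the fix was backported.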