The security team at Perception Point has uncovered a serious bug in the Linux kernel that could allow a regular user to get elevated permissions on an affected system. The vulnerability affects Linux kernel versions 3.8 and higher.
The bug lies in the code that implements Linux's keyrings facility, which is "primarily a way for drivers to retain or cache security data, authentication keys, encryption keys, and other data." To exploit the bug, an attacker has to make 2^32 requests to the keyring service, until an internal 32-bit counter rolls back to zero. After that, the attacker can trigger a use-after-free vulnerability to run arbitrary code with elevated privileges.
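The counter rollover described above, as an added example that is not part of the original article and is not the kernel's keyring code: a simplified C model of a 32-bit reference counter, showing why an unchecked counter lets an object be freed while a holder still uses it, and how a saturating counter prevents that. The struct, the function names and the leak count are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a reference-counted kernel object. */
struct object {
    uint32_t usage;   /* 32-bit reference counter, as in the article */
    bool     freed;
};

/* Take n references in one step (same result as n single increments). */
static void get_ref(struct object *o, uint64_t n, bool saturating)
{
    uint64_t sum = (uint64_t)o->usage + n;
    if (saturating && sum >= UINT32_MAX)
        o->usage = UINT32_MAX;      /* hardened: pin at the ceiling */
    else
        o->usage = (uint32_t)sum;   /* unchecked: wraps modulo 2^32 */
}

/* Drop one reference. A saturated counter stays pinned: leaked, never freed. */
static void put_ref(struct object *o, bool saturating)
{
    if (saturating && o->usage == UINT32_MAX)
        return;
    if (--o->usage == 0)
        o->freed = true;
}

/* One legitimate holder keeps a pointer (usage = 1). A buggy path leaks
 * `leaked` references, then an ordinary get/put pair runs. Returns true
 * if the object was freed while the holder still references it. */
static bool freed_while_in_use(uint64_t leaked, bool saturating)
{
    struct object o = { .usage = 1, .freed = false };
    get_ref(&o, leaked, saturating);   /* references never released */
    get_ref(&o, 1, saturating);        /* normal user takes a reference */
    put_ref(&o, saturating);           /* ...and releases it */
    return o.freed;
}

int main(void)
{
    uint64_t leaked = 0xFFFFFFFFull;   /* 2^32 - 1 leaked references */
    printf("unchecked:  freed while in use = %d\n", freed_while_in_use(leaked, false));
    printf("saturating: freed while in use = %d\n", freed_while_in_use(leaked, true));
    return 0;
}
```

The saturating variant trades a memory leak for safety: once the counter hits its ceiling the object is never freed, so no dangling pointer can exist.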
Besides a substantial number of Linux systems, the security researchers also point out that an estimated 66% of Android devices are equally exploitable. However, The Register notes that Android's kernel configuration guide doesn't have keyrings enabled by default. Perception Point managed to trigger the bug in roughly 30 minutes on a Core i7-5500U CPU, but notes the exploit isn't really time-dependent—after all, the code can easily run in the background and take whatever time it needs.
According to nixCraft, Red Hat Enterprise Linux 7, CentOS 7, Debian, Ubuntu, and Suse Linux Enterprise 12 are all vulnerable. It's not all bad news, though. Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Protection (SMAP) CPU features and SELinux should defeat this exploit.