Serious bug in Linux kernel allows for privilege escalation

The security team at Perception Point has uncovered a serious bug in the Linux kernel that could allow a regular user to get elevated permissions on an affected system. The vulnerability affects the Linux kernel versions 3.8 and higher.

The bug lies in the code that implements Linux's keyrings facility, which is "primarily a way for drivers to retain or cache security data, authentication keys, encryption keys, and other data." To exploit the bug, an attacker has to make 232 requests to the keyring service, until an internal 32-bit counter rolls back to zero. After that, the attacker can trigger a use-after-free vulnerability to run arbitrary code with elevated privileges.

Besides a substantial number of Linux systems, the security researchers also point out that an estimated 66% of Android devices are equally exploitable. However, The Register notes that Android's kernel configuration guide doesn't have keyrings enabled by default. Perception Point managed to trigger the bug in roughly 30 minutes on a Core i7-5500U CPU, but notes the exploit isn't really time-dependent—after all, the code can easily run in the background and take whatever time it needs.

According to nixCraft, Red Hat Enterprise Linux 7, CentOS 7, Debian, Ubuntu, and Suse Linux Enterprise 12 are all vulnerable. It's not all bad news, though. Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Protection (SMAP) CPU features and SELinux should defeat this exploit.

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.