Serious bug in Linux kernel allows for privilege escalation

The security team at Perception Point has uncovered a serious bug in the Linux kernel that could allow a regular user to get elevated permissions on an affected system. The vulnerability affects the Linux kernel versions 3.8 and higher.

The bug lies in the code that implements Linux's keyrings facility, which is "primarily a way for drivers to retain or cache security data, authentication keys, encryption keys, and other data." To exploit the bug, an attacker has to make 2^32 requests to the keyring service, until an internal 32-bit counter rolls back to zero. After that, the attacker can trigger a use-after-free vulnerability to run arbitrary code with elevated privileges.
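The counter wrap described above, as an added C illustration (this is not the kernel's code and not Perception Point's): a plain 32-bit reference count comes back around after 2^32 increments, so a release that trusts it frees an object that still has billions of holders, which is the use-after-free condition. The saturating counter beside it is the usual hardening pattern: once the count nears its limit it sticks there and the object is leaked rather than freed. The `struct obj` model, the `true_holders` bookkeeping field and the `REFS_SATURATED` threshold are assumptions made for the illustration.

```c
/* Added illustration, not kernel code: a wrapped 32-bit reference count
 * versus a saturating one. true_holders is model bookkeeping only; the
 * object itself only ever sees the 32-bit field. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define REFS_SATURATED (UINT32_MAX / 2) /* assumed threshold for the hardened variant */

struct obj {
    uint32_t refs;         /* the 32-bit counter the object relies on */
    uint64_t true_holders; /* how many users really hold a reference */
    bool freed;
};

/* Naive: n requests each do refs++. Modular arithmetic makes n single
 * increments identical to one addition, so 2^32 requests are modelled
 * without a 2^32-iteration loop. */
void naive_get_n(struct obj *o, uint64_t n) {
    o->refs += (uint32_t)n; /* silently wraps past UINT32_MAX */
    o->true_holders += n;
}

/* Naive release: frees at zero, trusting the counter blindly.
 * Returns true if the object was freed while other holders still exist,
 * i.e. the use-after-free condition. */
bool naive_put(struct obj *o) {
    o->true_holders--;
    if (--o->refs == 0)
        o->freed = true;
    return o->freed && o->true_holders > 0;
}

/* Hardened: once the counter would reach the threshold it is pinned there
 * for the object's lifetime. The object leaks, which is far safer than
 * freeing it while in use. */
void safe_get_n(struct obj *o, uint64_t n) {
    o->true_holders += n;
    if (o->refs >= REFS_SATURATED || n >= (uint64_t)REFS_SATURATED - o->refs) {
        o->refs = REFS_SATURATED;
        return;
    }
    o->refs += (uint32_t)n;
}

/* Hardened release: a saturated or already-zero counter never frees. */
bool safe_put(struct obj *o) {
    o->true_holders--;
    if (o->refs >= REFS_SATURATED || o->refs == 0)
        return false;
    if (--o->refs == 0)
        o->freed = true;
    return o->freed && o->true_holders > 0;
}

int main(void) {
    struct obj a = {1, 1, false};
    naive_get_n(&a, (uint64_t)1 << 32); /* the 2^32 requests from the article */
    printf("naive: counter=%u, real holders=%llu\n",
           a.refs, (unsigned long long)a.true_holders);
    bool uaf = naive_put(&a);
    printf("naive: release freed an in-use object: %s\n", uaf ? "yes" : "no");

    struct obj b = {1, 1, false};
    safe_get_n(&b, (uint64_t)1 << 32);
    printf("saturating: counter=%u\n", b.refs);
    uaf = safe_put(&b);
    printf("saturating: release freed an in-use object: %s\n", uaf ? "yes" : "no");
    return 0;
}
```

The naive run shows the counter reading 1 after 2^32 + 1 acquisitions, so the very next release frees the object with 2^32 holders outstanding; the saturating run leaks instead. Real kernels apply the same idea with a dedicated checked refcount type rather than a hand-written threshold.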

Besides a substantial number of Linux systems, the security researchers also point out that an estimated 66% of Android devices are equally exploitable. However, The Register notes that Android's kernel configuration guide doesn't have keyrings enabled by default. Perception Point managed to trigger the bug in roughly 30 minutes on a Core i7-5500U CPU, but notes the exploit isn't really time-dependent—after all, the code can easily run in the background and take whatever time it needs.

According to nixCraft, Red Hat Enterprise Linux 7, CentOS 7, Debian, Ubuntu, and Suse Linux Enterprise 12 are all vulnerable. It's not all bad news, though. Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Protection (SMAP) CPU features and SELinux should defeat this exploit.
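The conditions this paragraph and the one above it list (kernel 3.8 or newer, keyrings built in, SMEP/SMAP present, SELinux enforcing) as an added C checker; this is not part of the article and not a tool from any of the sources it cites. It reads the standard Linux locations `/proc/cpuinfo`, `/sys/fs/selinux/enforce` and `/boot/config-<release>` (the config file is not shipped by every distribution), and all parsing works on plain text so it can be exercised on constructed samples. The `EXP_*` bit names and the `exposure_mask` function are assumptions made for the example. It deliberately reports each condition separately rather than issuing a single verdict, since the article says the CPU features and SELinux "should" defeat the exploit, not which one alone is sufficient.

```c
/* Added example, not from the article: report the affected/mitigation
 * conditions the article lists. Text-based parsers so they run offline. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

enum { EXP_KERNEL_GE_3_8 = 1, EXP_KEYS_BUILTIN = 2, EXP_SMEP = 4,
       EXP_SMAP = 8, EXP_SELINUX_ENFORCING = 16 };

/* Parse "MAJOR.MINOR..." from a uname -r string; 1 if >= maj.min, 0 if older,
 * -1 if unparsable. Comparison is numeric, so 3.18 counts as newer than 3.8. */
int kernel_at_least(const char *release, int maj, int min) {
    int rmaj = 0, rmin = 0;
    if (sscanf(release, "%d.%d", &rmaj, &rmin) < 2) return -1;
    if (rmaj != maj) return rmaj > maj;
    return rmin >= min;
}

/* Exact-token search in the "flags" line(s) of /proc/cpuinfo text, so
 * "smep" does not match "sme" or vice versa. */
int cpuinfo_has_flag(const char *cpuinfo, const char *flag) {
    size_t flen = strlen(flag);
    const char *line = cpuinfo;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if (strncmp(line, "flags", 5) == 0) {
            const char *p = line + 5;
            while (p < end) {
                p += strspn(p, " \t:");        /* skip separators */
                if (p >= end) break;
                size_t tl = strcspn(p, " \t\n"); /* token length */
                if (tl == flen && strncmp(p, flag, tl) == 0) return 1;
                p += tl;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* 1 if a kernel .config text has the exact line CONFIG_KEYS=y. */
int config_has_keys(const char *config) {
    const char *p = config;
    while (p) {
        if (strncmp(p, "CONFIG_KEYS=y", 13) == 0 && (p[13] == '\n' || p[13] == '\0'))
            return 1;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* /sys/fs/selinux/enforce holds "1" when enforcing. */
int selinux_enforcing(const char *text) {
    return text != NULL && text[0] == '1';
}

/* Bitmask of the conditions found; callers decide what to make of it. */
int exposure_mask(const char *release, const char *config,
                  const char *cpuinfo, const char *enforce) {
    int m = 0;
    if (kernel_at_least(release, 3, 8) == 1) m |= EXP_KERNEL_GE_3_8;
    if (config_has_keys(config))            m |= EXP_KEYS_BUILTIN;
    if (cpuinfo_has_flag(cpuinfo, "smep"))  m |= EXP_SMEP;
    if (cpuinfo_has_flag(cpuinfo, "smap"))  m |= EXP_SMAP;
    if (selinux_enforcing(enforce))         m |= EXP_SELINUX_ENFORCING;
    return m;
}

/* Whole-file read into a NUL-terminated buffer; NULL if the file is absent. */
static char *read_file(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 65536, len = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    if (buf) buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void) {
    struct utsname u;
    if (uname(&u) != 0) return 1;
    char cfgpath[256];
    snprintf(cfgpath, sizeof cfgpath, "/boot/config-%s", u.release);
    char *cpu = read_file("/proc/cpuinfo"), *cfg = read_file(cfgpath);
    char *enf = read_file("/sys/fs/selinux/enforce");
    int m = exposure_mask(u.release, cfg ? cfg : "", cpu ? cpu : "", enf ? enf : "");
    printf("kernel %s: >=3.8 %s, CONFIG_KEYS=y %s, SMEP %s, SMAP %s, SELinux enforcing %s\n",
           u.release, m & EXP_KERNEL_GE_3_8 ? "yes" : "no",
           cfg ? (m & EXP_KEYS_BUILTIN ? "yes" : "no") : "unknown (no config file)",
           m & EXP_SMEP ? "yes" : "no", m & EXP_SMAP ? "yes" : "no",
           m & EXP_SELINUX_ENFORCING ? "yes" : "no");
    free(cpu); free(cfg); free(enf);
    return 0;
}
```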

Comments closed
    • AJSB
    • 4 years ago

    AFAIK you have to have physical access to the PC to use this exploit.
    Correct me if I’m wrong.

      • chuckula
      • 4 years ago

      An attacker needs “local” access, which includes physical access but could also include getting a malicious piece of software to execute “locally” on the system even without a high level of privilege.

        • AJSB
        • 4 years ago

        Thanks for the clarification.
        Besides programs included in the distros, I only download known programs if they are not included in the repos (or if there’s a new version not yet in the repos, i.e. WINE), usually downloaded in src code and compiled by myself, so I should be safe.
        Anyway, they are working on patches for the kernels to solve the issue soon.

    • khelben1979
    • 4 years ago

    All these security threats… It’s good that they bring them to light, and also good that it’s getting discussed, but for some of the posts I’ve seen so far in reply, I’m hoping that it’s humour involved for anyone who would use this as any argument for not installing Linux. I’ve been running and using Linux for beyond 15 years now, and none of my systems have ever been hacked, neither my e-mail account nor any other software for that matter. What makes a system unsafe is how you configure it and how you use it. There’s some really bad Linux distros out there which make a terrible job including all sorts of stuff which you don’t want to have in there; at the same time you got good distros which spend 1000s of hours of working for free, trying to create the best system available for anyone. I think that many are spoiled and think that it’s always other people’s fault when the system isn’t working correctly, instead of helping out and trying to make the system and its available applications better and more secure. With Windows, starting with Windows XP when I first was serious in using Windows, I paid a lot of money for anti-virus, anti-spyware and I even had firewall software which I configured myself + hardware firewall and I still got trojans and viruses which made the system really bad to use only after 3 years. To not sail off too hard from this article topic, I would like to add that many of the security threats are getting way too much attention, instead of focusing on what really makes a system unsafe…

      • maxxcool
      • 4 years ago

      “I paid a lot of money for anti-virus, anti-spyware and I even had firewall software which I configured myself + hardware firewall and I still got trojans and viruses which made the system really bad to use only after 3 years.” Odd. I have had none since my 1st 486dx-66. Your argument is biased, based on your own user experience where you clicked bad things or went to bad places or were not patched. As a guy who fixes the broken machines for a whole small town’s worth of users, it is almost **always the user’s fault**. And when it is not, an ad-blocker would have solved it.. (yahoo home page, cnn home page, bbc home page, marketwatch homepage, ny-times homepage). As to NOT installing Linux, I offer one simple argument. If the user is too dumb to use Windows without getting infected, how is he/she going to keep up to snuff on Linux where the command line is still needed to harden devices in many cases?

    • DreadCthulhu
    • 4 years ago

    I have seen some skepticism that 66% of Android devices are susceptible to this exploit. Lollipop & Marshmallow have SELinux enabled, which negates this exploit, and most older versions of Android will be running an older version of the Linux kernel, which of course doesn’t have this exploit.

    • chuckula
    • 4 years ago

    Interesting. Apparently I’m not vulnerable on my home system since I compile a custom kernel that doesn’t even enable the keyring subsystem.

    Still have to make the rounds at work though.

      • Fonbu
      • 4 years ago

      Are you Gentoo?

        • chuckula
        • 4 years ago

        Arch actually. I’ve been custom compiling kernels for a LONG time [since 2.4 was considered “new”] on non-production machines both for fun and to keep somewhat informed about what is going on in the kernel.

        Doing the configuration has gotten a lot more complicated over the years since the Linux kernel does a whole lot more than it used to back in the day.

    • ronch
    • 4 years ago

    “Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Protection (SMAP) CPU features and SELinux should defeat this exploit.” What about AMD CPUs?

    • oldog
    • 4 years ago

    That does it I’m uninstalling Linux and running only Win 10.

    This is the year of the Windows desktop;)!

    • Flatland_Spider
    • 4 years ago

    It should be mentioned that this is a local exploit rather than a remote exploit. Not great, but better.

    • willmore
    • 4 years ago

    SELinux also protects against this.

      • morphine
      • 4 years ago

      Like it’s mentioned in the last sentence in the article? 🙂

        • willmore
        • 4 years ago

        Ninja edit.

    • DrCR
    • 4 years ago

    What about AppArmor?

    Just curious.

    • anotherengineer
    • 4 years ago

    Is this the same one mentioned yesterday in the forums?

    https://techreport.com/forums/viewtopic.php?f=7&t=117148

      • Flying Fox
      • 4 years ago

      Yes

    • DrDominodog51
    • 4 years ago

    I’m 100% sure Debian 8 ships with 3.18. I’m not sure what nixCraft was talking about.

      • willmore
      • 4 years ago

      Just checked and you are correct.

      The problem in your logic is that 3.18 is *newer* than 3.8. 18>8. So, 3.18 should be an affected version.

        • DrDominodog51
        • 4 years ago

        I’m just going to give up on any interest in the tech industry now. Time to send in my resignation. Good bye everyone.

        /s Damn numbering. I should have remembered 3.8x never was made.

          • morphine
          • 4 years ago

          If it’s any consolation, I wrote the news and that one tripped me up for a few seconds, too.

            • willmore
            • 4 years ago

            I still have nightmares about installing PostgreSQL back in the early 90s. It had layers and layers of patches and they had to be installed in order and the version numbers were x.y.z.k.r.l.m.n.q.a.b…

            • morphine
            • 4 years ago

            Yeah, and it doesn’t help that sometimes different projects have different version number conventions. It’s enough to drive a man mad, I say.

            • willmore
            • 4 years ago

            Mad, you say?

          • AJSB
          • 4 years ago

          Nothing wrong with version numbering system in “Linux World”.
          If it’s 3.8, it’s 3.8.
          If they said 3.80, then it would be different, zeros are important 😉
