Zero-Day Linux Kernel Vulnerability

Quoted from , , and

Zero-Day Linux Kernel Vulnerability Gives Attacker Root Access, Patch Incoming

By Silviu Stahie | Jan 19, 2016 14:56 GMT

Every OS with Linux kernel 3.8 or above is affected. A new zero-day Linux kernel vulnerability has been identified (CVE-2016-0728) by a group named Perception Point, and a patch should already be in preparation for Linux distributions.

Linux kernel vulnerabilities are not all that uncommon, and they are found and patched all the time. This is why the Linux-based operating systems are usually more secure than proprietary ones. Everything gets fixed as soon as it’s found, and not a minute later. On the other hand, zero-day vulnerabilities are not all that frequent, especially for the Linux kernel.

One of the things that Linus Torvalds has always insisted on is that security is not all that important for the Linux kernel, mostly because of its size. The fact that a zero-day kernel vulnerability has been found only means that there are probably others that have yet to be discovered.

In fact, the one from today, CVE-2016-0728, has been around since 2012, which only goes to show that Linus is probably right. “The people who care most about this stuff are completely crazy. They are very black and white. Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about,” Linus explained in an older interview.

Linux kernel 3.8 and higher are affected

The Perception Point Research team found the problem and reported it back to the Kernel security team, who are already working on a patch. The problem affects any operating system with Linux kernel newer than 3.8, so there are probably tens of millions of PCs exposed. The cherry on top is that about 66% of Android devices are also exposed.

CVE-2016-0728 is described as a local privilege escalation vulnerability, which means that, if the exploit is successful, the attacker can get root access to the OS. This is bad. The good news is that it looks like Perception Point Research is the first one that identified the issue, so it hasn’t been exploited until now.

Linux operating systems will soon get patched, but they have the same problem as all the other systems that are too popular for their own good. There’ll always be some that won’t get patched, and we all know that developers work forever on Android patches.

You can find more details about this new vulnerability on Perception Point Research website, and you can expect to see a patch for your distro really soon.



Zero-Day Flaw Puts Millions of Linux Machines, Android Devices at Risk

By Richard Adhikari  | Jan 21, 2016 5:00 AM PT

Tens of millions of Linux PCs and servers, as well as 66 percent of all Android mobile devices, are vulnerable to a zero-day flaw that could allow users with lower-level privileges to gain root access, according to Perception Point, which announced its discovery last week.

The local privilege escalation vulnerability, which affects Linux Kernel v3.8 and higher, has existed since 2012, the firm said.

However, SMEP (Supervisor Mode Execution Protection) and SMAP (Supervisor Mode Access Protection) will make it difficult to exploit Linux boxes, and Android devices are protected by SELinux, Perception Point noted.

SMEP and SMAP are native to Intel architecture CPUs deployed in desktops and servers to limit access to kernel resources from user space, remarked Bill Weinberg, principal analyst at Linux Pundit. ARM CPUs, used in mobile devices, offer their own architectural features — such as Security Extension and Data Abort Exceptions — for that purpose.

SELinux and versions of Android built with SELinux — as in Samsung Knox, for example — “would also mitigate the exploit by diluting the privileges that accompany root account access,” Weinberg told LinuxInsider.
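The two mitigations named above, SMEP and SMAP, only help on a host whose CPU actually offers them, and the articles give the affected kernel range as 3.8 and higher. The following C program is an added example, not code from any of the quoted articles or from Perception Point: it parses a kernel release string and the `flags` line of `/proc/cpuinfo` so an administrator can quickly triage a fleet. The function names and the sample `cpuinfo` text are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /proc/cpuinfo for a hypothetical CPU; a real file
 * repeats these lines once per logical CPU. */
static const char SAMPLE_CPUINFO[] =
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce nx lm smep smap\n"
    "bugs\t\t:\n";

/* Parse "major.minor" from a release string such as "4.4.0-21-generic".
 * Returns 1 if the kernel is in the range the articles call affected
 * (3.8 and higher), 0 if it is older, -1 if the string cannot be parsed.
 * Distributions backport fixes without bumping the version, so a 1 here
 * means "check the vendor advisory", not "definitely vulnerable". */
int kernel_in_affected_range(const char *release)
{
    int major, minor;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return -1;
    if (major > 3 || (major == 3 && minor >= 8))
        return 1;
    return 0;
}

/* Return 1 if any "flags" line lists flag as a whole token, so that "sme"
 * does not match "smep" and "sse" does not match "sse2". */
int cpuinfo_has_flag(const char *cpuinfo, const char *flag)
{
    size_t flen = strlen(flag);
    const char *line = cpuinfo;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if (end - line > 5 && strncmp(line, "flags", 5) == 0) {
            const char *colon = memchr(line, ':', (size_t)(end - line));
            const char *p = colon ? colon + 1 : end;
            while (p < end) {
                while (p < end && (*p == ' ' || *p == '\t')) p++;
                const char *tok = p;
                while (p < end && *p != ' ' && *p != '\t') p++;
                if ((size_t)(p - tok) == flen && strncmp(tok, flag, flen) == 0)
                    return 1;
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Read a small text file into buf; returns bytes read or -1 if it cannot be opened. */
static long read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    static char cpuinfo[1 << 16];
    char release[128];

    /* Prefer the live files; fall back to constructed values when they are absent. */
    if (read_file("/proc/sys/kernel/osrelease", release, sizeof release) < 0)
        strcpy(release, "4.4.0-21-generic");          /* constructed fallback */
    release[strcspn(release, "\n")] = '\0';
    if (read_file("/proc/cpuinfo", cpuinfo, sizeof cpuinfo) < 0)
        strcpy(cpuinfo, SAMPLE_CPUINFO);

    printf("kernel %s: %s\n", release,
           kernel_in_affected_range(release) == 1
               ? "in the affected range (>= 3.8); confirm the package is patched"
               : "outside the affected range");
    printf("CPU advertises SMEP: %s, SMAP: %s\n",
           cpuinfo_has_flag(cpuinfo, "smep") ? "yes" : "no",
           cpuinfo_has_flag(cpuinfo, "smap") ? "yes" : "no");
    return 0;
}
```

The flags line reports what the CPU supports, not what the running kernel has enabled; a kernel booted with the `nosmep` or `nosmap` parameters will leave those features off even though the flags are present, so treat the output as a first-pass inventory rather than proof of protection.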

Possible Exploits

The vulnerability discovered by Perception Point is listed as “CVE-2016-0728.”

Exploiting it would let a user with legitimate or lower privileges gain root access and compromise a server or PC; however, the attacker would need to gain local access to the server first.

The vulnerability exists in the keyring facility built into the Linux kernel.

Keyrings contain a list of other keys. They can be modified using various system calls, and they should not be given a payload when created.

Exploiting the vulnerability could cause the kernel to reference deallocated or reallocated memory, but implementation of SMEP and SMAP “would limit the scope of exploitation from vulnerabilities like CVE-2016-0728 by preventing illicit attempted access and/or execution of memory locations in or near the freed key structures that are targeted,” Weinberg pointed out.

“With these measures in place, a user-space program would only be able to corrupt the contents of the original key granted to it,” he explained.

Who’s at Risk

Red Hat Enterprise Linux 5 and 6 are not vulnerable to the flaw, but Red Hat Enterprise Linux 7 is at risk, according to the company. The flaw in RHEL 7 will be addressed in a future update.

Meanwhile, Red Hat has come up with a patch that works with Fedora 22 and RHEL 7.

A number of other Linux distros that are not vulnerable are listed here.

“This is a local privilege escalation vulnerability, which tells us you probably need normal user-level access to a system before you could even think about using it,” observed Adrian Sanabria, an analyst at 451 Research.

“That alone means there’s no need for Shellshock- or Heartbleed-level urgency here,” he told LinuxInsider.

It appears there is no imminent threat, as Perception Point was “just pointing out what percentage of systems is potentially affected,” Sanabria said. “I wouldn’t be surprised if the vast majority gets patched without incident.”

However, writing off the threat might not be a good idea.

“Just because no one’s seen an exploit doesn’t mean they don’t exist in the wild,” Weinberg cautioned. “Successful black hats are stealthy ones.”

On the other hand, “I hesitate to panic over each and every zero-day that surfaces, even for kernel code,” he added.

Although the vulnerability isn’t much of an issue for the majority of environments, “for multiuser Linux systems where all users aren’t trusted insiders … it’s a pretty big issue,” Sanabria acknowledged. However, “there aren’t a ton of nonvirtualized or segmented multiuser Linux systems out there anymore.”

An attack exploiting this vulnerability would be “very noisy, and should be easy to detect and prevent with host-based intrusion software,” he noted.

That said, users should patch their systems as soon as a patch becomes available.



Ghost in the Machine: Linux Zero-Day Vulnerability Opens Door for Attack


On Tuesday, Jan. 27, a zero-day vulnerability (CVE-2015-0235) was disclosed in the Linux operating system that allows malicious code to be executed on servers that use the GNU C Library (glibc) functionality. Linux programs that contain glibc are also affected. The specific call, gethostbyname(), can be triggered by any type of Domain Name System (DNS) resolution within the code, although the primary effect is on systems that accept host names from clients and attempt to resolve them through DNS. In reference to the GetHOST functionality, the vulnerability has been nicknamed “Ghost.”

Technical Description

According to Red Hat Bugzilla, a heap-based buffer overflow was found in glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.

There are at least three use cases. “Modern” applications likely use getaddrinfo() instead of gethostbyname(). Slightly less modern applications usually call inet_aton() first and only call gethostbyname() after inet_aton() fails. Both of these types of applications are more likely to be safe. The ones most likely to be vulnerable are older applications that use gethostbyname() and are used “itinerantly” or applications that are maintained “not much at all.”
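The "modern" pattern described above, in working form: the C program below is an added example, not code from the article, from Qualys or from glibc. It checks for a numeric literal first with `inet_pton()` (the IPv6-capable and stricter cousin of the `inet_aton()` check the paragraph mentions), applies a syntactic hostname check before any resolver call, and hands only well-formed names to `getaddrinfo()`; `gethostbyname()` is never called. The function names, the length limits and the sample inputs are this example's own assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* RFC 1035 limit on the textual form of a name; each label is 1..63 octets. */
#define MAX_HOSTNAME_LEN 253

enum host_kind { HOST_INVALID = -1, HOST_NAME = 0, HOST_IPV4 = 4, HOST_IPV6 = 6 };

/* Syntactic check applied before any resolver call: length caps, only
 * letters/digits/hyphen/dot, no empty labels, no label starting or ending
 * with '-' (an optional trailing dot is accepted). */
int valid_hostname_syntax(const char *s)
{
    size_t n = strlen(s), label = 0;
    if (n == 0 || n > MAX_HOSTNAME_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || label > 63 || s[i - 1] == '-')
                return 0;
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            label++;
        } else {
            return 0;   /* leading '-', whitespace, or any other character */
        }
    }
    return label <= 63 && s[n - 1] != '-';
}

/* Numeric literals take the inet_pton() fast path, which never touches the
 * resolver; everything else must pass the syntax check to count as a name. */
enum host_kind classify_host(const char *s)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, s, &a4) == 1)
        return HOST_IPV4;
    if (inet_pton(AF_INET6, s, &a6) == 1)
        return HOST_IPV6;
    return valid_hostname_syntax(s) ? HOST_NAME : HOST_INVALID;
}

/* Resolve s into a printable address in out (outlen >= INET6_ADDRSTRLEN).
 * Literals are canonicalised locally; names go to getaddrinfo().
 * Returns 0 on success, -1 if rejected or unresolvable. */
int resolve_host(const char *s, char *out, size_t outlen)
{
    struct in_addr a4;
    struct in6_addr a6;
    switch (classify_host(s)) {
    case HOST_IPV4:
        inet_pton(AF_INET, s, &a4);
        return inet_ntop(AF_INET, &a4, out, (socklen_t)outlen) ? 0 : -1;
    case HOST_IPV6:
        inet_pton(AF_INET6, s, &a6);
        return inet_ntop(AF_INET6, &a6, out, (socklen_t)outlen) ? 0 : -1;
    case HOST_NAME: {
        struct addrinfo hints, *res;
        memset(&hints, 0, sizeof hints);
        hints.ai_family = AF_UNSPEC;
        hints.ai_socktype = SOCK_STREAM;
        if (getaddrinfo(s, NULL, &hints, &res) != 0)
            return -1;
        int rc = -1;
        if (res->ai_family == AF_INET) {
            struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
            rc = inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)outlen) ? 0 : -1;
        } else if (res->ai_family == AF_INET6) {
            struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)res->ai_addr;
            rc = inet_ntop(AF_INET6, &sin6->sin6_addr, out, (socklen_t)outlen) ? 0 : -1;
        }
        freeaddrinfo(res);
        return rc;
    }
    default:
        return -1;
    }
}

int main(int argc, char **argv)
{
    /* Constructed inputs: two literals, one name, one malformed string. */
    const char *samples[] = { "127.0.0.1", "::1", "localhost", "not a host!" };
    const char **list = argc > 1 ? (const char **)(argv + 1) : samples;
    int count = argc > 1 ? argc - 1 : (int)(sizeof samples / sizeof samples[0]);
    char buf[INET6_ADDRSTRLEN];
    for (int i = 0; i < count; i++) {
        if (resolve_host(list[i], buf, sizeof buf) == 0)
            printf("%-16s -> %s\n", list[i], buf);
        else
            printf("%-16s -> rejected or unresolvable\n", list[i]);
    }
    return 0;
}
```

The syntax check is a defence-in-depth measure for servers that accept host names from clients (the SMTP HELO/EHLO case the article goes on to describe): it is not a substitute for the vendor patch, because an application that still reaches `gethostbyname()` elsewhere remains exposed, but it keeps oversized or malformed strings from ever reaching the resolver.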

Affected Servers and Products

Affected versions include glibc-2.2, released on Nov. 10, 2000. Although a patch for this zero-day vulnerability was already issued on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18), many systems in operation remain unpatched because it was not recognized as a security threat at the time. Newer systems likely shipped with the vulnerability fixed, but this vulnerability remains a threat to older systems and applications, especially in light of the shift from gethostbyname() to getaddrinfo() in applications.

The glibc libraries are used by a wide range of services, and the pervasiveness of the glibc library is reminiscent of the Shellshock zero-day vulnerability. Ghost is further complicated by the nature of the affected services. Any protocol that allows or requires the client to specify a host to the server to be resolved via DNS is at risk. This includes both the obvious Simple Mail Transfer Protocol HELO/EHLO commands and more subtle protocols where a server will accept a host name from a client to resolve later or pass it on to other servers that would eventually attempt to resolve them via DNS.

The nature of glibc and its use means that applying such a patch requires a reboot of the entire affected server, which can hinder many organizations from applying necessary patches due to the disruptive nature of the fix. However, it is more desirable to reboot a server than to have the network compromised by a malicious actor.

Zero-Day Vulnerability Exploitation

The vulnerability can be exploited both locally and remotely through all the gethostbyname*() functions, but this is difficult due to several factors. Only 4 to 8 bytes can be overwritten, and the values written are limited to ASCII periods, digits and the terminating NULL character.

In one attack vector, a buffer overflow can be triggered by using a host name argument that appears valid to glibc yet is just off enough to trigger the overflow. This attack could ultimately let the attacker gain complete control over the compromised system by supplying the exploited server with malicious code to execute. All of this can happen without the attacker having any prior knowledge of system credentials, although each case presents its own challenges for exploitation.

Qualys, which discovered the bug, developed a proof-of-concept exploit that was able to bypass all existing protections. Although the Qualys bypass addressed a handful of specific and common applications, it appears at this point that exploitation attempts must be tightly tailored to the memory layout of the application under attack.

Recommendations for Clients

Although there may be operational impact, it is important to apply vendor patches. Administrators should be prepared for the inevitable reboots required on servers. Many vendors, such as Red Hat, Debian, Ubuntu and Novell, have released patches that include the original fix from 2013. In addition, clients are encouraged to:

  • Leverage an endpoint solution to automatically deploy the patch to remediate noncompliant systems.
  • Maintain a current and accurate asset inventory and enforce continuous security configuration compliance through real-time monitoring and reporting of all endpoints. A noncompliant endpoint is automatically quarantined to safeguard against further vulnerabilities until remediation is complete.
  • Create and practice a broad incident response plan. All activities related to vulnerability disclosures and active attacks must be guided by processes involving all levels of your organization and guided by clear procedures for a variety of situations. Test the procedures often to make sure you are not working out the kinks when an actual emergency arises.
  • Implement mitigating controls. Firewalls, intrusion prevention systems and endpoint protection all can help protect against new threats during the period between the vulnerability disclosure and when you’re able to apply vendor patches.



Zero-day vulnerability lets Linux applications gain root access

By | Jan 19, 2016

Zero-day vulnerability affects Linux and Android

Security is a never-ending battle for any operating system, including Linux. A new report notes that Android and Linux are both vulnerable to a zero-day exploit that allows applications to escalate privileges to gain root access.

Maria Korolov reports for CSO:

A new zero-day vulnerability has been discovered that allows Android or Linux applications to escalate privileges and gain root access, according to a report released this morning by Perception Point.

Any machine with Linux Kernel 3.8 or higher is vulnerable, he said, including tens of millions of Linux PCs and servers, both 32-bit and 64-bit.

Although Linux lags in popularity on the desktop, the operating system dominates the Internet, mobile, embedded systems and the Internet of Things, and powers nearly all of the world’s supercomputers.

Using this vulnerability, attackers are able to delete files, view private information, and install unwanted programs. According to Pats, this vulnerability has existed in the Linux kernel since 2012.

Pats said that the Linux team has been notified, and patches should be available and pushed out soon to devices with automatic updates. Perception Point has also created proof of concept code that exploits this vulnerability to gain root access.

More at CSO

You can get much more detail from the Perception Point report:

The Perception Point Research team has identified a 0-day local privilege escalation vulnerability in the Linux kernel. While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit.

As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets). While neither we nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.

In this write-up, we’ll discuss the technical details of the vulnerability as well as the techniques used to achieve kernel code execution using the vulnerability. Ultimately, the PoC provided successfully escalates privileges from a local user to root.

CVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, let’s cover some background required to understand the bug.

Quoting directly from its manpage, the keyrings facility is primarily a way for drivers to retain or cache security data, authentication keys, encryption keys and other data in the kernel. System call interfaces – keyctl syscall (there are two other syscalls that are used for handling keys: add_key and request_key. keyctl, however, is definitely the most important one for this write-up.) are provided so that userspace programs can manage those objects and use the facility for their own purposes.

Why Linux gamers should hold off on preordering the Oculus Rift

Linux gamers shouldn’t get too excited about the Oculus Rift, according to PCWorld. Linux support might happen, but won’t be available when the Oculus Rift first becomes available. So you might want to hold off on those preorders until there’s an official announcement that Linux will be supported.

Chris Hoffman reports for PCWorld:

News of Oculus Rift preorders is bittersweet at best for Linux users. The first consumer version of the Rift will be Windows-only, with Linux support a vague promise for the future. But it wasn’t always this way.

In the beginning, Linux support was something Oculus was actively developing. The original Oculus SDK released in mid-2013 (Version 0.2.3) added support for Linux. Red Hat’s Richard Jones blogged about his experience with it in August of that year: “Surprisingly, using Linux is not a problem at all,” he wrote, finding it offered a basically plug-and-play experience on Linux. “How the world has moved on,” he wrote.

Then Oculus changed its mind. In a May 2015 blog post titled “Powering the Rift,” Oculus came right out and said it was prioritizing Windows support over all else. “Our development for OS X and Linux has been paused in order to focus on delivering a high-quality consumer-level VR experience at launch across hardware, software, and content on Windows.”

Oculus didn’t cancel Linux support altogether, but it made no firm promises. “We want to get back to development for OS X and Linux,” the blog post said, “but we don’t have a timeline.” In December 2015, Oculus CEO Palmer Luckey reiterated Linux support, but with no more certainty than “Linux support is on the roadmap post-launch.”

More at PCWorld

LinuxInsider reviews Deepin 15 (Depth OS)

The distribution once known as Deepin is undergoing something of a name change, according to a review of the latest version by LinuxInsider. Depth OS is apparently the new name. LinuxInsider examined the naming issue in a full review of Depth OS (Deepin 15).

Jack M. Germain reports for LinuxInsider:

The latest release of the Linux distro now called “Depth OS” deserves serious consideration. It is fast, reliable and innovative, with an impressive homegrown desktop design dubbed “Deepin Desktop Environment,” or DDE.

Depth OS has a bit of an identity problem. It’s not well known outside Asia and Europe, but that’s not the major cause of confusion.

The problem is that the open source community that developed the distro seems to have a difficult time deciding what to call it. It has had several names, including “Hiweed GNU/Linux,” “Linux Deepin,” “Deepin” and now “Depth OS.”

It seems that many of the community support staff never got the memo. Most of the website and the OS itself still are labeled as “Deepin.” When the community released the latest version last month, it was called “Deepin version 15.” As of this writing, it still was. A half-hearted name-change process is ongoing.

More at LinuxInsider

Did you miss a roundup? Check the Eye On Open home page to get caught up with the latest news about open source and Linux.


