Zero-Day Flaw Puts Millions of Linux Machines, Android Devices at Risk
Jan 21, 2016 5:00 AM PT
Tens of millions of Linux PCs and servers, as well as 66 percent of all Android mobile devices, are vulnerable to a zero-day flaw that could allow users with lower-level privileges to gain root access, according to Perception Point, which announced its discovery last week.
The local privilege escalation vulnerability, which affects Linux Kernel v3.8 and higher, has existed since 2012, the firm said.
However, SMEP (Supervisor Mode Execution Protection) and SMAP (Supervisor Mode Access Protection) will make it difficult to exploit Linux boxes, and Android devices are protected by SELinux, Perception Point noted.
SMEP and SMAP are native to Intel architecture CPUs deployed in desktops and servers to limit access to kernel resources from user space, remarked Bill Weinberg, principal analyst at Linux Pundit. ARM CPUs, used in mobile devices, offer their own architectural features -- such as Security Extension and Data Abort Exceptions -- for that purpose.
SELinux and versions of Android built with SELinux -- as in Samsung Knox, for example -- "would also mitigate the exploit by diluting the privileges that accompany root account access," Weinberg told LinuxInsider.
The vulnerability discovered by Perception Point is listed as "CVE-2016-0728."
Exploiting it would let a user with legitimate or lower privileges gain root access and compromise a server or PC; however, the attacker would need to gain local access to the server first.
The vulnerability exists in the keyring facility built into the Linux kernel.
Keyrings contain a list of other keys. They can be modified using various system calls, and they should not be given a payload when created.
Exploiting the vulnerability could cause the kernel to reference deallocated or reallocated memory, but implementation of SMEP and SMAP "would limit the scope of exploitation from vulnerabilities like CVE-2016-0728 by preventing illicit attempted access and/or execution of memory locations in or near the freed key structures that are targeted," Weinberg pointed out.
"With these measures in place, a user-space program would only be able to corrupt the contents of the original key granted to it," he explained.
Who's at Risk
Red Hat Enterprise Linux 5 and 6 are not vulnerable to the flaw, but Red Hat Enterprise Linux 7 is at risk, according to the company. The flaw in RHEL 7 will be addressed in a future update.
Meanwhile, Red Hat has come up with a patch that works with Fedora 22 and RHEL 7.
A number of other Linux distros that are not vulnerable are listed here.
"This is a local privilege escalation vulnerability, which tells us you probably need normal user-level access to a system before you could even think about using it," observed Adrian Sanabria, an analyst at 451 Research.
"That alone means there's no need for Shellshock- or Heartbleed-level urgency here," he told LinuxInsider.
It appears there is no imminent threat, as Perception Point was "just pointing out what percentage of systems is potentially affected," Sanabria said. "I wouldn't be surprised if the vast majority gets patched without incident."
However, writing off the threat might not be a good idea.
"Just because no one's seen an exploit doesn't mean they don't exist in the wild," Weinberg cautioned. "Successful black hats are stealthy ones."
On the other hand, "I hesitate to panic over each and every zero-day that surfaces, even for kernel code," he added.
Although the vulnerability isn't much of an issue for the majority of environments, "for multiuser Linux systems where all users aren't trusted insiders ... it's a pretty big issue," Sanabria acknowledged. However, "there aren't a ton of nonvirtualized or segmented multiuser Linux systems out there anymore."
An attack exploiting this vulnerability would be "very noisy, and should be easy to detect and prevent with host-based intrusion software," he noted.
That said, users should patch their systems as soon as a patch becomes available.