5-Year-Old Critical Linux Vulnerability Patched (threatpost.com)
msm1267 quotes Kaspersky Lab's ThreatPost: A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years.
Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011.
A patch was pushed to the mainline Linux kernel December 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes. The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.
"Basically it's a bait-and-switch," the researcher told Threatpost. "The bug allows you to trick the kernel into thinking it is working with one kind of object, while you actually switched it to another kind of object before it could react."
Re: (Score:3, Informative)
The amazing thing to me is that the Linux kernel doesn't even have a test suite like GCC or binutils (correct me if I'm wrong).
There is a test suite here [archlinux.org].
Re: (Score:1, Interesting)
If you want to go this way, maybe Gentoo could be considered a test suite, surely not Arch Linux.
People, please stop praising Arch for the wrong reasons.
Namely here, Arch delivers binaries, and this for a quite restricted set of architectures.
Even with AUR, you'll get mainly people compiling for the same platforms, with the same options, and mostly compiling apps, not the kernel.
Obviously posting as AC, with the number of arch fanboys, this will get downvoted to hell.
Re:Not surprising (Score:5, Interesting)
In my OS class during my UG CS degree we were writing a small OS. By the time we got to threading we were bitching about how hard it was in *nix so our prof cracked the hood on the Windows threading APIs... We collectively shut the hell up when we saw how hideous and needlessly complicated it was compared to what we were working with.
It turns out that Linux has WAY fewer bugs than Windows or Mac despite being dreams and wishes...and this is with a completely open code base. https://www.cvedetails.com/
Windows is a colostomy bag of code in comparison, and if you think you've found a way to improve some part of Linux you should write it up and submit a patch.
Re: (Score:1)
Not everyone who dislikes Linux' design is a MS-shill. Could also be Andrew S. Tanenbaum.
Re: (Score:2)
He posts a successful rebuttal to your anonymous MS-shill bullshit
The post which he allegedly rebutted doesn't say anything about Windows. So, no, it was not a successful rebuttal.
Haha oh man the excuses (Score:2, Insightful)
What happened to the "many eyes" argument? Oh yeah, that died along with Heartbleed and the old SSL codebase.
Re: (Score:1)
Need MORE eyes.
Good security needs both careful design and more eyes.
Re: (Score:2)
Part of the issue for this particular bug is that few really looked at it for a simple reason: You have to have CAP_RAW_PACKET in order to exploit it, and to get that you had to be root (until recently).
Re: (Score:1)
You have no idea what you're talking about. I started with it before it was even released in 1992. It's been very much tested and reviewed. That doesn't mean you catch everything. There are things that happen that you never anticipated. An error occurs. If you can exploit it, you might be able to do something unexpected such as take over the kernel space. If you do, tell them about it and we'll fix it. It's becoming very very hard to break out of that jail.
This is in huge contrast to the Windows kernel. Jus
Re: (Score:1)
So where's the great assertion that open source code is being eyeballed by millions of users so that it's intrinsically better than closed source as all these viewers would spot the error and report it or fix it if this has been in the kernel for many years and as yet unfixed.
I think in reality Open source has many users but very few are capable of reading the code and spotting the errors any more than the equivalent Windows users are, so the whole premise that Open Source code is any better than closed sou
Re: (Score:2)
I think in reality Open source has many users but very few are capable of reading the code and spotting the errors any more than the equivalent Windows users are, so the whole premise that Open Source code is any better than closed source code is a fallacy!
Windows has many users, but very few are capable of reading code and spotting errors; too bad they can't fix it. At least on Linux, as few knowledgeable people as may be using it, they have that option.
Spoiler warning (Score:2)
Re: (Score:2)
Mac user: Oh yeah? Let me see...
(open Contacts application)
Mac user: You're right, I don't know anyone named Jack.
Re: (Score:1)
Back Orifice.
Just saying.
Bug discovered, 4 days later, patch released. (Score:5, Insightful)
The real story here is that 4 days after the vulnerability was made known to the devs, a patch was released.
Re: (Score:1)
No. That's the story you want people to talk about as a distraction to the real story. "Look guys. As soon as someone bothered to actually check the code we fixed it so fast!!" SO FAST!!!
Re: (Score:1)
I'd have to use Linux to be the one crying.
Re: (Score:2)
The real story here is that 4 days after the vulnerability was made known to the devs, a patch was released.
Why? If no bad guys have found it, the difference between four days and three months makes little difference. If the bad guys have found it (or worse yet, planted it), the difference between five years and four days and five years and three months also makes little difference. Not the kind of casual bad guys that deal with cryptolockers and botnets and identity theft; if they found it you'd probably see it in the wild and exposed. But targeted attacks for industrial espionage and such could probably use it
Re: (Score:1)
The point is the bad guys had no better visibility than everyone else, unlike closed source, where bad guys, by definition, will gladly steal the codebase or traffic in it, and the codemonkeys at the business are busy writing new code or fixing bugs that users have already found and complained enough about to go and do an audit of the code, which doesn't generate new income.
The whole thing shows that open source or closed, the problem is identical. People generally aren't looking at the code from a security perspective, except those few doing security research or bad actors; both of those groups have all the code access they require.
Re: (Score:2)
I don't see it for Debian stable/Jessie so far. :P
Be careful... (Score:1)
bug cannot be exploited remotely (Score:1, Insightful)
Re:bug cannot be exploited remotely (Score:4, Insightful)
If an attacker is in the same room as your system, you're already pwnd.
This bug can't be exploited remotely. Other bugs can, to get a local user shell, then you stack this one on top.
They're all problems.
Re: (Score:2)
In 99.9% of cases, if you pwn that local user, you control everything that server is doing. Applies to client machines, too.
Re: (Score:2)
You could be ssh'd into the machine as a user, and this will give you root privileges. No physical proximity needed.
The five year old ... (Score:2)
... is out of intensive care and is rocking the eye patch.
it's ruining everything! (Score:1)
The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel
racism is ruining our country... and now our kernel too? IS NOTHING SACRED ANYMORE?! ;)
Classic TOCTTOU (Score:4, Informative)
So basically, a classic, well known TOCTTOU vulnerability [wikipedia.org].
Ho hum (Score:2)
"He said the bug cannot be exploited remotely."
In other words, "yawn". If you have physical access to a machine all bets are off.
Did Microsoft pay to have the article written this way? (Score:2)
Versions affected (Score:2)
In case anyone cares, this code was first introduced in Linux 3.2.
This is for those of us who use uname -r to check our kernel version, not the year it was checked out from the kernel repos.
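As an added example (not from the thread or from Threatpost), a POSIX shell check that reduces a `uname -r` string to major.minor and compares it numerically, so that 3.10 is not mistaken for something older than 3.2. The introduction version 3.2 comes from the comment above; the fixed version is not given on this page, so `FIXED_VERSION` is a placeholder to be filled from your distribution's advisory.

```shell
#!/bin/sh
# Added example: is the running kernel at or after the release in which
# the af_packet code first appeared (3.2, per the comment above) and
# before the fixed release? FIXED_VERSION is a placeholder; take the
# real value from your distro's advisory.
FIXED_VERSION="${FIXED_VERSION:-99.99}"   # placeholder, not a real fix version

# Reduce a release string such as "4.4.0-51-generic" or "3.2.0-4-amd64"
# to "major.minor", dropping the patch level and any distro suffix.
major_minor() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+).*/\1.\2/'
}

# Returns 0 (true) if version $1 >= version $2. Major and minor are
# compared as integers; a string compare would rank 3.10 below 3.2.
version_ge() {
    a_maj=${1%%.*}; a_min=${1#*.}
    b_maj=${2%%.*}; b_min=${2#*.}
    [ "$a_maj" -gt "$b_maj" ] && return 0
    [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -ge "$b_min" ]
}

# Returns 0 when the release string names a kernel that carries the
# code path: introduced in 3.2 and older than FIXED_VERSION.
kernel_in_range() {
    mm=$(major_minor "$1")
    version_ge "$mm" "3.2" && ! version_ge "$mm" "$FIXED_VERSION"
}

# Stand-alone use: report on the kernel this script runs on.
if kernel_in_range "$(uname -r)"; then
    echo "kernel $(uname -r): in the affected range, check your distro advisory"
else
    echo "kernel $(uname -r): outside the affected range"
fi
```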