It’s the end of the world. Again. According to some Linux developers and security researchers, a bug in the Linux kernel has just been uncovered that makes just about every distribution utilizing kernel 2.4 and 2.6 on just about all architectures since May of 2001 vulnerable to a certain kind of attack. I’m not any sort of developer, so basically all of this makes no sense to me except that whatever comprises the aforementioned bug allows an attacker to escalate local privileges and completely compromise the entire system. Julien Tinnes, a security researcher who does know his way around kernel code, wrote the following details about the bug.
At first sight, the code in af_ipx.c looks correct and seems to initialize .sendpage properly. However, due to a bug in the SOCKOPS_WRAP macro, sock_sendpage will not be initialized. This code is very fragile and there are many other protocols where proto_ops are not correctly initialized at all (vulnerable even without the bug in SOCKOPS_WRAP)… Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.
Rodney Taylor, from security research at Secorix, said that the bug “passes my it’s-not-crying-wolf test so far,” and that he’d definitely check his enterprise Linux systems (providing he had any), see if it was related, and see if he needed to get a patch.
Lucky for us, there already is a patch, and it should be implemented into all future kernels from here on out.
Makes me happy to be alive.
It looks like it could be pretty serious, but at least it requires a local account to escalate privileges from in the first place.
Still a big deal, but not the end of the world.
These kinds of bugs happen often in the Linux kernel. What makes this one special is the fact that virtually _all_ versions since 2.4 are affected.
This means that as long it is not patched, a huge majority of linux machines might be vulnerable, making an attack more likely to succeed…
It’s the same reason why so much malware exists on Windows: as soon as you write malware for it, you know you can affect a vast majority of machines.
Windows popularity may relate to the number of attempts against it but the more important thing to consider is number of successful attacks and how long they remain effective. A hundred attacks is not a problem; 90 of those attacks being successful and remaining unpatched while known is a real problem.
The “Windows only has high malware counts because it’s popular” myth tends to oversimplify and ignore the fact that success rates for those attacks remain high also.
I don’t think actively-exploited vulnerabilities go unpatched for a long time. More often than not, the mass of exploitation occurs a few months after the patch has been released, as malware authors determine what’s vulnerable from BinDiffing the patched binary against the original.
This also assumes systems are actively being patched and things like UAC flaws are not a “feature” ignored by the vendor. Or that flaws in the network driver are publicly denounced while leaving the customer base wide open for six months, then quietly slipping a patch out.
We’re still consistently seeing faster patch times on other platforms and more interest in addressing reported vulnerabilities. Attempts are not relevant, success rates and time to live are much more important.
More recent kernels have a protection against this exploit, if they contain the mmap_min_addr feature and it is set correctly.
You can check your kernel via this:
# cat /proc/sys/vm/mmap_min_addr
65536
While we have not gotten any official word from Redhat, I did some spot checking and it looks like RHEL 4.8, RHEL 5.2, and RHEL 5.3 have this parameter set correctly.
But, beware, any use of SELinux will bypass the protections given by this kernel feature.
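As an added example (not code from the thread), here is a small POSIX shell script that reports the two things this post raises: whether mmap_min_addr is non-zero, so an unprivileged process cannot map page zero, and whether SELinux is present and enforcing, since the post warns that SELinux can bypass that protection. The file paths are parameters so the checks can be run against constructed sample files; /sys/fs/selinux/enforce is an assumed default location for the SELinux enforce flag.

```shell
#!/bin/sh
# Added example, not from the thread: report the mmap_min_addr mitigation
# and the SELinux state that the thread says can override it.

# Print "ok" when the file holds a non-zero address (page zero cannot be
# mapped by unprivileged code), "weak" when it holds 0, and "unreadable"
# when the file is missing or not a number.  Exit status follows the result.
mmap_min_addr_status() {
    f="${1:-/proc/sys/vm/mmap_min_addr}"
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        ''|*[!0-9]*) echo "unreadable"; return 1 ;;
    esac
    # Any non-zero value blocks page zero; the thread reports 65536 as the
    # value shipped on RHEL 4.8, 5.2 and 5.3.
    if [ "$v" -gt 0 ]; then
        echo "ok"; return 0
    fi
    echo "weak"; return 1
}

# Print "enforcing", "permissive", "unknown" or "absent" for the SELinux
# enforce flag.  Default path is an assumption (selinuxfs on modern kernels).
selinux_state() {
    f="${1:-/sys/fs/selinux/enforce}"
    if [ -r "$f" ]; then
        case "$(tr -d '[:space:]' < "$f")" in
            1) echo "enforcing" ;;
            0) echo "permissive" ;;
            *) echo "unknown" ;;
        esac
    else
        echo "absent"
    fi
}

# Combine both checks into one human-readable verdict for the live system.
report() {
    m=$(mmap_min_addr_status) || :
    s=$(selinux_state)
    echo "mmap_min_addr: $m"
    echo "selinux: $s"
    if [ "$m" = "ok" ] && [ "$s" = "absent" ]; then
        echo "verdict: low-address mappings blocked by the sysctl"
    elif [ "$m" = "ok" ]; then
        echo "verdict: sysctl is set, but SELinux policy may still permit low mappings"
    else
        echo "verdict: page zero may be mappable; rely on a patched kernel"
    fi
}

report
```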
Are you being sarcastic about SELinux, or does enabling it somehow disable the mmap-min-address countermeasure?
No, he isn’t.
SELinux does disable that for its own secret reasons.
Anyways, what strikes me is that nobody noticed before. Trying to allocate the 0th page sounds like something that would happen often (in buggy code) and that would sound many alarms if successful. Especially as we know it would fail on some systems.
All the exploit is a bit unbelievable but that particular point is amazing.
Yeah, it’s useful for embedded systems somehow. So that’s why it’s not an automatic crash in Linux. I remember this issue coming up a while ago, but not the specific reason why.
What I find interesting about this is that every Linux fanboy usually argues that WinXP is insecure because it runs as admin by default. (Personally I find that argument bogus since it does not take into account the value of the “to be protected” content, but that is another discussion.)
Now, since this Linux vulnerability pretty much says “assuming that I have local access I can get root for free”, won’t that in practice mean that every remote exploit in any common user level application (including server applications) is in practice a remote root exploit for the last 8 years? Considering that after you compromised the local user account through an application level exploit you can further gain root access on every Linux release for the last 8 years… not unlike exploiting a user level application on WinXP and gaining admin privileges?
My point is that this vulnerability may appear to be harmless since it “requires local access”, but won’t this have a deeper significance since the whole “Linux is more secure than WinXP because WinXP runs as admin by default” argument pretty much is dead, considering that this vulnerability existed for the same 8 years as the WinXP issue?
Just my 2c.
Edited 2009-08-14 05:04 UTC
True, but now Linux fanboys like me can take a different tack: The Worst Bug Ever in Linux is patched. UAC still has a gaping intentional loophole so Microsoft can let Notepad.exe run as admin. When a security hole is found in Linux, it gets fixed. When one is found in Windows, Microsoft either clams up, blames the users, or issues a patch years late.
LMFAO. Nice wording.
Admitting to being a fanboy while proving a point is always funny. [No real arguments against your point, though.]
Edited 2009-08-14 05:37 UTC
The problem is you think that *this* is the worst bug ever found.
You don’t know what you don’t know. There could be plenty more egregious ones out there, ones that can rival Windows ones.
It may be the worst bug found so far.
And there could be plenty more egregious ones in Windows that haven’t been discovered as well.
Well done for making a non-point.
No, this is not the worst by far. It is a privilege escalation bug; that’s pretty common and not that dangerous to the common Linux user. It only makes trojans more dangerous, but the viruses and trojans have to get in first. This mainly means local users can get more privileges, but local users are usually employees or device owners.
No, the most serious bug in Linux was the big one in ssh, which allowed remote access to most Linux servers (used in Matrix 2, btw).
That wasn’t a kernel bug, and wasn’t even a bug that affected upstream – you didn’t even realize it was actually SSL, not SSH…
That bug was specific to distros based on Debian, because the maintainer of SSL decided to cut corners to make maintenance easier for himself.
Anyway, when Microsoft finally patches the UAC bug that allows escalated privileges – apparently by design – then Windows users can feel free to point at things like this in Linux.
Since Microsoft has stated the flaw is there on purpose, it’ll never get patched… this flaw is already patched, it just needs to be applied to current installations.
No, I am talking about another much older vulnerability. Note I said the bug was featured in Matrix 2 as a way of hacking? It was discovered in 2001 or 2002, and compromised ssh upstream, making not only Linux but even OpenBSD vulnerable.
Edited 2009-08-16 16:32 UTC
Your FUD / lies about Windows aren’t appreciated.
There are no known bugs that allow privilege escalation across security boundaries on Windows. A standard user account cannot attain admin privileges without admin credentials. And there are no known vectors for going from Low IL to Medium/High IL without user consent in the default configuration (there are medium -> high vectors on Win7, but they’re by design – an option exists to disable them in the UAC control panel. But for most users that is a non-issue. Running High IL apps on the same desktop is risky to begin with since ILs are not a security boundary).
You completely misunderstand UAC if you think that is the case.
Running apps with different privileges on the same desktop is risky on all major OSes. But it’s actually less risky on Windows than on most other OSes thanks to the secure desktop consent prompt (much safer than the non-SAS password model used on most *nix OSes and OS X), UIPI, etc.
Still, on any OS, if you’re super paranoid then you’re best off using separate user accounts and avoiding sudo / UAC like mechanisms.
How is XP relevant to the Linux kernel bug being patched? Why go into snippets of opinions on an ongoing debate? All that matters is, it got fixed/patched. Even though this was Linux, it’s still an eye opener for the industry as a whole.
Hmm.. You would be right if it was a bug that was KNOWN for 8 years. Fact is – this bug was only discovered a short while ago and is already being taken care of…
I am sure there are a LOT of yet undiscovered bugs in EVERY OS now at this moment! If you are using Windows, OSX, Beos, BSD or whatever there WILL be undiscovered bugs in it – waiting to be exploited. No OS will escape that.
The problem is – you cannot use an undiscovered vulnerability because – it’s undiscovered. Simple. So saying Linux was vulnerable for 8 years is simply not true, because to use this as an exploit you have to know it exists. And nobody knew about it until very recently.
To put it differently – if you are saying Linux was vulnerable for 8 years, I can safely claim every OS on this planet is absolutely 100% unsafe because there are bugs in it that have not been discovered yet. Nobody knows about them or how they will work, but they are there, so they can be exploited right at this moment!
I am not saying Linux is more safe because it is perfect. No – Linux is safe because the moment something like this is discovered it is published and everybody is going to work on it to solve the problem as soon as possible.
Sorry – I had to react to this…
That is a valid point, however, the fact that it was just published does not mean that no one else has known about it for years.
But I do see your point.
That’s not quite true. Bugs that are not *public* might and are often already discovered and exploited by a few individuals only. It can stay like this for years.
There’s not much you can do against it.
You can scratch your design and make one less bug-prone, or invent something no one else thought about that’s 100% secure (good luck with that)
Meanwhile we patch and do our best to make things as secure as possible
edit: note that this is 100% true with Windows, MacOSX and what-not as well
Edited 2009-08-14 09:44 UTC
Since this flaw required local user access to exploit, I’m not sure it would have been very effective even before the patch?
… All of this was true, if this exploit was a known exploit, and the Linux kernel devs decided to simply ignore it for the past 8 years.
As far as we -know- (and I’ll ignore any type of non-educated guess or unfounded speculations), once Linus was aware of this vulnerability, a fix was issued within 2 hours.
So unless anyone has solid evidence that one of the Linux devs was aware of this vulnerability and somehow refused to fix it (why!?!?), the 8 years that passed since the introduction of the code that caused this vulnerability is meaningless. I’d assume that both Linux and Windows have vulnerabilities that date back to Linux 2.0 and Windows NT 3.1…
However, I’d point to you what we know – as in previous known track record:
On one hand, MS refuses to fix the UAC escalation problem and on the other, Linux vulnerabilities are usually patched within a day – if not hours (If you’ve used RHEL you know what I mean).
… Oh, and unlike Microsoft, a fix will most likely land in all the affected kernel trees (as far as 2.0 if it was required) and not just the latest (2.6) kernel tree.
Would have Microsoft released a similar fix for Windows 2000 – or even Windows NT 4.0, if such a long term vulnerability was found in all NT kernel since 4.0? I somehow doubt it.
– Gilboa
I think that you may be wrong.
This has nothing to do with MS, and why should MS fix NT 4.0 in the same situation? It is much older than anything that should be in use in the linux community, seeing as this exploit exists in 2.6 and 2.4, and updates are no longer being applied to the 2.2 kernel, which last saw a change in 2005.
I really doubt that anybody would bother patching such an old kernel, when upgrading to 2.4 would be a better plan anyway. Anybody still running such an old kernel (the same as running NT 4.0) is such a small percentage of their users, that the work runs into a serious amount of effort for no good reason.
As far as I remember, the 2.2 tree was active up until 2005 when the last maintainer left.
But nevertheless, given the fact that Linux is open source, if your embedded system depends on Linux 2.2, nothing stops you from taking the code and doing it yourself. (Did it myself.)
However, if your embedded system requires Windows NT 4.0 (and you’ll be amazed how many systems are still using NT 4.0), and MS refuses to patch the OS, you are screwed.
– Gilboa
A good point. But then again the reality hits you.
As a wild idea, imagine yourself and few co-workers maintaining the 2.6 branch even for a year. That is one reason why Linux is increasingly a no-no where I work.
Nevertheless, I applaud all who still work with the 2.4.
I take this opportunity to also note that the talk below (in all its infancy) about the Linux kernel has a tiny drop of truth in it, too. There is a reason why hardcore security people like Solar Designer stick with the 2.4 kernels.
Edited 2009-08-15 13:57 UTC
The last update for NT 4 came in 2003, Kernel 2.2 for Linux in 2005. MS didn’t stop updating critical bugs all that long before the kernel devs stopped updating 2.2
I also mentioned the 2.2 kernel was updated in 2005, but really, how likely is it that most organizations have a kernel hacker on staff to patch old crap like that?
Not that likely, in most small or medium organizations.
The fact that a person or organization can patch the kernel does not mean that they have the capabilities.
Not really, WinXP still runs the user as admin unless you have an AD server. Nothing has changed. A flaw in the kernel of a different platform doesn’t magically make this design fault in Windows go away.
In this case, Linux will be patched very quickly now that the fault is known. This very news article comes out after the bug patch is available. Now it’s a matter of how fast the distributions can include the new kernel update.
Nothing fanboyish about it. I can still easily get admin on a windows box through known exploits where this exploit in a different platform will be addressed instead of called a “feature”.
If running as admin wasn’t a problem, why, as of Vista, has Windows itself moved away from this? You do understand that if you are running as admin, EVERYTHING that runs is running as admin. On any OS, that should scare you. Especially one where things are installed from random locations (i.e. not trusted repositories only). This Linux bug will be closed, and no doubt there will be others and they will also be closed, but no OS should just hand out admin without even trying to defend it.
There is a difference between trying to do the right thing and failing occasionally, and never trying at all.
Who do you want to design the next nuclear power plant in your back yard, a guy with years of experience in nuclear design and operation who, like many people, occasionally makes mistakes, or someone with an associate’s degree in marketing who doesn’t believe radiation is a problem?
If the expert screws up and kills everyone, you’re just as dead as if the marketing guy had done it. But, given the choice, I’d still rather go with the expert. Clever mistakes are always more interesting than obvious ones. It will make the investigation into the accident more interesting for the survivors. It will give them something to focus on, to dull the radiation induced pain.
I mean, why even bother fixing? Just remove IPX, no one uses it nowadays (and by no one I mean likely 99.999% of users).
99.999% is a lot more than ‘no one’ – wouldn’t 0.001% be closer?
I think he means 99.999999% do not use it…
Use some logic before posting.
Let’s put this into perspective.
Mac OS X had an easy local root vulnerability from 2000 to 2008. Apple was warned about it by their own staff member in 2004, and it was discovered outside Apple in 2006 or 2007 (I forget which year).
Apple patched it in August 2008.
The Linux kernel had an easy local root vulnerability from 2001 to 2009. The kernel team was warned about it recently and they fixed it before word got out to the public.
Apple’s vulnerability could be exploited by a non-programmer and a single line of Applescript, the Linux vulnerability can be exploited by a programmer and some lines of C.
In short, Linux is not flawless, but it’s in MUCH better shape than the proprietary desktop competition.
I am rather intrigued by the exploit code – I wonder if I could somehow use it to hack my embedded Linux devices?
What difference does that make? Whether the tool that makes use of the exploit is written in C or AppleScript – once it has been created and added to some sort of toolset or worm, any skiddie can use it.
It’s not a lot of difference. Even I can exploit the former, but I can’t exploit the latter.
And that’s what I always say [although I have one machine with linux, among other machines with other OSs]:
linux kernel is a mess and it makes it a real pain in the ass. You can’t have a trust in a mess, unfortunately.
Code quality is something that should have the highest priority. That would eliminate most of the serious bugs.
Show me how the Linux kernel is a mess. Do you even know what the hell you’re talking about?
Instead of listening to him, how about listening to the real Linux kernel developers?
How about Andrew Morton?
http://lwn.net/Articles/285088/
Q: Is it your opinion that the quality of the kernel is in decline? Most developers seem to be pretty sanguine about the overall quality problem…
A: I used to think it was in decline, and I think that I might think that it still is. I see so many regressions which we never fix.
Or Dave Jones?
http://www.kroah.com/log/linux/ols_2006_keynote.html
“Last year Dave Jones told everyone that the kernel was going to pieces, with loads of bugs being found and no end in sight.”
Maybe you have missed the discussion where Alan Cox quits as a developer because Alan argues that the Linux regressions should be fixed correctly, which may break user applications? And Linus says that if user applications break, then you should not fix that kernel issue correctly. Instead you should preserve the old behavior so user apps don’t break. Alan complains about the Linux bugs, Linus says he shouldn’t mind them.
http://lkml.org/lkml/2009/7/24/182
http://lkml.org/lkml/2009/7/28/375
“Quite frankly, I don’t understand why I should even have to bring these issues up. You should have tried to fix the problem immediately, without arguing against fixing the kernel. Without blaming user space. Without making idiotic excuses for bad kernel behavior.
The fact is, breaking regular user applications is simply not acceptable. Trying to blame kernel breakage on the app being “buggy” is not ok. And arguing for almost a week against fixing it – that’s just crazy.
Linus”
Couple this with Linux’s constantly evolving API/ABIs and you have stability problems. Whenever Linus rewrites a big part of the code (which he does frequently, “Linux has no design, it evolves constantly like biology”) you introduce new bugs. Some say that it takes Service Pack 1 to iron out the most pressing bugs in Windows. What would happen if Windows were rewritten all the time? The bugs would never be squashed. You debug some code, and suddenly it is rewritten and you have new bugs, etc., ad nauseam. So you have problems with Linux being buggy and scaling badly on Big Iron. Admittedly, a stripped down Linux with no luggage scales well on large clusters, which is basically a bunch of computers on a network – like those on top500. But Big Iron is another thing; there Linux scales badly.
If I recall that issue correctly, you got it the wrong way around. It was Cox who broke it and Torvalds that was against breaking it!
Additionally, some random quotes are not proof of anything, especially in this case as that bug has been there for a long time.
As I understood it, Cox submitted a patch that corrected a strange behavior in the Linux kernel. Linus rejected the patch as it broke apps. Cox argued that the kernel should be corrected, as it behaved strangely. Linus didn’t agree; the patch should be modified.
And what OS are your other machines running?
I didn’t intend to sound offensive. I just pointed out some simple facts that come from my own experience.
I also don’t think it’s that important what kind of OSs I choose to run on my other machines, but if you’re really interested: mostly OpenBSD, FreeBSD and Haiku [it’s in a very early stage of development and it SERIOUSLY lacks good security mechanisms for now, but I run it successfully on one of my desktop machines, with a couple of tricks of course, and it’s pretty stable, fast, cohesive and well written]. I used to run other OSs in the past, but I don’t actually make any use of them anymore.
Regards
When it comes to Linux and vulnerabilities I’m just not worried because I know the kernel hackers will fix it very fast as they have always been doing it.
The kernel and the developers have always impressed me with their work and fast fixes. I know this won’t be a different case, and in the end we have a stronger kernel.
Yes, once they (kernel devs) know about issues, they (the issues) tend to get fixed right away.
Unfortunately, in this case, it took 8 years, including two major kernel releases, and umpteen minor kernel releases, to find the issue.
On the bright side, it doesn’t look like this was exploited too much in the wild.
I would have to say that, on this one, everyone was *extremely* lucky. This could have been a lot worse.
Edited 2009-08-14 18:40 UTC
Software has bugs.
The exploits I’ve seen so far rely on pulseaudio being present, which isn’t the case for many distros (especially in server installs).
And even if it is present it doesn’t automatically work, as a quick test on an Ubuntu 9.04 showed.
More elaborate exploits with less dependencies will surely be published but for now it still requires some luck to be on a Linux where the published exploits work as advertised.
Even before reading the article I knew what the take of the Linux apologists would be.
Instead of sticking to the subject, and be glad that a patch was done for the issue, they, like always, have to go back and blame Windows for something.
People, get your own life and grow up!
Take a look at the parent comments and tell me who started to blame who.
Linux advocacy is funny that way.
When you’ve seen enough of it, you either grow a talent of seeing through it and skipping the idiotism, get overly depressed, or go with the crowd; when something critical is said or discovered about your beloved one, shut your eyes, and just Microsoft yada Groklaw yada BSD bad yada yada Ubuntu yada yada yada.
What is there to be critical of? A bit of software had a bug discovered. The important thing is how long that bug remained known before the update became available. Simply counting bugs is the pastime of people with little true security and design understanding.
Bug reported in morning news along with patch (0730 EST). Debian kernel update available and applied (16:30 EST).
That’s not all distributions, but patch times are how one measures the quality of a general use distribution.
So, where is the grievous apologist back-pedalling? Where is the straying off topic and undue griefing?
Did you actually read the parent post?
He wondered why a news item with Linux kernel vulnerability in its title attains comments related to Windows XP.
A legitimate question to which I sarcastically replied that it seems to be the common way things are handled by the Linux advocacy camp in the public internet forums. (I have no idea what was the question you answered.)
You inspired me to go back and check that I had not misread.
http://www.osnews.com/comments/21993?view=flat&sort=&threshold=0
2009/08/14 16:12 – Big Gie – this is the first mention of Windows in a platform neutral comparison intending to illustrate how serious a vulnerability exploitable across the major kernel versions in use today could be. It simply makes the example accessible to those more familiar with Windows without suggesting some kind of deficiency in the reader.
2009/08/14 17:02 – JR – Title is “WinXP” and fires the first shots of hostility from the Windows fan camp with accusations that this bug somehow negates the “more secure by design” benefit to most Unix like platforms.
JR’s post starting this thread suggests that it would be Linux “apologists” who fire the first shot and can’t focus on anything outside of blaming Windows, unrelated to the actual article.
I was not originally replying to your comment but since you bring it up, you then further support this prejudgment by suggesting that only/all Linux folk close their eyes and ignore any faults in their preferred platform in favor of slamming other platforms. The point of value is your suggestion that many people learn to filter out the tripe and focus on more valuable points.
Most of the comments were actually about the implications of this bug, how long it will take for updated kernels to become generally available and ways to mitigate the risk of exploitation through it. Discussions about Windows were more often in response to someone’s fanboy accusations or limited understanding of platform design.
I find it funny that both sides are attempting to make mileage out of something that says very little as to whether something is more or less secure.
What this does show, however, is the idea of ‘many eyes’ is a myth; the best parallel to the ‘many eyes’ myth is equal to that of the ‘mythical man month’ (where people assume that more programmers equal getting to a destination faster when in reality it can slow it down).
Linux isn’t the first though; there are many other projects that have had the same sort of thing occur – end of the day, software is written by fallible humans and mistakes will happen.
The exploit dies on my system. This is the reason I use Grsecurity/PaX. Who knows how many times this vulnerability has been exploited in past. I don’t care if you use Windows, OSX, or Linux, layered security is a necessary component of any general purpose system.
I have a few sites with the web-hotel Servage. The whole cluster got hit and all my sites were defaced. My friend’s business site got defaced too.
None of my sites were affected by SQL injections. The attacker somehow managed to get to the hypervisor (or?)
Can’t recommend Servage to anyone.