
Critical Linux vulnerability imperils users even after silent fix

  • Thad Floryan
    http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
    Message 1 of 1 , May 18, 2013

      A month after critical bug was quietly fixed, "root" vulnerability

      Dan Goodin - May 15, 2013 4:44 pm UTC

      ## The name of one website cited in the following article may be very
      ## offensive to some people; to see/visit it, read the article at the
      ## above URL -- I didn't copy'n'paste that website name below nor did
      ## I include the URLs implied by the word "here" in the article. -Thad

      For more than two years, the Linux operating system has contained a
      high-severity vulnerability that gives untrusted users with restricted
      accounts nearly unfettered "root" access over machines, including
      servers running in shared Web hosting facilities and other sensitive
      environments. Surprisingly, most users remain wide open even now,
      more than a month after maintainers of the open-source OS quietly
      released an update that patched the gaping hole.

      The severity of the bug, which resides in the Linux kernel's "perf,"
      or performance counters subsystem, didn't become clear until Tuesday,
      when attack code exploiting the vulnerability became publicly
      available (note: some content on this site is not considered
      appropriate in many work environments). The new script can be used to
      take control of servers operated by many shared Web hosting providers,
      where dozens or hundreds of people have unprivileged accounts on the
      same machine. Hackers who already have limited control over a Linux
      machine -- for instance, by exploiting a vulnerability in a desktop
      browser or a Web application -- can also use the bug to escalate their
      privileges to root. The flaw affects versions of the Linux kernel
      from 2.6.37 to 3.8.8 that have been compiled with the
      CONFIG_PERF_EVENTS kernel configuration option.

      "Because there's a public exploit already available, an attacker would
      simply need to download and run this exploit on a target machine," Dan
      Rosenberg, a senior security researcher at Azimuth Security, told Ars
      in an e-mail. "The exploit may not work out-of-the-box on every
      affected machine, in which case it would require some fairly
      straightforward tweaks (for someone with exploit development
      experience) to work properly."

      The fix to the Linux kernel was published last month. Its
      documentation did not mention that the code patched a critical
      vulnerability that could jeopardize the security of organizations
      running Linux in highly sensitive environments. This lack of security
      advisories has been standard practice for years among Linus Torvalds
      and other developers of the Linux kernel -- and has occasionally been
      the subject of intense criticism from some in security circles.

      Now that a fix is available in the kernel, it will be folded into all
      of the affected stable kernel releases offered by kernel.org, which
      maintains the Linux core code. Individual distributions are expected
      to apply the fix to their kernels and publish security updates in the
      coming days.

      Additional details of the bug are available here, here, here, and
      here. People running vulnerable machines with untrusted user accounts
      should check with their distributors to find out when a patch will be
      available and what steps can be taken in the meantime. One user of a
      Red Hat Linux distribution posted temporary mitigation steps here,
      although at time of writing, Ars was unable to confirm that they
      worked. Readers are encouraged to post other mitigation advice in