In-brief: Software updates were released to address a serious and exploitable security flaw in the Linux kernel on Tuesday. The issue, in a feature called keyring, could impact embedded systems as well as mobile devices.
Software updates were released to address a serious and exploitable security flaw in the Linux kernel on Tuesday.
The bug, in a common Linux component called “keyring,” has broad reach, affecting many versions of the Android mobile operating system, as well as embedded devices on the Internet of Things that run versions of the Linux kernel, according to researchers at the security firm Perception Point, which discovered the hole. The vulnerability has been assigned the identifier CVE-2016-0728.
In a blog post, Perception Point described the vulnerability as a zero-day local privilege escalation vulnerability in the Linux kernel that has existed since 2012. “This vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets),” the company said.
In an interview with The Security Ledger, Perception Point CEO Yevgeny Pats said that the vulnerability, CVE-2016-0728, is caused by a programming error in code that is part of the keyring facility, a feature of the Linux kernel that provides a way for drivers to retain or cache security data including authentication and encryption keys in the kernel.
The flaw was discovered by Perception Point researchers who were developing a Linux software client for the company’s software. “Our research team looked into (the bug) and saw that it can cause a privilege escalation on the device,” Pats said.
The keyring feature is a core component of the Linux kernel starting with the 3.8 release. As a result, the vulnerability is “platform agnostic,” Pats said. It affects both 32-bit and 64-bit systems that use that kernel. Any version of Android starting with the KitKat release contains the vulnerability, as does any embedded real-time OS (RTOS) that relies on the 3.8 kernel or later.
The flaw is a common one: a so-called “integer overflow” vulnerability, in which the field that stores a keyring object’s reference count (its ‘use count’) is not checked before it is incremented, so the count can overflow and wrap around to 0.
“If a process causes the kernel to leak 0x100000000 references to the same object, it can later cause the kernel to think the object is no longer referenced and consequently free the object,” Perception Point wrote. “If the same process holds another legitimate reference and uses it after the kernel freed the object, it will cause the kernel to reference a deallocated or reallocated piece of memory.” Attackers could use that predictable “use after free” behavior to force the system to execute malicious code.
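The counting failure described in the two paragraphs above is easy to see in a small model. The C program below is an added illustration, not Perception Point’s proof-of-concept or kernel code: it keeps a 32-bit “use count” next to a 64-bit ground-truth tally of references actually held, applies a number of leaked increments, and reports whether the object ends up freed while references to it are still live. A second, checked counter refuses to take a reference rather than wrap, which is the defensive pattern (overflow-checked reference counts) that prevents this class of bug. The `refobj` type and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a kernel object with a 32-bit use count.
 * `usage` is what the kernel believes; `live` is the true number of
 * references held (only the model knows it); `freed` is set when the
 * count reaches 0 and the object is released. */
typedef struct {
    uint32_t usage;
    uint64_t live;
    bool     freed;
} refobj;

/* Unchecked take of n references that are never balanced by a put.
 * n increments of a uint32_t are exactly `usage += (uint32_t)n` modulo
 * 2^32, so the wrap is reproduced without looping four billion times. */
static void leak_unchecked(refobj *o, uint64_t n) {
    o->usage += (uint32_t)n;
    o->live  += n;
}

/* Checked take: stop at UINT32_MAX instead of wrapping. Returns how many
 * requests were refused; a real implementation would fail the caller
 * (the kernel's refcount_t saturates and warns in the same spirit). */
static uint64_t leak_checked(refobj *o, uint64_t n) {
    uint64_t room = (uint64_t)UINT32_MAX - o->usage;  /* increments that fit */
    uint64_t ok   = n < room ? n : room;
    o->usage += (uint32_t)ok;
    o->live  += ok;
    return n - ok;
}

/* Drop one reference; the object is freed when the count reaches 0,
 * regardless of how many references are really still in use. */
static void put(refobj *o) {
    if (o->freed) return;
    o->live--;
    if (--o->usage == 0) o->freed = true;
}

/* Scenario from the article: the process holds one counted reference,
 * leaks `leaks` more, then drops its counted one. Returns true when the
 * object is freed while live references remain, i.e. a use-after-free. */
bool uaf_after_leaks(uint64_t leaks, bool checked) {
    refobj o = { .usage = 1, .live = 1, .freed = false };
    if (checked)
        leak_checked(&o, leaks);
    else
        leak_unchecked(&o, leaks);
    put(&o);
    return o.freed && o.live > 0;
}

int main(void) {
    const uint64_t n = 0x100000000ULL;  /* the figure quoted in the article */
    printf("unchecked, %llu leaks: UAF=%d\n", (unsigned long long)n,
           uaf_after_leaks(n, false));
    printf("unchecked, 5 leaks:    UAF=%d\n", uaf_after_leaks(5, false));
    printf("checked,   %llu leaks: UAF=%d\n", (unsigned long long)n,
           uaf_after_leaks(n, true));
    return 0;
}
```

With exactly 0x100000000 leaked references the unchecked count returns to its starting value, so the one legitimate put drives it to zero and the object is freed with over four billion references still outstanding; the checked counter stops at UINT32_MAX, the put leaves it non-zero, and the object stays alive. Patching the leak itself (the missing put) is the fix for CVE-2016-0728; a checked counter is the defence in depth that turns a future leak of this kind into a refused operation instead of a freed-but-referenced object.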
To exploit the hole, an attacker would simply need to establish low-privileged access to an affected system. On an Android phone, this could be by way of an Android mobile application. In a more traditional environment, it might require physical or logical access to the system. Once logged in with low privileges, an attacker could use the vulnerability to escalate those privileges and gain administrator-level access to the vulnerable system.
Perception Point has coordinated with leading Linux distributions to patch the issue, including Red Hat, which issued two patches addressing the kernel vulnerability early Tuesday. Red Hat rated the issue “moderate.” The company also published an analysis of the flaw including proof of concept code.
Security flaws in core components of the Linux operating system have the potential to affect a wide range of devices, as more companies turn to the open source operating system to power connected devices.