
Android phones, and Linux desktops and servers all share a common ancestry. They’re all based on a common kernel, and share common utilities and components. Whenever a security vulnerability is found in these areas, the contagion is massive, and hundreds of millions of computers and mobile devices will inevitably be affected.

A recently discovered vulnerability (CVE-2016-0728) in the Linux kernel is an astonishing example of this. It takes advantage of a flaw in the OS keyring, and would allow any unprivileged attacker or user to gain root access to the system in question. Here’s how it works, and what you need to be wary of.

Understanding This Vulnerability

This vulnerability was discovered by Perception Point – a major Tel Aviv based information security consultancy firm. The flaw was first introduced around three years ago, with the release of version 3.8 of the Linux kernel. Perception Point estimates that around two-thirds of Android devices, and an unknowable number of Linux desktops and servers (probably in the tens of millions), are vulnerable.

As previously mentioned, this flaw is found in the OS keyring. This is the component used in Linux which allows drivers to cache security data, such as encryption keys and authentication tokens. By design, the data held in the OS keyring shouldn’t be accessible to other applications.


The exploit itself takes advantage of a flaw in how memory is managed in the OS keyring. By executing a buffer overflow, an attacker can trigger the operating system into running arbitrary shellcode, which would be executed as root.


It’s expected that the majority of Linux distributions will issue fixes by the start of next week. But if you’ve got a modern Intel processor (Broadwell or later), SMAP (Supervisor Mode Access Prevention) and SMEP (Supervisor Mode Execution Prevention) should be enabled, and will limit the damage this vulnerability can inflict.

Meanwhile, if you’re on Android, SELinux should likewise do the trick. It’s worth pointing out that Google has vehemently downplayed the risks presented by this vulnerability. In a statement, they said that all devices running Android 5.0 Lollipop and later are protected by SELinux, and the majority of older devices (running Android 4.4 KitKat and earlier) do not contain the vulnerable code that was introduced in version 3.8 of the Linux Kernel.

The Android Security Team also complained that they weren’t given notice to issue a patch. Essentially, they said that Perception Point didn’t perform responsible disclosure.

In other words, they’re not saying there isn’t a problem, but that it affects a much smaller proportion of Android devices than was earlier claimed by Perception Point. Despite that, they’re issuing a fix, which, when released, should close this gaping vulnerability once and for all.

Checking Your Privilege

One of the most fundamental principles of computer security can be succinctly summed up as: not all users should be able to do all things at all times.

If a user were perpetually logged in as root, or administrator, it would be significantly easier for a piece of malware or a remote attacker to cause significant damage. For this reason, most users and applications run in a restricted mode with limited permissions. When they want to do something that could result in damage to the computer – such as install a new program or change an important configuration file – they must first elevate their privileges. This concept is universal, and can be found on virtually every operating system.

Suppose someone is logged into a Linux or Mac computer with an administrator account, and they wish to edit their hosts file to remap a hostname to a local IP address. If they just try to open it immediately with a text editor, the operating system will return an error message saying something like “access denied”.

To make it work, they’d have to elevate their privileges. They can enter superuser mode indefinitely by running “sudo su”. This is helpful if they’re going to be running a series of restricted actions over an unspecified amount of time. To exit this mode and return to the normal user account, simply use the “exit” command.

To run just one command as superuser, just preface that command with “sudo”. Using the example of the hosts file, you can edit it with “sudo vim /etc/hosts”. You will then be prompted for your password. If the account doesn’t have administrator privileges (i.e. is a standard user account), the command will fail to work.

Android has a fundamentally different model of permissions, where applications are atomized and sandboxed, and users can make only limited under-the-hood changes. Users are actively discouraged from gaining root access. This is why most carriers and manufacturers (with HTC among the exceptions) actively discourage users from rooting their phones, and why it’s become a bit of a “dark art”.

Windows too has its own system of elevated privileges. Whenever a program makes a change to the system which requires enhanced permissions, Windows will prompt the user with a UAC (User Account Control) window. This shows the program that’s requesting elevated permissions. If the code has been given a cryptographic signature, it’ll show who signed it, allowing you to spot impostor programs. The user can then choose to give the program the permissions requested, or decline.


While this process is not without its flaws (UAC windows are regarded as rather annoying, for instance, and are generally just ‘clicked away’), it’s one that generally works. However, it can be easily circumvented by flaws in the operating system, much like the one identified by Perception Point.

Increasing Threats to Linux Devices

In recent years, we’ve seen a deluge of attacks targeting Linux-based operating systems, as it cements its hold on the server market, and increases its market share on the desktop.

Recently, a researcher in Russia discovered a Remote Access Trojan that was designed to help an attacker spy on users. Called Linux.Ekoms.1, the Trojan takes a screenshot every 30 seconds and saves it in a temporary folder as a JPEG disguised with a different file extension. Further analysis of the Trojan revealed that the developers were working on features that would allow it to record audio. These files would then be sent to a remote server. The attackers would also be able to issue commands through a command-and-control server.

Another rootkit for Linux – called Snakso-A – targeted 64-bit Linux webservers, and silently hijacked the webpages that were being served, in order to inject a malware-serving iFrame.


Then, of course, there are the vulnerabilities which were so severe that they became international news. I’m talking about the likes of Shellshock, the GHOST vulnerability, and Heartbleed.

These threats are generally resolved in an expedient manner by the maintainers and developers of the Linux components they affect. However, in recent months, their ability to do so has been called into question as a result of funding and staffing shortages, leading some to ask whether Linux has been a victim of its own success.

Check for Updates

Over the next few days, the majority of Linux distributions will be issuing patches, as will Google for Android. You’re advised to regularly check your package manager for updates.
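To turn the advice above (SMEP/SMAP and SELinux as damage limiters, and checking for updates) into something you can actually run, here is an added triage script; it is my own, not the article's or Perception Point's. It reports whether the running kernel is in the 3.8-and-later range where the keyring flaw was introduced, whether the keyring facility is compiled in (CONFIG_KEYS), whether the CPU advertises SMEP/SMAP, and the SELinux mode; the file paths are the standard Linux ones, and the version test is only a heuristic because distributions backport fixes without changing the version number.

```shell
#!/bin/sh
# Added triage script (not from the article or Perception Point). It only reports
# the indicators the article names: kernel >= 3.8 (where the keyring flaw appeared),
# CONFIG_KEYS, CPU SMEP/SMAP support and SELinux mode. Version numbers are a
# heuristic: distributions backport fixes without bumping them, so the package
# manager, not this script, has the final word.

# kernel_at_least MAJOR.MINOR VERSION: succeeds if VERSION >= MAJOR.MINOR.
# Suffixes such as "-27-generic" in `uname -r` output are ignored.
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.}
    have=${2%%-*}
    have_major=${have%%.*}
    rest=${have#*.}
    have_minor=${rest%%.*}
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] &&
          [ "$have_minor" -ge "$want_minor" ]; }
}
# cpu_has_flags FLAG...: succeeds if every FLAG appears in the "flags" line of
# the cpuinfo text read from stdin (e.g. cpu_has_flags smep < /proc/cpuinfo).
cpu_has_flags() {
    flags=$(awk -F: '/^flags/ { print " " $2 " "; exit }')
    for f in "$@"; do
        case "$flags" in *" $f "*) ;; *) return 1 ;; esac
    done
    return 0
}
# keyring_configured: succeeds if the kernel config on stdin has CONFIG_KEYS=y,
# i.e. the keyring facility the flaw lives in is built into this kernel.
keyring_configured() { grep -q '^CONFIG_KEYS=y'; }
report() {
    ver=$(uname -r)
    echo "kernel $ver"
    if kernel_at_least 3.8 "$ver"; then
        echo "  >= 3.8: keyring code present, confirm your distro shipped the CVE-2016-0728 fix"
    else
        echo "  < 3.8: predates the vulnerable keyring code"
    fi
    cfg="/boot/config-$ver"
    [ -r "$cfg" ] && { keyring_configured < "$cfg" && echo "  CONFIG_KEYS=y" || echo "  CONFIG_KEYS unset"; }
    [ -r /proc/cpuinfo ] && for flag in smep smap; do
        cpu_has_flags "$flag" < /proc/cpuinfo && echo "cpu: $flag present" || echo "cpu: $flag not reported"
    done
    command -v getenforce >/dev/null 2>&1 && echo "selinux: $(getenforce)"
    return 0
}
report
```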

Has this vulnerability made you question whether you should continue to use Linux? Tell me about it in the comments below.   

Photo Credits: Crypt (Christian Ditaputratama), PasswordFile (Christiaan Colen)
