Security Experts:

Another Old Flaw Patched in Linux Kernel

A researcher has identified another potentially serious Linux kernel vulnerability that has been around for several years. The flaw was addressed in the kernel more than one week ago, but some of the affected Linux distributions have yet to release patches.

The security hole was discovered using the syzkaller fuzzer by Positive Technologies expert Alexander Popov, who reported it to Linux kernel developers on February 28. The researcher said the vulnerability was introduced in June 2009.

The flaw, tracked as CVE-2017-2636, is a race condition in the n_hdlc driver that can lead to a double-free error. A local attacker with limited privileges can exploit the weakness to cause a denial-of-service (DoS) condition or escalate privileges.

"The vulnerability is old, so it is widespread across Linux workstations and servers,” explained Popov. “To automatically load the flawed module, an attacker needs only unprivileged user rights. Additionally, the exploit doesn't require any special hardware.”

The security hole affects Red Hat, Ubuntu, Debian, SUSE and other distributions, but patches have not been made available for all affected versions. The bug was patched in the Linux kernel on March 7.

Until fixes become available, users can mitigate the vulnerability by manually blocking the affected module from loading. Popov says he plans on releasing a proof-of-concept (PoC) exploit once users have had the chance to update their installations.

Several of the Linux kernel flaws identified in the past months had been introduced years prior to their discovery, including CVE-2016-0728 and CVE-2016-5696, both introduced in 2012 and both affecting Linux and Android devices. An even older vulnerability, CVE-2017-6074, which came to light last month, was introduced in 2005.

Researcher Kees Cook recently analyzed the Linux kernel vulnerabilities discovered since 2011 in an effort to determine for how long they had gone unnoticed. The expert determined that the average lifespan of a security hole is roughly 5 years, with critical issues being discovered after 3.3 years and high severity bugs found after more than 6 years.

Related: "Dirty COW" Linux Kernel Exploit Seen in the Wild

Related: Google Downplays Impact of Linux Kernel Flaw on Android

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.