Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Another Old Flaw Patched in Linux Kernel

A researcher has identified another potentially serious Linux kernel vulnerability that has been around for several years. The flaw was addressed in the kernel more than one week ago, but some of the affected Linux distributions have yet to release patches.

A researcher has identified another potentially serious Linux kernel vulnerability that has been around for several years. The flaw was addressed in the kernel more than one week ago, but some of the affected Linux distributions have yet to release patches.

The security hole was discovered using the syzkaller fuzzer by Positive Technologies expert Alexander Popov, who reported it to Linux kernel developers on February 28. The researcher said the vulnerability was introduced in June 2009.

The flaw, tracked as CVE-2017-2636, is a race condition in the n_hdlc driver that can lead to a double-free error. A local attacker with limited privileges can exploit the weakness to cause a denial-of-service (DoS) condition or escalate privileges.

“The vulnerability is old, so it is widespread across Linux workstations and servers,” explained Popov. “To automatically load the flawed module, an attacker needs only unprivileged user rights. Additionally, the exploit doesn’t require any special hardware.”

The security hole affects Red Hat, Ubuntu, Debian, SUSE and other distributions, but patches have not been made available for all affected versions. The bug was patched in the Linux kernel on March 7.

Until fixes become available, users can mitigate the vulnerability by manually blocking the affected module from loading. Popov says he plans on releasing a proof-of-concept (PoC) exploit once users have had the chance to update their installations.

Several of the Linux kernel flaws identified in the past months had been introduced years prior to their discovery, including CVE-2016-0728 and CVE-2016-5696, both introduced in 2012 and both affecting Linux and Android devices. An even older vulnerability, CVE-2017-6074, which came to light last month, was introduced in 2005.

Researcher Kees Cook recently analyzed the Linux kernel vulnerabilities discovered since 2011 in an effort to determine for how long they had gone unnoticed. The expert determined that the average lifespan of a security hole is roughly 5 years, with critical issues being discovered after 3.3 years and high severity bugs found after more than 6 years.

Related: “Dirty COW” Linux Kernel Exploit Seen in the Wild

Related: Google Downplays Impact of Linux Kernel Flaw on Android

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.