Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Project Zero Discloses New Linux Kernel Flaw

Google Project Zero this week disclosed the details and released a proof-of-concept (PoC) exploit for a potentially serious Linux kernel vulnerability.

Google Project Zero this week disclosed the details and released a proof-of-concept (PoC) exploit for a potentially serious Linux kernel vulnerability.

The flaw, tracked as CVE-2018-17182 and assigned a severity rating of “high,” was discovered by Google Project Zero’s Jann Horn. The security hole is a use-after-free introduced in August 2014 with the release of version 3.16 of the Linux kernel.

Use-after-free vulnerabilities can typically be exploited to corrupt data in memory, cause a process to crash (i.e. DoS attack), and execute arbitrary code or commands.

In the case of CVE-2018-17182, Horn says an attacker could run an arbitrary binary with root privileges. The PoC exploit made available by the researcher can help an attacker gain a root shell, but it takes roughly an hour to execute.

He explained in a blog post that exploitation takes some time because the process triggering the vulnerability needs to run for long enough to overflow a reference counter.

Horn reported his findings to Linux kernel developers on September 12 and a patch was created two days later. “This is exceptionally fast, compared to the fix times of other software vendors,” the expert said.

The issue was disclosed on the oss-security mailing list on September 18, and the patch was rolled out the next day, when it was backported to upstream stable kernel versions 4.18.9, 4.14.71, 4.9.128 and 4.4.157.

The researcher noted that once the patch lands in the upstream kernel, which in this case was September 14, the bug becomes public knowledge – the security impact is obfuscated, but it’s not difficult for experts to figure out. At this point, malicious actors can already create an exploit for it, but Linux distributions need to backport the fix before it can be provided to users.

Advertisement. Scroll to continue reading.

Horn pointed out, however, that the developers of Linux distributions don’t publish kernel updates very often, leaving users exposed to potential attacks.

“For example, Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27. Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users – especially if the security impact is not announced publicly,” Horn explained.

The researcher singled out Debian and Ubuntu developers for not making a patch available to users more than a week after public disclosure of the vulnerability.

“The fix timeline shows that the kernel’s approach to handling severe security bugs is very efficient at quickly landing fixes in the git master tree, but leaves a window of exposure between the time an upstream fix is published and the time the fix actually becomes available to users – and this time window is sufficiently large that a kernel exploit could be written by an attacker in the meantime,” Horn said.

Related: Linux Kernel Vulnerability Affects Red Hat, CentOS, Debian

Related: ‘SegmentSmack’ Flaw in Linux Kernel Allows Remote DoS Attacks

Related: Privilege Escalation Bug Lurked in Linux Kernel for 8 Years

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.