Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Project Zero Discloses New Linux Kernel Flaw

Google Project Zero this week disclosed the details and released a proof-of-concept (PoC) exploit for a potentially serious Linux kernel vulnerability.

Google Project Zero this week disclosed the details and released a proof-of-concept (PoC) exploit for a potentially serious Linux kernel vulnerability.

The flaw, tracked as CVE-2018-17182 and assigned a severity rating of “high,” was discovered by Google Project Zero’s Jann Horn. The security hole is a use-after-free introduced in August 2014 with the release of version 3.16 of the Linux kernel.

Use-after-free vulnerabilities can typically be exploited to corrupt data in memory, cause a process to crash (i.e. DoS attack), and execute arbitrary code or commands.

In the case of CVE-2018-17182, Horn says an attacker could run an arbitrary binary with root privileges. The PoC exploit made available by the researcher can help an attacker gain a root shell, but it takes roughly an hour to execute.

He explained in a blog post that exploitation takes some time because the process triggering the vulnerability needs to run for long enough to overflow a reference counter.

Horn reported his findings to Linux kernel developers on September 12 and a patch was created two days later. “This is exceptionally fast, compared to the fix times of other software vendors,” the expert said.

The issue was disclosed on the oss-security mailing list on September 18, and the patch was rolled out the next day, when it was backported to upstream stable kernel versions 4.18.9, 4.14.71, 4.9.128 and 4.4.157.

The researcher noted that once the patch lands in the upstream kernel, which in this case was September 14, the bug becomes public knowledge – the security impact is obfuscated, but it’s not difficult for experts to figure out. At this point, malicious actors can already create an exploit for it, but Linux distributions need to backport the fix before it can be provided to users.

Horn pointed out, however, that the developers of Linux distributions don’t publish kernel updates very often, leaving users exposed to potential attacks.

“For example, Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27. Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users – especially if the security impact is not announced publicly,” Horn explained.

The researcher singled out Debian and Ubuntu developers for not making a patch available to users more than a week after public disclosure of the vulnerability.

“The fix timeline shows that the kernel’s approach to handling severe security bugs is very efficient at quickly landing fixes in the git master tree, but leaves a window of exposure between the time an upstream fix is published and the time the fix actually becomes available to users – and this time window is sufficiently large that a kernel exploit could be written by an attacker in the meantime,” Horn said.

Related: Linux Kernel Vulnerability Affects Red Hat, CentOS, Debian

Related: ‘SegmentSmack’ Flaw in Linux Kernel Allows Remote DoS Attacks

Related: Privilege Escalation Bug Lurked in Linux Kernel for 8 Years

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.