
Thread: “Most serious” Linux privilege-escalation bug ever is under active exploit

  1. Link to Post #1
    Avalon Member Frankie Pancakes's Avatar

    “Most serious” Linux privilege-escalation bug ever is under active exploit

    A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

    While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

    The article states "The underlying bug was patched this week by the maintainers of the official Linux kernel."
    I install updates as they are indicated. Hope this patch was one of them.


    http://arstechnica.com/security/2016...ctive-exploit/

  2. The Following 10 Users Say Thank You to Frankie Pancakes For This Post:

    Aurelius (21st October 2016), Craig (20th October 2016), Ewan (21st October 2016), Foxie Loxie (21st October 2016), GaelVictor (21st October 2016), guayabal (21st October 2016), Harley (20th October 2016), Johnny (21st October 2016), PathWalker (22nd October 2016), ThePythonicCow (21st October 2016)

  3. Link to Post #2
    United States Administrator ThePythonicCow's Avatar

    Re: “Most serious” Linux privilege-escalation bug ever is under active exploit

    Here's what I understand this bug to be, from looking at it just now.

    First, some background:
    A "setuid" executable is an executable file that has its permission and ownership bits set so that, whenever it is executed, it runs with a different, perhaps higher, privilege than the process that called it. For example, the command that lets an ordinary user become root is just such an executable. When run, it executes with root permissions (because it's marked "setuid") and it is responsible for checking that the ordinary user who called it knows the password or whatever checks are necessary, and then giving that ordinary user root permissions for what they want to do.

    Using ordinary "memory map (mmap)" calls, a non-privileged process, running on a Linux system, can map a page of a "setuid" executable, so that it could modify a copy of that page. Ordinarily that would be harmless, as the modifications would only go to a private copy of that page, which would be useless and never part of the "setuid" executable.

    Now, this bug:
    But using this bug, if that non-privileged process then releases that modified page in the right way and at almost the same time reattaches to it another way (the exploit in the wild used a facility called "ptrace" to do this), then the kernel could get confused, and after making the requested change to the page, then forget it was supposed to be working only on a copy of that page, and rather keep that modified page around as a valid part of the "setuid" executable.

    This lets a hacker, if they can run a process as a local user of even the lowest "guest" privilege, then be able to run some code, in the hacked "setuid" executable, of their own choosing. As soon as the hacker gets that far, they can choose to have the code they inserted in the "setuid" executable give them full root privilege, and they own your system.

    The bug has been around "forever". Linus attempted a fix eleven years ago, but didn't realize that his fix didn't work for long, when another bug fix soon broke his fix for this bug.

    This time Linus thinks that Phil Oester's fix is a proper fix.

    Here's the LKML (Linux Kernel eMailing List) take message with the fix: https://lkml.org/lkml/2016/10/19/860
    Last edited by ThePythonicCow; 21st October 2016 at 05:55.
    My quite dormant website: pauljackson.us

  4. The Following 9 Users Say Thank You to ThePythonicCow For This Post:

    Ewan (21st October 2016), Foxie Loxie (21st October 2016), GaelVictor (21st October 2016), hohoemi (21st October 2016), Johnny (21st October 2016), LivioRazlo (21st October 2016), mab777 (21st October 2016), PathWalker (22nd October 2016), rezboom (21st October 2016)
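
The copy-on-write guarantee that post #2 describes (a read-only file can be mapped writable, but only as a private copy) can be checked on any Linux box. This is an added example, not code from the thread, the linked articles or the kernel; the scratch file name and the function `cow_invariant_check` are made up for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 0 if copy-on-write held, else the number of the first failed step. */
int cow_invariant_check(void)
{
    char path[] = "/tmp/cow_demo_XXXXXX";        /* constructed scratch file */
    const char original[] = "ORIGINAL CONTENT";
    char on_disk[sizeof original] = {0};
    int rc = 0;

    int wfd = mkstemp(path);
    if (wfd < 0) return 1;
    if (write(wfd, original, sizeof original) != (ssize_t)sizeof original) rc = 2;
    close(wfd);

    /* Read-only descriptor: all an ordinary user gets on a root-owned binary. */
    int fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return 3; }

    /* A shared writable mapping would write through to the file: refused. */
    void *shared = mmap(NULL, sizeof original, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (!rc && (shared != MAP_FAILED || errno != EACCES)) rc = 4;
    if (shared != MAP_FAILED) munmap(shared, sizeof original);

    /* A private writable mapping is allowed: writes go to a private copy. */
    char *priv = mmap(NULL, sizeof original, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (priv == MAP_FAILED) { close(fd); unlink(path); return 5; }
    memcpy(priv, "MODIFIED", 8);
    if (!rc && memcmp(priv, "MODIFIED CONTENT", sizeof original) != 0) rc = 6;

    /* The file itself must still hold the original bytes. */
    if (!rc && pread(fd, on_disk, sizeof original, 0) != (ssize_t)sizeof original) rc = 7;
    if (!rc && memcmp(on_disk, original, sizeof original) != 0) rc = 8;

    munmap(priv, sizeof original);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{ int rc = cow_invariant_check(); printf("cow_invariant_check() = %d\n", rc); return rc; }
```

A return value of 0 means the process changed only its own copy and the file on disk kept its original bytes, which is the boundary CVE-2016-5195 let a local user cross.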

  5. Link to Post #3
    Denmark Avalon Member Johnny's Avatar

    Re: “Most serious” Linux privilege-escalation bug ever is under active exploit

    Quote Widespread flaw can be easily exploited to hijack PCs, servers, gizmos, phones
    http://www.theregister.co.uk/2016/10...calation_hole/

    I do not have an Android phone, so do not ask me how to fix it !

    Johnny
    There would be no life here on Earth without YOU, at least not as YOU know it. /Johnny

    The fact that I pressed the thanks button is not necessarily because I agree with you, but more so that I can see the threads I follow, that I have read your post.

  6. The Following User Says Thank You to Johnny For This Post:

    Foxie Loxie (21st October 2016)

  7. Link to Post #4
    United States On Sabbatical

    Re: “Most serious” Linux privilege-escalation bug ever is under active exploit

    Quote Posted by Johnny (here)
    Quote Widespread flaw can be easily exploited to hijack PCs, servers, gizmos, phones
    http://www.theregister.co.uk/2016/10...calation_hole/

    I do not have an Android phone, so do not ask me how to fix it !

    Johnny
    Just accept the updates that are pushed to it by your carrier and you'll be good.
    Hard times create strong men, Strong men create good times, Good times create weak men, Weak men create hard times.
    Where are you?

  8. The Following 3 Users Say Thank You to TargeT For This Post:

    greybeard (21st October 2016), Harley (21st October 2016), Johnny (22nd October 2016)

  9. Link to Post #5
    Moderator (on Sabbatical) Harley's Avatar

    Re: “Most serious” Linux privilege-escalation bug ever is under active exploit

    Quote Just accept the updates that are pushed to it by your carrier and you'll be good.
    That's right. As long as you do this I wouldn't even be concerned about it because there really isn't much else you can do. I've always manually checked for updates usually a couple times a day, which only takes a few seconds. This allows me to pick up any updates as soon as they have been placed on their servers usually long before the Auto-Updater notifies me.

    Interestingly, on the same day the article in the OP was published, Canonical - The company behind Ubuntu - announced this on the Ubuntu website:

    ---------------------------------------------------------


    This new live kernel patching service can be used on any Ubuntu 16.04 LTS system (using the generic Linux 4.4 kernel) to minimise unplanned downtime and maintain the highest levels of security.

    First a bit of background…

    Since the release of the Linux 4.0 kernel about 18 months ago, users have been able to patch and update their kernel packages without rebooting. However, until now, no other Linux distribution has offered this feature for free to their users. That changes today with the release of the Canonical Livepatch Service:

    * The Canonical Livepatch Service is available for free to all users up to 3 machines.

    * If you want to enable the Canonical Livepatch Service on more than three machines, please purchase an Ubuntu Advantage support package from buy.ubuntu.com or get in touch.

    Beyond securing your desktop, server, IoT device or virtual guest, the Canonical Livepatch Service is particularly useful in container environments since every container will share the same kernel.

    “Kernel live patching enables runtime correction of critical security issues in your kernel without rebooting. It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads,” says Dustin Kirkland, Ubuntu Product and Strategy for Canonical.
    ---------------------------------------------------------

    It's really easy to install. Go HERE or HERE for instructions.

    Live kernel patches as they become available and no rebooting. Now you can't beat that!


  10. The Following 3 Users Say Thank You to Harley For This Post:

    greybeard (21st October 2016), Johnny (22nd October 2016), TargeT (21st October 2016)

  11. Link to Post #6
    Scotland Avalon Member greybeard's Avatar

    Re: “Most serious” Linux privilege-escalation bug ever is under active exploit

    I use Linux Ubuntu 16.04 LTS and would recommend this OS to anyone.
    All the software I would need is free--their Libre Office is great and comes with the basic system--that can be downloaded to other OS systems.

    Ch
    Be kind to all life, including your own, no matter what!!

  12. The Following 4 Users Say Thank You to greybeard For This Post:

    fourty-two (21st October 2016), Harley (28th October 2016), Johnny (22nd October 2016), PathWalker (22nd October 2016)
