8 Comments
Tomi Engdahl says:
Linux bug imperils tens of millions of PCs, servers, and Android phones
Vulnerability allows restricted users and apps to gain unfettered root access.
http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-millions-of-pcs-servers-and-android-phones/
For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.
The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can’t be accessed by other apps. According to a blog post published Tuesday, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that’s executed by the kernel.
Analysis and Exploitation of a Linux Kernel Vulnerability (CVE-2016-0728)
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
The Perception Point Research team has identified a 0-day local privilege escalation vulnerability in the Linux kernel. While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit. As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets). While neither we nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.
CVE-2016-0728 is caused by a reference leak in the keyrings facility.
Quoting directly from its manpage, the keyrings facility is primarily a way for drivers to retain or cache security data, authentication keys, encryption keys and other data in the kernel.
Exploiting the Bug
Even though the bug itself can directly cause a memory leak, it has far more serious consequences.
If a process causes the kernel to leak 0x100000000 references to the same object, it can later cause the kernel to think the object is no longer referenced and consequently free the object. If the same process holds another legitimate reference and uses it after the kernel freed the object, it will cause the kernel to reference deallocated or reallocated memory. This way, we can achieve a use-after-free by using the exact same bug from before.
There are a couple of ways to get the keyring object freed while holding a reference to it.
Mitigations & Conclusions
The vulnerability affects any Linux Kernel version 3.8 and higher. SMEP & SMAP, as well as SELinux on Android devices, will make it difficult to exploit. Maybe we’ll talk about tricks to bypass those mitigations in upcoming blogs; anyway, the most important thing for now is to patch it as soon as you can.
Tomi Engdahl says:
Red Hat CVE-2016-0728
https://access.redhat.com/security/cve/cve-2016-0728
Statement
This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6. This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7 and will be addressed in a future update.
Tomi Engdahl says:
Use after free vulnerability in Linux kernel keychain management (CVE-2016-0728)
https://access.redhat.com/articles/2131021
Red Hat has been made aware of a vulnerability affecting the kernel that ships with Red Hat Enterprise Linux 7 and derivatives. This vulnerability, CVE-2016-0728, could allow for arbitrary code execution, and a skilled attacker could use it to escalate their privileges. The attacker must be able to run custom code on the account; in the most common configuration this requires them to have a login and shell account on the target system.
This issue was introduced in commit 3a50597de8635cd05133bd12c95681c82fe7b878, which was introduced in the kernel version 3.10. All Red Hat Enterprise Linux kernels from this point onward are affected at the time of writing.
How does this impact systems:
Users must have an account on the system, or be able to instruct the system to run code on their behalf. The attack is not immediate and may take some time to run; the system shows key usage counts climbing and then eventually wrapping to negative.
I believe my system may have been compromised due to this vulnerability, what should I do?
If you have run the diagnostic steps in this article, and your system still appears to be vulnerable, or you believe your system has been compromised, open a support case with Red Hat or contact Red Hat support by phone.
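The Red Hat note above says an attack in progress shows key usage counts climbing and eventually wrapping to negative; the place that count is visible from userspace is the third column of /proc/keys (serial, flags, usage, timeout, perm, uid, gid, type, description). As an added example, not Red Hat's or the kernel's code, the following C program parses lines in that format and flags any key whose usage column is negative or above an operator-chosen threshold. The sample lines, key names, serials and the 10000 threshold are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Each /proc/keys line: serial flags usage timeout perm uid gid type description.
 * The usage column is the kernel's key reference count printed as a signed int,
 * so a count driven past 0x7fffffff by the CVE-2016-0728 leak shows up negative.
 */
struct key_entry {
    unsigned int serial;
    char flags[8];
    long usage;
    char type[16];
    char desc[64];
};

/* Constructed sample lines (not captured from a real host). */
static const char *sample_proc_keys[] = {
    "0c3f2a10 I--Q---     2 perm 3f010000  1000  1000 keyring   _ses: 1",
    "2a9c7e44 I--Q---    45 perm 1f3f0000  1000  1000 keyring   _uid.1000: 3",
    "1b5d9f02 I--Q--- 2147483000 perm 3f010000  1000  1000 keyring   leaky_ring: 0",
    "33e01abc I--Q--- -1052 perm 3f010000  1000  1000 keyring   wrapped_ring: 0",
    "0a1b2c3d I--Q---     1 perm 3f010000     0     0 user      some-user-key",
};
#define SAMPLE_COUNT (sizeof sample_proc_keys / sizeof sample_proc_keys[0])

/* Parse one line; returns 0 on success, -1 if the line does not match the layout. */
int parse_proc_keys_line(const char *line, struct key_entry *e) {
    char timeout[16];
    unsigned int perm, uid, gid;
    int consumed = 0;
    memset(e, 0, sizeof *e);
    /* %n records where the fixed columns end; the rest of the line is the description. */
    if (sscanf(line, "%x %7s %ld %15s %x %u %u %15s %n",
               &e->serial, e->flags, &e->usage, timeout, &perm, &uid, &gid,
               e->type, &consumed) != 8)
        return -1;
    snprintf(e->desc, sizeof e->desc, "%s", line + consumed);
    return 0;
}

/* A usage count that is negative, or above `threshold`, cannot come from normal keyring use. */
int usage_is_suspicious(long usage, long threshold) {
    return usage < 0 || usage > threshold;
}

/* Scan lines and return how many keys have a suspicious usage count.
 * `threshold` is the operator's choice; 10000 below is an assumed value. */
int count_suspicious_keys(const char **lines, size_t n, long threshold) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct key_entry e;
        if (parse_proc_keys_line(lines[i], &e) != 0)
            continue;
        if (usage_is_suspicious(e.usage, threshold)) {
            printf("SUSPICIOUS serial=%08x type=%s usage=%ld desc=%s\n",
                   e.serial, e.type, e.usage, e.desc);
            hits++;
        }
    }
    return hits;
}

int main(void) {
    int n = count_suspicious_keys(sample_proc_keys, SAMPLE_COUNT, 10000);
    printf("%d suspicious key(s)\n", n);
    return 0;
}
```

To use this on a live host, feed it the lines of /proc/keys instead of the embedded sample, and run it as root, since /proc/keys only lists keys the reading process is allowed to view. A healthy keyring holds a handful of references, so anything in the thousands, let alone negative, is worth a look; the signal is only present while the leak loop is running, so a periodic sweep is more useful than a one-off check.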
Tomi Engdahl says:
Bug 1297475 – (CVE-2016-0728) CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility
https://bugzilla.redhat.com/show_bug.cgi?id=1297475
It was reported that a possible use-after-free vulnerability in the keyring facility, possibly leading to local privilege escalation, was found.
Tomi Engdahl says:
CVE-2016-0728
https://security-tracker.debian.org/tracker/CVE-2016-0728
Vulnerable and fixed packages
Tomi Engdahl says:
A vulnerability has been found in the Linux kernel that could allow local command execution with elevated privileges. We reported last week on security company Perception Point’s discovery of the vulnerability.
The hole affects several of the latest versions of Linux distributions and older Android devices (operating system versions 4.4 and earlier), says the Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus.
The vulnerability is associated with the kernel’s config_keys setting. A person who has a password to the system can exploit it to raise their privileges to administrator level.
Exploiting the vulnerability requires significant computing resources; on a powerful desktop computer, for example, exploitation takes about 30 minutes.
The vulnerability has been fixed in the latest versions of several Linux distributions, the Kyberturvallisuuskeskus says. Exploitation can also be limited by, for example, putting the SELinux extension into enforcing mode.
Source: http://www.tivi.fi/Kaikki_uutiset/linuxista-loydetyn-haavoittuvuuden-voi-tilkkia-6247908
Tomi Engdahl says:
Google: Linux vulnerability does not threaten Android
Last week the security company Perception Point reported a zero-day vulnerability in the Linux kernel that threatened all devices based on the Linux kernel. Google is now assuring that for Android smartphones the threat is very small.
The vulnerability does not affect Nexus smartphones. If your smartphone has Android 5.0 or higher, the SELinux policy prevents third-party applications from accessing the affected code.
In addition, many older devices (Android 4.4 or older) do not have the vulnerability, which was found in Linux kernel version 3.8.
Google does not take a position on Linux laptops and servers. On those, the vulnerability must be patched with a separate fix.
Source: http://etn.fi/index.php?option=com_content&view=article&id=3880:google-linux-haavoittuvuus-ei-uhkaa-androidia&catid=13&Itemid=101
Tomi Engdahl says:
Don’t Burn Your Android Yet
http://www.linuxjournal.com/content/dont-burn-your-android-yet
A few days ago, security firm Perception Point released the details of a zero-day exploit in the Linux kernel, which has sparked a wave of panic as the report indicated that millions of Android devices are vulnerable.
Although patching security problems is quite easy on most Linux distros, it’s a lot harder for Android users. PC users and server admins usually can update their systems with a few terminal commands or through a GUI software store.
The update process is different for Android devices. Android users have to wait for over-the-air updates from the manufacturer.
However, Google’s Android security lead Adrian Ludwig claims that the majority of Android devices are actually safe. Android 4.4 and earlier use older versions of the kernel that never contained the bug. And even after the bug was introduced into the kernel, most versions of Android don’t include the keyrings feature in the kernel. Finally, more recent versions of Android use SELinux, which blocks userspace programs from deploying a payload that can be executed using the exploit.
The “keyrings” exploit takes advantage of a bug inside the keyrings feature. In an ironic twist, keyrings is supposed to make Linux more secure. It’s used to cache security details, keys and certificates.
Perception Point has done a great job of documenting the bug and how it could be exploited. You can read the details at http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/.
In short, a malicious process requests a new keyring for the session, and then it spams the kernel with requests for a keyring with an identical name. The code in the kernel recognizes that the keyring already exists and sends an error code.
The bug is that the internal “reference count” for the keyring is increased each time a request is sent.
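Perception Point's write-up above (leak 0x100000000 references, let the kernel free the object, keep using a legitimate reference) and the Linux Journal summary just above (spam join requests for a keyring with the same name; the kernel answers with an error but bumps the reference count every time) describe the same mechanism. The following C program is an added, scaled-down model of it, not Perception Point's proof of concept and not kernel code. It puts the pre-fix join logic next to a version that releases the lookup reference on the error path, and shows that only the former leaves the process holding a pointer to a freed keyring. The kernel's usage counter is a 32-bit atomic_t; the model uses a 16-bit counter (an assumption, so the wrap happens after 0x10000 calls and the run finishes instantly), and the keyring name and helper names are made up for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Scaled-down model of the CVE-2016-0728 reference leak (demo code, not the
 * kernel's). The real key->usage counter is a 32-bit atomic_t, so wrapping it
 * takes 0x100000000 leaked references; this model uses a 16-bit counter (an
 * assumption made so the demo runs instantly) and wraps after 0x10000.
 */
typedef uint16_t refcnt_t;
#define REFCNT_WRAP (1UL << (8 * sizeof(refcnt_t)))   /* 0x10000 in this model */

struct keyring {
    refcnt_t usage;
    int freed;            /* set when the model kernel "kfree()s" the object */
    char name[32];
};

/* The process's current session keyring, findable by name. */
static struct keyring *session_keyring;

static struct keyring *keyring_alloc(const char *name) {
    struct keyring *k = calloc(1, sizeof *k);
    if (!k) abort();
    snprintf(k->name, sizeof k->name, "%s", name);
    k->usage = 1;                 /* the reference held by the creator's credentials */
    return k;
}

static struct keyring *key_get(struct keyring *k) { k->usage++; return k; }

/* Drop a reference; at zero the object is freed. Memory is kept so `freed` stays readable. */
static void key_put(struct keyring *k) {
    if (--k->usage == 0) k->freed = 1;
}

/* find_keyring_by_name(): on success returns the ring with one reference taken. */
static struct keyring *find_keyring_by_name(const char *name) {
    if (session_keyring && strcmp(session_keyring->name, name) == 0)
        return key_get(session_keyring);
    return NULL;
}

/* Pre-fix join_session_keyring(): when the named ring is already the caller's
 * session keyring it returns -EEXIST but never drops the reference that
 * find_keyring_by_name() took. Other join paths are not modelled. */
int join_session_keyring_buggy(const char *name) {
    struct keyring *k = find_keyring_by_name(name);
    if (!k) return -2;                     /* -ENOENT */
    if (k == session_keyring) return -17;  /* -EEXIST: lookup reference leaked here */
    key_put(k);
    return 0;
}

/* Fixed version: release the lookup reference on the -EEXIST path. */
int join_session_keyring_fixed(const char *name) {
    struct keyring *k = find_keyring_by_name(name);
    if (!k) return -2;
    if (k == session_keyring) { key_put(k); return -17; }
    key_put(k);
    return 0;
}

/* Drive `join` `attempts` times against the process's own session keyring,
 * then drop one legitimate reference. Returns 1 if the process is left holding
 * a pointer to a freed keyring (use-after-free), 0 otherwise. The usage count
 * seen just before the legitimate release is stored in *usage_before_put. */
int simulate_attack(int (*join)(const char *), unsigned long attempts,
                    unsigned long *usage_before_put) {
    session_keyring = keyring_alloc("leaky_ring");       /* usage = 1 (credentials) */
    struct keyring *handle = key_get(session_keyring);   /* usage = 2, second legitimate ref */

    for (unsigned long i = 0; i < attempts; i++)
        join("leaky_ring");                              /* every call answers -EEXIST */

    if (usage_before_put) *usage_before_put = session_keyring->usage;

    key_put(handle);                                      /* legitimate release */
    int uaf = session_keyring->freed;                     /* credentials still point at it */

    free(session_keyring);
    session_keyring = NULL;
    return uaf;
}

int main(void) {
    unsigned long u;
    int r = simulate_attack(join_session_keyring_buggy, REFCNT_WRAP - 1, &u);
    printf("buggy: usage before release = %lu, use-after-free = %d\n", u, r);
    r = simulate_attack(join_session_keyring_fixed, REFCNT_WRAP - 1, &u);
    printf("fixed: usage before release = %lu, use-after-free = %d\n", u, r);
    return 0;
}
```

With the buggy join, 0xFFFF leaked increments take the count from 2 all the way round to 1, so the single legitimate release hits zero and the object is freed while the credentials still point at it; with the fixed join the count never moves off 2. Scaled back up to the kernel's 32-bit counter, the same loop needs on the order of 2^32 syscalls, which is why the attack is slow rather than instant and why the usage column of /proc/keys climbs (and eventually goes negative) while it runs.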