
I recently found out that there are several vulnerabilities in the Linux kernel that allow for privilege escalation, that have not been patched yet in the major distributions, and that have public exploits on the usual sources. For example, I could get root on any of my completely up-to-date Ubuntu 10.04 systems using this very simple exploit.

This kind of worries me. Two questions arise:

  • Why has the Linux kernel not been patched for an exploit that has been around for 2 weeks? This sounds like a very dangerous situation to me.

  • Is there a safe way to give someone a guest account on my machine, given this situation? Or should I assume a guest account is more of a symbolic security measure, and only give accounts to people that I really trust?

Sam
Jeroen Ooms
    better suited to serverfault.com – KevinDTimm Sep 30 '10 at 20:08
  • Based on the Ubuntu package search, Lucid is several kernel versions behind (2.6.32). Are you sure that you have the most recent kernel (the latest stable in the source tree is 2.6.35.7: http://kernel.org)? The vulnerability might already be patched in the mainline kernel. – eldarerathis Sep 30 '10 at 20:10
  • @eldarerathis nope, it's still 0-day. – rook Oct 01 '10 at 03:01
  • @Rook: Ah, bummer. Good to know, and thanks for the info (since I didn't have time today to scan the recent changelogs myself). – eldarerathis Oct 01 '10 at 03:20
  • @eldarerathis Actually there is a patch, however it's not in the mainline because it needs to be tested. – rook Oct 01 '10 at 03:50
  • Fix out since September 17th for Ubuntu, I guess you have a problem with your updates. – shodanex Oct 01 '10 at 08:08
  • For future reference, unix.stackexchange.com (unix & linux SE site) –  Oct 01 '10 at 10:14

3 Answers

Most of the more—for lack of a better word—hardcore distros like Gentoo and Slackware have been patched for a week or so. Also, certain configurations were not vulnerable at all, and others were technically vulnerable, but not with the published exploits.

For the ultra-paranoid, here are some things you can do:

  • Patch your own kernel straight from the git branch. This is something that is fairly difficult to figure out the first time, but actually pretty easy to maintain once it is set up. Your distro of choice probably maintains their own public git branches for their kernels, which most likely merged in the published fix branch close to two weeks ago for testing. Even if they are waiting for it to go into the official upstream release, git makes it super easy to merge branches from many different sources, so you don't have to wait yourself.
  • Configure your kernel for the bare minimum of features you actually need. It is my understanding that this vulnerability isn't a problem if certain options needed for virtualization are turned off. By contrast, stock distro kernels enable everything to be able to cater to everyone. Also, the published exploit relies on the kernel symbol table being available in /proc/kallsyms. This option can be turned off and there's no reason most everyone would ever need it.
  • Use mandatory access control to give your guest users and internet-exposed apps the bare minimum privileges necessary.

The downside of all that precaution is that you're more likely to break your system, which is why most user-oriented distros take their time with testing.

Karl Bielefeldt

Actually a patch was written on September 14th and can be found here and here. However, this patch has not been merged over to the mainline. Kernel programming is very difficult. A patch can break compatibility or cause the system to behave incorrectly. Microsoft usually takes 1 month to write a patch for anything, even Notepad.

Oftentimes an attacker can compromise a user-level process such as one of your daemons (unrealircd or sendmail), or, even more likely, a web application like WordPress or PHP-Nuke. At this point the attacker has a user account and can obtain root if he needs it. So a privilege escalation exploit like this is often used in a chain with other exploits.

On a more concerning note, Torvalds is notorious for silent patches. This is also a pastime that Microsoft enjoys.

rook

According to lwn.net:

For the more community-oriented distributions (Debian, Fedora, openSUSE, Ubuntu, and others), the response has been somewhat mixed. Ubuntu, Debian, and Fedora had fixes out on September 17 for both bugs (or, in the case of Debian, just one, as its stable distribution ("Lenny") is based on 2.6.26 and thus not vulnerable to CVE-2010-3301). openSUSE has yet to release a fix and none of the secondary distributions that we track (Gentoo, Mandriva, Slackware, etc.) has put out a fix either.

So if your Ubuntu is really up-to-date, it should have been safe quite early. Plus, I remember seeing the update relatively soon after the bug was announced.

So either the fix is incorrect, or your system is not updated correctly, and has not been for something like two weeks. Kernel updates need a reboot of your system.

Where is the programming question, by the way?

shodanex
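Two defender-side checks that follow from the answers above, as an added example that is not part of any answer on this page: Karl Bielefeldt's point that the published exploit depends on a readable symbol table in /proc/kallsyms, and shodanex's point that an installed kernel fix does nothing until the machine is rebooted into it. Paths are parameters so the functions can be run against constructed sample files; the `--live` mode, `sort -V` (GNU sort) and the vmlinuz-* naming in /boot are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers.

# 1) Is the kernel symbol table readable by the current (ideally guest) user,
#    and does it carry real addresses? Prints one of:
#    absent, unreadable, masked, exposed.
kallsyms_exposure() {
    f="${1:-/proc/kallsyms}"
    [ -e "$f" ] || { echo absent; return 0; }
    [ -r "$f" ] || { echo unreadable; return 0; }
    # A table whose every address is all zeros has been masked for this user;
    # any non-zero address means kernel symbol addresses leak to the reader.
    if awk '$1 !~ /^0+$/ { found=1; exit } END { exit !found }' "$f"; then
        echo exposed
    else
        echo masked
    fi
}

# 2) Has the machine actually been booted into the newest installed kernel?
#    Highest version string among /boot/vmlinuz-* (GNU sort -V assumed).
newest_installed_kernel() {
    bootdir="${1:-/boot}"
    ls "$bootdir" 2>/dev/null | sed -n 's/^vmlinuz-//p' | sort -V | tail -n 1
}

# Returns 0 (true) when the running kernel is not the newest installed one,
# i.e. a fix may be installed but the vulnerable kernel is still running.
reboot_needed() {
    running="$1"
    newest="$(newest_installed_kernel "$2")"
    [ -n "$newest" ] && [ "$running" != "$newest" ]
}

# Live usage (assumed invocation; run as the unprivileged guest user):
#   sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "kallsyms: $(kallsyms_exposure)"
    if reboot_needed "$(uname -r)" /boot; then
        echo "reboot needed: running $(uname -r)," \
             "newest installed $(newest_installed_kernel /boot)"
    fi
fi
```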