[SCADASEC] Major Linux security hole found

Bob Radvanovsky rsradvan at unixworks.net
Tue Feb 12 11:47:00 CST 2008 

URL: http://www.linux-watch.com/news/NS8844914464.html?kc=EWKNLLIN021208FEA1

Feb. 11, 2008
Security, the experts like to tell us, is a process, not a product.

With open source that can be a very good thing since when security problems are found they can be fixed quickly. That's the case over this last weekend, Feb. 9-10, when a security problem was found, and given a hot fix, n the 2.6.17 to the most recent production Linux kernel, 2.6.24.1.

The problem's exploit was first shown on the security site Milw0rm. The specific trouble is with the kernel system call sys_vmsplice.

This system call moves data from a user space memory address range via a pipe to another destination. Like its relations, splice, which reads and writes data to/from the buffer and tee, which is commonly used to display a program's output and sends it into a file, this is a data transfer system call. It is primarily used in virtual memory management. Thus, in and of itself, end-users will never directly encounter it.

However, thanks to the release of exploit code, a user with just a bit of knowledge on how to compile his or her own program in Linux will be able to exploit a server. The bug's effect is, in those versions of Linux using these kernels with this system call compiled in, to enable ordinary users with shell access to obtain root, superuser privileges. The security hole has been demonstrated in Debian, Fedora and Ubuntu.

It can be safely expected that the problem is present in other Linuxes.

There is no perfect patch for the problem at this time. There is, however, a hot fix, which prevents if from being exploited in at least some systems. The Linux kernel developers are hard at work on coming up with a universal fix for the problem. Once a permanent repair is available, the Linux distributors are expected to release it as a security patch within hours.

In the meantime, system administrators can, if they feel the need, recompile the kernel with the hot fix code. If not, system managers of multi-user systems should keep a close eye on their user and root logs to spot any unauthorized system-wide changes by hacker-minded users.


Steven J. Vaughan-Nichols

More information about the scadasec mailing list