[SCADASEC] Major Linux security hole found
Clint Bodungen
clint at cidgcorp.com
Tue Feb 12 12:29:54 CST 2008
Yet another vulnerability caused by a buffer overflow. Fortunately this one
is not a remote root exploit, which could give a hacker complete control
over the system from a remote system. The hacker must first have already
gained user access to the system, which also means he is already on the
network where the system resides and other security measures have already
failed. Therefore, in order to minimize risk and exposure to this
vulnerability, tighten up your remote access security. Double check
firewall rules and access lists, disable unused accounts, make sure your
passwords are strong, etc., etc., etc. Of course, be sure you check for
impact to other critical applications and systems before making any changes.
This one is not that big of a deal if you have done your due diligence on
your other security layers.
Clint
-----Original Message-----
From: scadasec-bounces at news.infracritical.com
[mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob
Radvanovsky
Sent: Tuesday, February 12, 2008 11:47 AM
To: scadasec at news.infracritical.com
Subject: [SCADASEC] Major Linux security hole found
URL: http://www.linux-watch.com/news/NS8844914464.html?kc=EWKNLLIN021208FEA1
Feb. 11, 2008
Security, the experts like to tell us, is a process, not a product.
With open source that can be a very good thing since when security problems
are found they can be fixed quickly. That's the case over this last weekend,
Feb. 9-10, when a security problem was found, and given a hot fix, in the
2.6.17 to the most recent production Linux kernel, 2.6.24.1.
The problem's exploit was first shown on the security site Milw0rm. The
specific trouble is with the kernel system call sys_vmsplice.
This system call moves data from a user space memory address range via a
pipe to another destination. Like its relations, splice, which reads and
writes data to/from the buffer and tee, which is commonly used to display a
program's output and sends it into a file, this is a data transfer system
call. It is primarily used in virtual memory management. Thus, in and of
itself, end-users will never directly encounter it.
However, thanks to the release of exploit code, a user with just a bit of
knowledge on how to compile his or her own program in Linux will be able to
exploit a server. The bug's effect is, in those versions of Linux using
these kernels with this system call compiled in, to enable ordinary users
with shell access to obtain root, superuser privileges. The security hole
has been demonstrated in Debian, Fedora and Ubuntu.
It can be safely expected that the problem is present in other Linuxes.
There is no perfect patch for the problem at this time. There is, however, a
hot fix, which prevents it from being exploited in at least some systems.
The Linux kernel developers are hard at work on coming up with a universal
fix for the problem. Once a permanent repair is available, the Linux
distributors are expected to release it as a security patch within hours.
In the meantime, system administrators can, if they feel the need, recompile
the kernel with the hot fix code. If not, system managers of multi-user
systems should keep a close eye on their user and root logs to spot any
unauthorized system-wide changes by hacker-minded users.
Steven J. Vaughan-Nichols
_______________________________________________
To unsubscribe from this mailing list, please visit:
http://news.infracritical.com/mailman/listinfo/scadasec
To review our privacy statement, please visit:
http://www.infracritical.com/privacy.html
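The forwarded article names the affected kernels as 2.6.17 through the then-current 2.6.24.1. A first triage step on a fleet of multi-user hosts is simply to find which machines report a release in that range. The program below is an added example, not code from the article, the list, or the kernel developers; it parses the release string from uname(2) into its numeric components and compares it against the range the article gives, treating that range as an inclusive interval and assuming nothing about releases after the article's date (those must be checked against the vendor's own advisory). It cannot tell whether a distribution has backported the fix into a kernel whose version string still falls inside the range, so a "yes" here means "verify against your distributor's security notice", not "confirmed vulnerable".

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

/* Parse the leading "major.minor.patch.sub" numbers of a kernel release
 * string such as "2.6.24.1" or "2.6.22-14-generic" into v[4].
 * Components not present in the string are set to 0.
 * Returns the number of numeric components parsed (0 on malformed input). */
static int parse_release(const char *rel, int v[4]) {
    int n = 0;
    const char *p = rel;
    for (int i = 0; i < 4; i++) v[i] = 0;
    while (n < 4 && *p >= '0' && *p <= '9') {
        char *end;
        long x = strtol(p, &end, 10);
        v[n++] = (int)x;
        p = end;
        if (*p != '.') break;   /* a '-' or other suffix ends the version */
        p++;
    }
    return n;
}

/* Lexicographic compare of two four-component versions. */
static int cmp4(const int a[4], const int b[4]) {
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Returns 1 if the release lies within [2.6.17, 2.6.24.1] inclusive,
 * the range the article names; 0 if it lies outside it; -1 if the string
 * does not start with at least "major.minor". Range bounds are taken from
 * the article; later releases are simply outside the range by construction. */
int in_affected_range(const char *rel) {
    static const int lo[4] = {2, 6, 17, 0};
    static const int hi[4] = {2, 6, 24, 1};
    int v[4];
    if (parse_release(rel, v) < 2) return -1;
    return cmp4(v, lo) >= 0 && cmp4(v, hi) <= 0;
}

/* Stand-alone use: check the running kernel. Exit status 1 means the
 * release string is inside the range and warrants a look at the vendor
 * advisory; 0 means outside; 2 means the string could not be parsed. */
int main(void) {
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    int r = in_affected_range(u.release);
    if (r == 1)
        printf("%s: inside the 2.6.17-2.6.24.1 range; check distributor advisory\n", u.release);
    else if (r == 0)
        printf("%s: outside the 2.6.17-2.6.24.1 range\n", u.release);
    else
        printf("%s: unrecognised release string\n", u.release);
    return r == 1 ? 1 : (r == 0 ? 0 : 2);
}
```

Run it over SSH across the hosts in question (for example with a loop of `ssh host ./kcheck; echo $?`) and use the exit status to build the list of machines to patch first; the distribution suffix after the first '-' is deliberately ignored, since it does not affect the upstream version comparison.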