Feeds

Bug in latest Linux gives untrusted users root access

Protections for some, but not all

Build a business case: developing custom apps

A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.

The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution, short for Red Hat Enterprise Linux, doesn't properly implement that protection, Brad Spengler, who discovered the bug in mid October, told The Register.

What's more, many administrators are forced to disable the feature so their systems can run developer tools or desktop environments such as Wine.

The vulnerability was first reported by Spengler, a developer at grsecurity, a maker of applications that enhance the security of Linux. On October 22, he wrote a proof of concept attack for the local root exploit. Over the past few months, he has emerged as an outspoken critic of security practices followed by the team responsible for the Linux kernel.

"It's interesting to me that I picked it out two weeks before the people whose job it is to find this sort of stuff," he said Tuesday. "They've got entire teams of people and I'm just one person doing this in my free time."

In July, Spengler published a separate Linux exploit that drew considerable notice because it worked even when fully patched versions were running security enhancements. It targeted a separate null pointer dereference bug that was spawned when the OS was running SELinux, or Security-Enhanced Linux.

Spengler at the time criticized principal Linux developer Linus Torvalds for failing to take responsibility for the the critical issue, citing online comments in which he said: "That does not look like a kernel problem to me at all. He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?"

Spengler has also taken the Linux kernel developers to task for failing to fully disclose the extent of security bugs when they are patched.

The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. But to make RHEL compatible with a larger body of applications, that distribution is vulnerable to attack even when the OS shows the feature is enabled, Spengler said.

"They're putting their users at risk," he said. "They're basically the only distribution that's still vulnerable to this class of attack."

A Red Hat spokeswoman said patches for the versions 4 and 5 of RHEL and MRG are available here. An update for RHEL 3 is in testing and should be released soon.

He said many other Linux users are also vulnerable because they run older versions or are forced to turn off the feature to run certain types of applications. ®

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.