A new Linux kernel flaw, similar to the one that allowed hackers to penetrate key open-source development servers last year, has recently been discovered in Linux kernel 2.4.
The flaw is serious, because it can allow any user to run arbitrary code on a vulnerable system. The problem results from a flaw in the implementation of the do_mremap system call that manages virtual memory. The discoverer, Paul Starzetz of iSEC Security Research, says he knows the vulnerability exists in Linux kernel versions through 2.4.23 but warns that it may also affect the new 2.6 kernel. The original report was made on BugTraq.
Another Linux kernel threat involves a problem with the real-time clock routine, which may allow kernel data to leak and become visible to local users.
The Linux community is currently in a bit of turmoil because some folks want to push users into adopting the 2.6 kernel, while others feel it isn't ready for general deployment. Release 2.6 is designed to be more attractive to larger corporate users, specifically by better supporting servers with larger numbers of processors.
Applicability
This mremap flaw is found in all Linux kernel versions through 2.4.23 and possibly also the new 2.6 kernel.
Risk level: Critical
No elevated privilege is required to initiate the attack on do_mremap because any process can initiate the mremap call. A successful exploit of this vulnerability (several of which are already known) allows an attacker to run arbitrary code on the system. The real-time clock vulnerability carries only moderate risk.
Mitigating factors
Starzetz stated that he is unaware of any workarounds for the do_mremap vulnerability. The only mitigating factor for the real-time clock vulnerability is that it can only be exploited locally.
Fix: Patch or update
A new version of the 2.4 Linux kernel (2.4.24) was released on Jan. 5 to address the do_mremap vulnerability. Red Hat, SuSE, Guardian Digital, Turbolinux, and other vendors have also released patches for do_mremap for their Linux distributions.
Red Hat, EnGarde, and Conectiva all issued fixes for the real-time clock vulnerability on Jan. 5. Other vendors may have released fixes by the time you read this.
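To turn the Applicability and Fix sections above into a quick triage check, the following POSIX shell function classifies a kernel release string (as printed by `uname -r`) against the thresholds the article gives: 2.4 kernels through 2.4.23 are affected, 2.4.24 carries the fix, and the 2.6 series is listed only as possibly affected. This is an added example for this page, not code from the article, iSEC, or any kernel vendor; the function names and the sample release strings are my own.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the do_mremap
# advisory ranges stated in the article (2.4.x <= 2.4.23 affected, 2.4.24
# fixed, 2.6 "possibly" affected). Function names are my own.

# Reduce a distro-flavoured release string to its numeric core:
# "2.4.20-8smp" -> "2.4.20", "2.4.25-pre1" -> "2.4.25".
# If the input has no major.minor.patch prefix it is returned unchanged,
# which the caller detects as "unknown".
kernel_base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Print one of: vulnerable, patched, possibly-vulnerable, unknown
mremap_status() {
    base=$(kernel_base_version "$1")
    case "$base" in
        *[!0-9.]*|"") echo unknown; return 0 ;;   # not a version string
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        2.4)
            # Article: flaw present through 2.4.23; 2.4.24 released Jan. 5 with the fix.
            if [ "$patch" -le 23 ]; then
                echo vulnerable
            else
                echo patched
            fi ;;
        2.6)
            # Article: discoverer warns 2.6 "may also" be affected.
            echo possibly-vulnerable ;;
        2.[0-3]|1.*)
            # Article wording: "all Linux kernel versions through 2.4.23".
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# Stand-alone use: check the running kernel.
if [ -z "$MREMAP_CHECK_NO_MAIN" ]; then
    running=$(uname -r 2>/dev/null || echo unknown)
    echo "kernel $running: $(mremap_status "$running")"
fi
```

One caveat a practitioner should keep in mind: the vendor patches the article mentions (Red Hat, SuSE, Guardian Digital, Turbolinux and others) are typically backported without bumping the upstream version number, so a distribution kernel reporting 2.4.20 may already carry the fix. Treat a "vulnerable" result from a version-string check as a prompt to consult the vendor advisory for that exact package, not as a final verdict.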
Final word
Marcelo Tosatti, the team leader chosen by Linus Torvalds to maintain 2.4, has stated that 2.6 is mature enough to be used, that users should migrate from 2.4, and that he intends to "fix only critical/security problems" from 2.4.25 on. The first stable release of 2.6.0 was on Dec. 18, and some developers don't feel that it is quite ready for prime time. (Does this remind you of complaints about Windows updates?)
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2004 TechRepublic, Inc.
8-) Bit late, aren't you? Just come back on holidays to report when it's all over?