Linux Security Bug Affecting Tens of Millions of PC and Android Users

by Istvan Fekete on January 20, 2016

data-security_2283310bThe Perception Point Research team has identified a zero-day local privilege escalation vulnerability in the Linux kernel which has been present since 2012, and which affects tens of millions of Linux PCs and servers, and 66% of all Android devices.

While major Linux distributors are expected to release a fix for the privilege escalation bug as early as this week, the difficulty of pushing out Android updates to smartphones could leave many users in limbo for months, maybe even years.

The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, is the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can’t be accessed by other apps.

In a blog post published on Tuesday, Perception Point researchers say they discovered the bug only recently, and that they have reported it privately to Linux kernel maintainers.

To demonstrate the risk of the uncovered security flaw, they also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that’s executed by the kernel.

This bug is alarming, because it can be exploited in various ways: On servers, people with local access can use it to achieve complete root access, while on smartphones running Android versions KitKat and later, it can allow malicious apps to break out of the normal security sandbox and gain control of underlying OS functions.

Did you like this post? TheTelecomBlog.com publishes daily news, editorial, thoughts, and controversial opinion – you can subscribe by: RSS (click here), or email (click here).

Written by: Istvan Fekete. www.digitcom.ca. Follow TheTelecomBlog.com by: RSS, Twitter, Facebook, or YouTube.

Previous post:

Next post: