Newly discovered Linux bug chews on Android

Google is already squashing the latest Linux/Android bug to be discovered. Image: Mazeo/OpenClipArt.org

Since early 2013, a raft of Linux servers, machines running embedded Linux, and even some Android devices have been open to an attack that could allow an unprivileged user or application to execute code as a root user, according to a new report.

Security researchers at Perception Point have outed an issue that was originally introduced when Linux kernel version 3.8 was released almost three full years ago. It has yet to be patched.

As is standard practice in such things, Perception Point privately reported the security flaw to the Linux kernel maintainers while also creating a proof-of-concept exploit that demonstrates just what the flaw could expose users to.

Without getting too technical, the issue appears to revolve around Linux’s OS keyring. This allows the system to store things like certificates, encryption keys and other authentication items in an area that should be fenced off from other applications. Unfortunately, with kernel 3.8 in play, that isn’t strictly the case. Perception Point’s proof of concept replaces a keyring object stored in memory with code that’s executed by the kernel, giving unprivileged apps access to data they should never be able to see.

While the security flaw can be patched, Android and embedded devices face a similar problem: neither is easily updated. Embedded devices may never be updated, for example, while Android’s reliance on carriers and hardware manufacturers to approve and issue updates can prove, and has proven, problematic when it comes to getting timely security fixes into the hands of Android users.

Thankfully, Google thinks that those using Android devices may not be as vulnerable as first suggested. The company took to Google+ to defend itself, reporting that none of its Nexus devices are at risk due to this security flaw.

Google also said all devices running Android version 5.0 and above are safe, as the “Android SELinux policy prevents 3rd party applications from reaching the affected code.” Furthermore, many devices running Android 4.4 and earlier should also be safe since they are running a different version of the Linux kernel than the one affected.

All that being said, Google has already published a security fix for the open-source community, with that same patch already in the hands of the company’s partners. When that patch will roll out to the handsets in users’ hands, however, is anyone’s guess.