
Critical Linux Kernel network vulnerability found affecting all systems since Linux 2.6

Guest

Summary:

Quote

Apparently a Huawei developer has found with KASAN, a dynamic memory error detector built into the Linux kernel itself, and fixed, a very severe network vulnerability which is present in all Linux systems, has been around since Linux 2.6, and was found only today.
The CVSS v3.0 Severity and Metrics gives it a score of 9.8 CRITICAL.

It is a use-after-free vulnerability found in the networking subsystem's sockfs code, and it looks like it could lead to arbitrary code execution as a result.

Quote

In the Linux kernel through 4.20.10, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.


A fix is already released and will come to all Linux distributions in a couple of days, and will probably be backported to any supported Linux kernel versions.

I don't know if this affects Android too... I hope not. Because that would not be that fun, but, if I scared you too much, I think this bug is exploitable only from the physical machine itself

Source code:
https://github.com/torvalds/linux/blob/master/crypto/af_alg.c  this is the code
https://github.com/torvalds/linux/commit/9060cb719e61b685ec0102574e10337fa5f445ea this is the fix

(It's funny because it requires like... 4 lines of code?)

Article Source:
https://nvd.nist.gov/vuln/detail/CVE-2019-8912

https://www.phoronix.com/scan.php?page=news_item&px=KASAN-CVE-2019-8912

Edited by Guest
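The pattern the quoted CVE text describes, as an added example that is not part of the original post or the kernel source: a user-space C model in which a release routine drops its reference but leaves the pointer set, next to a version that clears it. All names (`sk_model`, `release_buggy`, `set_owner` and so on) are hypothetical, and a `live` flag stands in for the actual free so the stale access can be observed safely.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
struct sk_model     { int refs; int live; unsigned uid; };
struct socket_model { struct sk_model *sk; };
enum { SET_OK = 0, SET_NO_SK = -1, SET_STALE = -2 };

/* Drop one reference. Clearing `live` stands in for freeing the object,
 * so a later stale access is detected instead of corrupting memory. */
static void sk_put(struct sk_model *sk) {
    if (--sk->refs == 0) sk->live = 0;
}

/* Release as the CVE text describes it: the reference is dropped,
 * but sock->sk still points at the released object. */
void release_buggy(struct socket_model *sock) {
    if (sock->sk) sk_put(sock->sk);
}

/* Release with the member set to NULL after the put. */
void release_fixed(struct socket_model *sock) {
    if (sock->sk) {
        sk_put(sock->sk);
        sock->sk = NULL;
    }
}

/* A later attribute update on the same socket that trusts a non-NULL sk. */
int set_owner(struct socket_model *sock, unsigned uid) {
    if (!sock->sk) return SET_NO_SK;        /* clean error: nothing to update */
    if (!sock->sk->live) return SET_STALE;  /* in a kernel: write to freed memory */
    sock->sk->uid = uid;
    return SET_OK;
}

/* Release the socket, then attempt the update; returns set_owner's result. */
int run_scenario(void (*release)(struct socket_model *)) {
    struct sk_model sk = { 1, 1, 0 };
    struct socket_model sock = { &sk };
    release(&sock);
    return set_owner(&sock, 1000);
}

int main(void) {
    printf("buggy: %d, fixed: %d\n", run_scenario(release_buggy), run_scenario(release_fixed));
    return 0;
}
```

With the pointer cleared, the later caller takes its ordinary "no object" error path; with it left set, the non-NULL check passes and the released object is touched.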

wow. Time to update some stuff at work, lol

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


OH BOI

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


6 minutes ago, bcredeur97 said:

wow. Time to update some stuff at work, lol

4 minutes ago, rcmaehl said:

OH BOI

I think this is exploitable only from the physical machine itself... I didn't want this to become some clickbaiting cr*p xD

You can go to sleep peacefully today

 

 

Edited by Guest

2 minutes ago, Lukyp said:

I think this is exploitable only from the physical machine itself... I didn't want this to become some clickbaiting cr*p xD

You can go to sleep peacefully today

 

 

Yes, physical machine exploits should not be particularly concerning for the average person, but those are still serious liabilities and problems to make sure are fixed in corporate and government systems.

LINK-> Kurald Galain:  The Night Eternal 

Top 5820k, 980ti SLI Build in the World*

CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC //  Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB

Mass SSD: Crucial M500 960GB  // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds

Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Note 10+ - Surface Book 2 15"

LINK-> Ainulindale: Music of the Ainur 

Prosumer DYI FreeNAS

CPU: Xeon E3-1231v3  // Cooling: Noctua L9x65 //  Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333

HDDs: 4x HGST Deskstar NAS 3TB  // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS

 

 

 


@Lukyp It helps put it in perspective for normal non-Linux users and those too lazy. It'd be a good idea to note that Linux Kernel 2.6 came out in Dec 2003. So all Linux releases since Dec 2003 are affected.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


Time to run the good ol' "sudo apt update && sudo apt upgrade" or just type "system-update" as I have set it up in my bashrc file

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


Just gonna do the casual press the newest kernel and restart once I get home and be done with this one

I spent $2500 on building my PC and all i do with it is play no games atm & watch anime at 1080p(finally) watch YT and write essays...  nothing, it just sits there collecting dust...

Builds:

The Toaster Project! Northern Bee!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)

Spoiler

"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 


This is why you always set a pointer to NULL after releasing it.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


10 hours ago, Lukyp said:

(It's funny because it requires like... 4 lines of code?)

Do not forget that on macOS it required a BLANK password to enter the machine as root user LOL

These kinds of bugs that need physical interaction with the machine are less harmful, because if an attacker/hacker already has your machine there, well, you're screwed. Not that macOS bug. That's exceptional LOL :D Some programmer was VERY lazy checking the password.

Computer users fall into two groups:
those that do backups
those that have never had a hard drive fail.


Right now they find a ton of "old" security attacks...

"Hell is full of good meanings, but Heaven is full of good works"


28 minutes ago, Stefan Payne said:

Right now they find a ton of "old" security attacks...

I'm more worried about what we do not know until now, and how many of those kinds of vulnerabilities are used by security agencies


Just now, Lukyp said:

I'm more worried about what we do not know until now, and how many of those kinds of vulnerabilities are used by security agencies

Yeah, that is a possibility as well, sadly.

 

But we will see more of this stuff because the infrastructure (=OS and so) is based on really old code. And we need to burn it all down and start fresh with what we know today and make a better product.

 

Problem is that might be incompatible with old Software and thus a hard sell, sadly.

"Hell is full of good meanings, but Heaven is full of good works"


13 hours ago, Lukyp said:

I scared you too much, I think this bug is exploitable only from the physical machine itself

According to the NIST vulnerability report, it only requires network access - by clicking the 9.8 Critical part, it takes you to an explanation of the vulnerability categories, https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-8912&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

 

Kernel 4.20.10 is the latest version available for me on Fedora, though 4.20.11 (containing this fix) is in testing at the moment.

 

The vulnerability was found using an address sanitiser, so I'm not sure if anyone has actually managed to make it exploitable, or whether it's just a potential issue. In the Fedora tracker, it's marked as severity medium, so there are worse bugs around.

HTTP/2 203
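How the vector in the NVD link above becomes 9.8, as an added example that is not part of the thread or of NVD's tooling: a small C implementation of the CVSS v3.0 base-score equations with the specification's metric weights. The function names (`weight`, `metric`, `cvss30_base_tenths`) are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Numeric weight of one base metric value (CVSS v3.0 spec); -1 if invalid. */
static double weight(const char *m, char v, int changed) {
    if (!strcmp(m, "AV")) return v=='N' ? 0.85 : v=='A' ? 0.62 : v=='L' ? 0.55 : v=='P' ? 0.20 : -1;
    if (!strcmp(m, "AC")) return v=='L' ? 0.77 : v=='H' ? 0.44 : -1;
    if (!strcmp(m, "PR")) return v=='N' ? 0.85 : v=='L' ? (changed ? 0.68 : 0.62)
                               : v=='H' ? (changed ? 0.50 : 0.27) : -1;
    if (!strcmp(m, "UI")) return v=='N' ? 0.85 : v=='R' ? 0.62 : -1;
    return v=='H' ? 0.56 : v=='L' ? 0.22 : v=='N' ? 0.0 : -1;   /* C, I, A */
}

/* One-letter value of metric `name` in an "AV:N/AC:L/..." vector, 0 if absent. */
static char metric(const char *vec, const char *name) {
    size_t n = strlen(name);
    while (vec && *vec) {
        if (!strncmp(vec, name, n) && vec[n] == ':') return vec[n + 1];
        vec = strchr(vec, '/');
        if (vec) vec++;
    }
    return 0;
}

/* Base score in tenths (98 means 9.8), or -1 for a malformed vector. */
int cvss30_base_tenths(const char *vec) {
    static const char *names[] = { "AV", "AC", "PR", "UI", "C", "I", "A" };
    char s = metric(vec, "S");
    int changed = (s == 'C'), i, tenths;
    double v[7], iss, impact, expl, base, p = 1;
    if (s != 'U' && s != 'C') return -1;
    for (i = 0; i < 7; i++)
        if ((v[i] = weight(names[i], metric(vec, names[i]), changed)) < 0) return -1;
    iss = 1 - (1 - v[4]) * (1 - v[5]) * (1 - v[6]);     /* impact sub-score base */
    for (i = 0; i < 15; i++) p *= iss - 0.02;           /* (ISS - 0.02)^15 */
    impact = changed ? 7.52 * (iss - 0.029) - 3.25 * p : 6.42 * iss;
    if (impact <= 0) return 0;
    expl = 8.22 * v[0] * v[1] * v[2] * v[3];            /* AV * AC * PR * UI */
    base = changed ? 1.08 * (impact + expl) : impact + expl;
    if (base > 10) base = 10;
    tenths = (int)(base * 10);                          /* round up to one decimal */
    if (base * 10 - tenths > 1e-9) tenths++;
    return tenths;
}

int main(void) {
    const char *v = "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H";  /* vector from the NVD link */
    printf("%s -> %d tenths\n", v, cvss30_base_tenths(v));
    return 0;
}
```

Changing only the Attack Vector in that string to `AV:L` or `AV:P` (constructed variants, not values NVD assigned) yields 8.4 and 6.8, which is how much of the 9.8 rests on the network rating.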


6 hours ago, suicidalfranco said:

Time to run the good ol' "sudo apt update && sudo apt upgrade" or just type "system-update" as I have set it up in my bashrc file

So basically worse than windows automatic updates xD?
 

5 minutes ago, colonel_mortis said:

According to the NIST vulnerability report, it only requires network access - by clicking the 9.8 Critical part, it takes you to an explanation of the vulnerability categories, https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-8912&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

 

Kernel 4.20.10 is the latest version available for me on Fedora, though 4.20.11 (containing this fix) is in testing at the moment.

 

The vulnerability was found using an address sanitiser, so I'm not sure if anyone has actually managed to make it exploitable, or whether it's just a potential issue. In the Fedora tracker, it's marked as severity medium, so there are worse bugs around.

I do not know how CVSSv3 gives it a score of 9.8/10-critical though, the v2 7.5-high

And since it's an upstream bug Fedora may give it medium importance since it was not reported before, but it's rather a system update request, but idk honestly, what do they say in it?

Btw I'm just glad they fixed it immediately


20 minutes ago, Lukyp said:

So basically worse than windows automatic updates xD?

Nope (go over to the Linux section if you want to know more about why), there is a GUI for it but some members like to throw around the CLI method instead :D .

Edited by jagdtigger

That's why we need open source: found and fixed and a kernel being released. Since it's 1 small code change there is no need for heavy testing; this should be rolled out to all LTS and latest kernels.

That's why I like distros like Arch and Manjaro, you can easily install a new kernel without breaking anything, unlike Ubuntu and others that start having issues if you use the latest kernel and you don't benefit from Ubuntu patches from the standard kernel.


9 hours ago, Lukyp said:

So basically worse than windows automatic updates xD?


No. I could raise my hand over the mouse, drag it to the top left corner, click the dash icon, search for software update, click on it, and let it do its thing

But I prefer simply typing ctrl+alt+t, sys, tab, enter

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>
