Saturday, 11 March 2017

Linux: fix an existing bug for 11 years in the Kernel

The Linux developer Andrey Konovalov has released a fix for a very old bug indeed, present in the Linux kernel for 11 years.
The security hole lies in the kernel's implementation of the Datagram Congestion Control Protocol (DCCP), introduced in 2005.
The flaw can be exploited by malicious software on vulnerable devices, including to gain root privileges once a user is logged into their account.
With that local foothold, the attacker could exploit the vulnerability to compromise the whole system.
The programming gaffe itself lies in how the DCCP code handles a socket buffer (skb).

How does the Linux kernel bug work?

According to the announcement Konovalov made on the mailing list, an skb for a DCCP_PKT_REQUEST packet is forcibly freed via __kfree_skb in dccp_rcv_state_process if dccp_v6_conn_request returns successfully.
An attacker can then control which object takes the place of the freed skb and overwrite its content with arbitrary data.
If that object contains a function pointer that gets invoked, the attacker can execute arbitrary code in the kernel.
Konovalov notes that controlling the object and overwriting its content is done with one of the kernel heap spraying techniques.

At its core, the bug keeps the skb's address and its reference counter alive after the buffer has been forcibly freed, which opens a use-after-free that can be exploited.
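To make the reference-counting mistake concrete, here is a small user-space model of the skb lifecycle described above. It is an added example, not kernel code and not anything from Konovalov's report: the `model_*` functions and the `model_skb`, `model_request` and `outcome` structs are constructed stand-ins for the real skb, request socket and free routines. The buggy path releases the buffer unconditionally (the `__kfree_skb` behaviour the report describes) while a saved pointer still holds a reference; the fixed path drops only the caller's reference, which is what the upstream patch did by switching to the reference-counted `consume_skb`.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Constructed model of the skb lifecycle behind the DCCP bug. Nothing here is
 * kernel code: the structs and model_* functions are stand-ins chosen to make
 * the reference-counting mistake visible in a user-space program.
 */
struct model_skb {
    int users;   /* reference count, like skb->users */
    int freed;   /* how many times the backing memory has been released */
};

struct model_request {
    struct model_skb *pktopts;   /* stand-in for the saved skb pointer (ireq->pktopts) */
};

struct outcome {
    int uaf_accesses;   /* touches of an skb whose memory was already released */
    int times_freed;    /* releases of the skb memory; exactly 1 is correct */
};

/* Model of __kfree_skb: releases the memory unconditionally, ignoring users. */
static void model___kfree_skb(struct model_skb *skb, struct outcome *o)
{
    if (skb->freed)
        o->uaf_accesses++;   /* releasing already-released memory is a use-after-free */
    skb->freed++;
    o->times_freed++;
}

/* Model of kfree_skb/consume_skb: drop one reference, free only on the last one. */
static void model_kfree_skb(struct model_skb *skb, struct outcome *o)
{
    if (skb->freed) {
        o->uaf_accesses++;   /* reading the refcount of released memory */
        return;
    }
    if (--skb->users == 0)
        model___kfree_skb(skb, o);
}

/* Model of dccp_v6_conn_request when packet options are recorded: keeps the skb. */
static int model_conn_request(struct model_request *req, struct model_skb *skb)
{
    skb->users++;          /* extra reference backing the saved pointer */
    req->pktopts = skb;
    return 0;              /* success */
}

/* Model of dccp_rcv_state_process; use_fix selects the buggy or the fixed release. */
static void model_rcv_state_process(struct model_request *req,
                                    struct model_skb *skb, int use_fix,
                                    struct outcome *o)
{
    if (model_conn_request(req, skb) != 0)
        return;
    if (use_fix)
        model_kfree_skb(skb, o);     /* drops only the caller's reference */
    else
        model___kfree_skb(skb, o);   /* bug: frees while req->pktopts still points at it */
}

/* Later teardown of the request releases the saved skb, as the kernel does. */
static void model_request_teardown(struct model_request *req, struct outcome *o)
{
    if (req->pktopts) {
        model_kfree_skb(req->pktopts, o);
        req->pktopts = NULL;
    }
}

/* Runs one request lifecycle and reports what happened to the skb. */
struct outcome run_lifecycle(int use_fix)
{
    struct model_skb skb = { .users = 1, .freed = 0 };
    struct model_request req = { .pktopts = NULL };
    struct outcome o = { 0, 0 };

    model_rcv_state_process(&req, &skb, use_fix, &o);
    model_request_teardown(&req, &o);
    return o;
}

int main(void)
{
    struct outcome bug = run_lifecycle(0), fix = run_lifecycle(1);
    printf("buggy: freed %d time(s), %d use-after-free access(es)\n",
           bug.times_freed, bug.uaf_accesses);
    printf("fixed: freed %d time(s), %d use-after-free access(es)\n",
           fix.times_freed, fix.uaf_accesses);
    return 0;
}
```

In the buggy run the memory is released while a live reference remains, so the later teardown touches freed memory; in the fixed run the buffer is released exactly once, at the moment the last reference goes away. The `uaf_accesses` counter is the model's stand-in for what a kernel sanitizer such as KASAN would flag on real hardware.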
The fix has been released to the Linux community to limit the exposure of DCCP instances.
You are strongly advised to update your system as soon as your distro ships the patch. In the meantime, you can remove the buggy DCCP module from your kernel so that it cannot affect the security of your system.
