A high severity vulnerability that existed in the Linux kernel since version 3.16 through 4.18.8 was disclosed by a cybersecurity researcher with Google Project Zero. He has revealed the details and a proof-of-concept (PoC) exploit.
The kernel vulnerability dubbed as (CVE-2018-17182) is a cache invalidation bug in the Linux memory management subsystem that leads to use-after-free vulnerability, which if exploited, could allow an attacker to gain root privileges on the targeted system.
The use-after-free (UAF) vulnerabilities are a class of memory corruption bug that can be exploited by unprivileged users to corrupt or alter data in memory, enabling them to cause a denial of service or escalate privileges to gain administrative access on a system.
Linux Kernel Exploit Takes an Hour to Gain Root Access
The researcher is a white hat hacker Jann Horn, and he says that his PoC Linux kernel exploit which was made available to the public takes about an hour to run before popping a root shell.
Horn reported the vulnerability to Linux kernel maintainers on September 12, and the Linux team fixed the issue in his upstream kernel tree within just two days.
The Linux kernel vulnerability was disclosed on the oss-security mailing list on September 18 and was patched in the upstream-supported stable kernel versions 4.18.9, 4.14.71, 4.9.128, and 4.4.157 on the next day. Also, there is a fix in release 3.16.58.
Debian and Ubuntu Linux Left its Users Vulnerable for Over a Week
Horn noted that “However, a fix being in the upstream kernel does not automatically mean that users’ systems are actually patched.”
He was upset to know that some major Linux distributions, including Debian and Ubuntu, made their users open to potential attacks by not releasing kernel updates more than a week even after the vulnerability was made public.
As of Wednesday, both Debian stable and Ubuntu releases 16.04 and 18.04 had not patched the vulnerability.
The Fedora project however rolled out a security patch to its users on 22 September.
“Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27,” Horn noted.
“Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users—especially if the security impact is not announced publicly.”
In response to the Horn’s blog post, the maintainers of Ubuntu says the company would possibly release the patches for the Linux kernel flaw around October 1, 2018.