“Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

Discussion in 'all things UNIX' started by lotuseclat79, Oct 21, 2016.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  2. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    9 years. That says it all. The many-eyes argument doesn't hold up.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Because a few bugs escaped the human eye. Oh yeah, that disproves the "many eye balls" argument, for sure ;)
    It's like saying "No, most people don't sleep 8 hours on average, because I know a few friends that sleep 3, 5, and 12 hours".

    EDIT: As you clearly didn't look at the comments on that link: Linus himself explained that he found the bug 9 years ago, the fix was pushed, but it had to be undone.

    So yeah, the many eye balls argument still stands. Especially considering Linux only has 2 serious vulnerabilities in 12 years.
     
    Last edited: Oct 21, 2016
  4. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    Not serious because attacks against UNIX are few and far between.

    There are lots of other things demanding attention.
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Linux is not Unix, i.e. they are two different beasts, and definitely not the same - similar, but not identical.

    -- Tom
     
  6. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    No software is perfect. I've been railing in other communities against people who say things like "Linux is immune to exploit" and other such foolish nonsense for a long time. That said, what is the alternative?

    If you think your closed-code Windows 7 is any better, you are sorely mistaken. Basically, if Microsoft developers don't see the exploit, no one will know until someone exploits it repeatedly and it becomes a problem. Windows has been pwned many, many, many times over; even if you account for per-capita usage, Windows is much more commonly pwned. Linux has more bug reports... because more people can see the code.

    Rest assured state actors have a "toolkit" of exploits for any platform in existence. If you want any meaningful protection you need layers like grsecurity/MAC/sandbox and you need a system with a very small footprint.

    If you need absolute security, move into a cave and never leave it.

    **EDIT** This doesn't even take into account that Windows itself now acts like malware- it serves the interests of others as much as it does its users (especially Windows 10). You can't trust a single thing it does, because you can't see the code that shows what it does. It could be collecting insane amounts of information and you'd never know. All you can do is trust Microsoft (no thanks).

    **EDIT 2**
    So in essence, you'd need local access to a logged-in computer where you had access to a shell (such as bash). Alternatively, you would need to hit a vulnerability in a web browser or web-facing application where you could upload a file and execute it. Any decent AppArmor profile will entirely prevent this exploit. Most directories couldn't be accessed anyway, and even if they could, AppArmor wouldn't allow execution within that directory unless you specifically added that capability in its profile for the application. Anyone setting up AppArmor knows that allowing execution should be done on the specific executable (/usr/lib/firefox/firefox for example) to avoid this very type of exploit.

    The install that I'm writing this from is immune to this particular exploit, and I didn't even know it existed. It's also been immune to every Linux ransomware variant I've found info on for the very same reason. This is not fanboyism, this is fact. You simply can't prevent Windows from getting pwned no matter what you do.
     
    Last edited: Oct 21, 2016
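    The exec restriction Anonfame1 describes above (execution allowed only for the specific browser binary, never for anything the browser itself can write) as an added example AppArmor profile fragment; this is not from the thread or from any distro's shipped profile. Only the /usr/lib/firefox/firefox path comes from the post; the download and scratch directory paths are assumptions for illustration.

```apparmor
# Added example, not from the thread: a minimal AppArmor profile fragment for
# /usr/lib/firefox/firefox (path taken from the post above). The browser may
# write downloads and scratch files, but nothing it writes may be executed,
# so "upload a file and run it" stops at the exec step. Paths other than the
# browser binary are assumptions for illustration.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>

  # The only program this profile may execute is the browser binary itself,
  # and it inherits (ix) this same profile when it does so.
  /usr/lib/firefox/firefox ix,

  # Weak setting (kept commented out): a blanket rule that makes the download
  # directory both writable and executable, which is exactly the combination
  # the post warns against.
  #   owner @{HOME}/Downloads/** rwix,

  # Corrected setting: writable, but explicitly not executable. An explicit
  # deny also wins over any broader allow rule added later by mistake.
  owner @{HOME}/Downloads/** rw,
  deny  @{HOME}/Downloads/** x,

  # Other writable scratch locations the browser needs, also non-executable.
  owner /tmp/** rw,
  deny  /tmp/** x,
  owner /dev/shm/** rw,
  deny  /dev/shm/** x,

  # Everything else the browser touches is read-only; anything not listed
  # here is denied by AppArmor's default.
  /usr/lib/firefox/** r,
  /usr/share/** r,
  /etc/** r,
}
```

    Load such a fragment in complain mode first (aa-complain) and review the audit log before switching to enforce, so that legitimate helper processes the browser spawns are discovered rather than silently blocked.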
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Local access - not relevant or important for home users.
    Mrk
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @Anonfame1: Good post :thumb:

    FWIW, Red Hat-based distros and Fedora were not vulnerable to those exploits as SELinux restricts write operations to /proc/self/mem.
     
  9. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    A well balanced post, thank you. I am not surprised that bugs are found in Linux, but I'm surprised a) it wasn't discovered for almost a decade, b) and, if I got it right, there was a bug report but nobody bothered to address it, or it was forgotten for some reason. That's sloppy.

    I agree that the alternative perhaps isn't so much better, but at least there are tools, easily manageable by anyone who's able to click and install.
    With Linux you must know your system in order to make it secure. With Windows I think it's more straightforward.
    Try configuring grsecurity, snort etc. in Linux and compare it to an EMET installation, for instance. Day and night difference.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I disagree. First of all, Linux is more secure than Windows out of the box for various reasons. Secondly - which Linux desktop user needs snort? Regarding grsecurity: You only want it as a desktop user if you're paranoid. On the other hand, on many distros AppArmor or SELinux are installed by default - something which isn't available in Windows at all, IMHO. Finally, there is Firejail: Its installation and configuration is a breeze.
     
  11. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I think, with Vista-W7 the security has improved considerably. Perhaps not on par with Linux out of the box but to me the unix concept has been embraced by Microsoft.
    On the other hand it's easier to get lazy with a Linux system because many users assume their system is more or less bulletproof, which in many cases I think simply isn't true. I think you have to be proactive to secure a system, be it Linux, Windows or any other OS of choice.

    We're paranoid users. Otherwise we'd not hang around at Wilders. ^^

    It's been a while since I used Linux. Perhaps there's a security oriented LTS distro out there with grsecurity, SELinux and apparmor activated by default?
     
  12. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    :)

    Good to know as well...
    It was sloppy, but things happen. Microsoft has quite a few of its own security blunders- far more than the Linux kernel team itself has. Most vulnerabilities that occur in the Linux sphere occur in software within the ecosystem but outside the kernel.

    Linux also has another security advantage. I don't think it's formally acknowledged, but I like to think of it as "security by complication." There are so many different distros with so many different software versions, so many different security strategies and with so many variances in setup overall that it is very difficult to write something that will have any significant success over all Linux instances. This is also what makes writing games etc. more difficult and it makes entering the Linux world more intimidating, but it also has the benefit of fending off potential threats.

    Linux encourages users to know their system- that is a primary and fundamental difference between Linux (or really most UNIX based systems) and Windows. Microsoft's entire approach is to hide the OS from the user to make it more simple and more secure, while Linux has always been about showing the OS to the user to make it more simple and more secure. Traditionally, Linux has been more intimidating up front while being easier to understand in the long run, and for this very approach. However as technologies have evolved, Linux distros like Mint, K/X/Ubuntu, and Fedora have shifted the burden of knowledge onto the distro providers themselves. Yeah, I use Arch and that is certainly not new-person friendly, but I'm fine with that because I've been a Linux head for a while now.

    Further, setting up "grsecurity" isn't difficult- it's literally either choosing a distro that uses it already, or simply installing a kernel and pax agent yourself. On Arch that is literally: pacman -S linux-grsec paxd. On other distros it may be a little more difficult, but that depends. Debian has a grsecurity kernel easily available now for example. Fedora and Ubuntu? Not so much atm...

    I don't use Snort, and sitting behind a firewalled router I don't really see a need. Regardless, Windows intrusion detection is full of its own problems- most easy options are way too eager to inform of an "intrusion" as sort of a way to justify their expense and effort.
    Security on Windows is sort of like having a massive dam with thousands or tens of thousands of holes- new technologies plug a few, while age makes a few more. Further, you can't see the dam because the government has decided it's Top Secret, and so only a small group of people can spot holes or try to fix them. The Linux approach is to consider the building technique of the dam to limit the holes, and then shine spotlights on it and invite anyone to come and find any holes. This is a wild example of course...

    Unix variants are built on the Discretionary Access Control (DAC) model- each program is given the rights to the filesystem in accordance with the rights of the user who launched the program. Windows UAC and other crap is a shallow shell of a copy in comparison. Windows needs to rebuild from its core with some form of access control (that can't be easily defeated or tricked), but can't as it would break backwards compatibility with existing Windows software. Unix further has Mandatory Access Control (MAC) options, which is where filesystem access is granted based on what rights an application is given according to a policy file- one specifically set up by the system administrator. This is what AppArmor/RBAC/SELinux/Tomoyo are. It's actually more complicated than this- they can limit access to syscalls and memory regions etc. depending on how they are utilized- but you get the general point.

    I do agree it is easy to get lazy with a Linux system. It has such a good track record that people feel invulnerable and don't seek to harden their setups. I obviously (running grsecurity/pax/apparmor/firewall/etc) feel this is a risky approach, but to each their own. It IS more bulletproof than Windows- no question and even bone stock- but it only takes one bullet to kill you. That's the approach I take- try to use as many layers of defense as possible, so long as they aren't redundant or don't increase attack surface.
     
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I'm surprised you either didn't read my post or didn't research this bug at all. These are the only explanations to not seeing that it was discovered 9 years ago, had a patch pushed, but had to be reversed.

    See above.

    Sloppy is when someone doesn't research before posting :thumb:

    The security difference between these two (GRSec and EMET) are also night and day.

    I can easily remember a recent event where Microsoft leaked the golden keys to secure boot or UEFI (or related).

    I don't think Microsoft has ever had the real intention of improving Windows' design to make it more secure. The OS design has been practically the same since what, Windows 95? They did improve quite a lot with Vista, and that happened by somewhat following the Unix/Linux way of preventing privilege escalation. It's a nice tool to prevent system-wide infections (although it can be bypassed sometimes).

    Although not a bad one.

    The OSS approach is kinda like having your security system open to everybody in the world. This makes it possible for any "white hat" researcher to come, analyze its efficiency, and plug the holes. The good thing is that there are far more good "hackers" than bad ones, and so it is difficult for a "black hat hacker" (or any malicious organization for that matter) to find something that the good guys haven't already found.

    Not to mention the freedom to copy this system, change it the way the user wants, etc. This is not possible on Windows, not without a serious lawsuit afterwards (for most people).

    Which is one of the reasons Windows is a dead project for the future, I think even Microsoft has realized that. No option to change filesystems (still stuck with that crap NTFS), no easy option to use a custom open Kernel, sales going down every year, still a very poor security model (although improved a lot since XP), etc. I even recall some serious talk on Phoronix about Microsoft switching to the Linux Kernel, because an in-house Kernel is so expensive to produce and maintain.

    @Anonfame1 your posts are always a pleasure to read, very detailed and always educational.
     
  14. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    How is that (the bold sentence) any better?
    2 serious vulnerabilities in 12 years: I think you must be referring to OpenBSD?
     
  15. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    1. Many different software versions argument: Ok, you have a point, but in general I don't think security by obscurity is a real security measure. I could use that argument with Windows unless you're specifically thinking of Gnome/KDE/XFCE specially.
    And most distros update the software to the most updated versions sooner or later, so I don't see the heft of the argument.

    2. Finding the right distro that has : a) immaculate security patching scheme (Mint didn't /doesn't, CentOS had issues for years etc), b) basic and necessary security set-ups out-of-the-box is probably not easy for someone who wants to try Linux or the first thing they are looking for because Linux users have been telling them for years that Linux is bulletproof. Separation of user land and kernel is way better in Linux but is that enough? I'm thinking of user-land malware that doesn't care if it doesn't gain system privilege all it wants is your personal stuff. AFAIK, here Linux out-of-the-box does not excel at all. You can execute anything you want in your /home directories.

    3. I don't think NTFS' Access Control is that bad. It's underrated and pretty fine grained if you're willing to do some work. We don't have Apparmor/Selinux and now that's a pity.
     
  16. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Yeah. Few serious bugs that were there for years. Mind you, Mr. Torvalds thinks security oriented people are ********** monkeys. He doesn't care about security. To him, a bug is a bug.
    The only saving grace is that Linux is POSIX-like, hence has some inherent security built in, derived from Unix-like OSes.
     
  17. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Please recommend a renowned LTS distro that applies security patches as they become available and has Pax/Grsecurity/SELinux activated out of the box and vast software repo e.g. Debian!
    I love W7, but their new security quality roll-ups that push all or nothing to my system are making me consider abandoning W7 earlier than 2020.
    No Archlinux please, too much work and no one-man-distro.
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I'm not sure that was the point of it. It was to refute your argument that "it wasn't discovered" or that "nobody cared to address it", which are both false claims.

    No, the Linux Kernel.

    And?

    That's his right, though.

    Yet another false claim you make. If you look at what grsecurity is doing to current stable Kernel, you'll see that the vast majority of the patches are integrated into linux-git very soon after grsec releases them. If Linus really didn't care about security, he wouldn't apply these patches upstream.

    To test this, you can download the grsec testing patch, download linux-git, and then try to patch the git Kernel with it. Tell us the results, please.

    Which is true. And in fact I agree with him on the stance of not marking security bugs as such, because it's easier for malicious people to exploit it before most users are patched.

    As explained above, not really. And even if you look at, say, OpenBSD, you'll see it's not so secure. Sure, the CORE of the OS is secure, but 3rd-party programs (such as the KDE suite) never receive nearly as much code review as the base system.
    Besides, I don't remember seeing any RBAC approach for OpenBSD.

    I'm not aware of any LTS distro that has grsec, not by default. Debian Stable has grsec, but you have to enable the backports repo because, currently, grsec is only free on the testing patches, which are always changing and almost always on the latest kernel.

    It's not hard to compile your own Kernel with grsec. The Wiki page "Re-compiling a Debian Kernel" has everything you need to know.

    However, I'd recommend learning Arch and installing grsec there, because Debian's grsec can be very hard on you if you play games (even though kernel.pax.softmode=1 could be set, you still won't have a fully functional steam client).

    See my github repo -> Arch -> Grsec. There you'll see how easy it is to install and use grsec on Arch (with the FOSS drivers, of course).
     
  19. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    1. 2 serious vulnerabilities in 12 years - references please.

    2. Linus has the right to say whatever he wants. But if security is taken seriously why was the patch pulled back? It broke exactly what? If it broke something, is it better to leave the system open to attacks? If security was taken seriously it's not enough to provide the framework for grsecurity et al. I suggest it's better to make it secure from the beginning by activating those features by default.

    3. No, I don't agree. A security bug announcement will make people patch their computers. If it's an unknown bug you probably aren't as eager to patch it. It's like those recommended updates MS update keeps throwing at me - I don't install those. And obviously as a programmer you don't announce a zero day before you know how to patch it, that's not how it works.

    4. I've tried Arch for a couple of years, liked it but it broke too frequently. That's why I need a set and forget system.
    I'll look further. Thanks for the tips though.
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Security is worthless if it breaks functionality. The compatibility and sanity of hundreds of thousands of servers is more important than some random security vulnerability, especially if it's local. In big enterprises, application support and kernel drivers/functionality are infinitely more valuable. You don't play with the kernel just because someone feels paranoid.

    Mrk
     
  21. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    Mrk is right.

    Linux suffers from too many regressions and introducing another one won't improve it.

    In real life, few exploits do any significant damage and no one writes malware for Linux.

    There's no real money to be made in comparison to Windows.
     
  22. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    .... my edit above

    Arrh , thank you ! .... the voice of reason .

    For " the average Joe " who is happily using GNU / Linux , there is nothing here to worry about .
     
  23. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Excuse me, but your assertion that "no one writes malware for Linux" is just not true. And why is that you muse? It is because Linux is the preferred server for websites around the world - and, it is not usually the Linux kernel software that is targeted, but other software that is vulnerable outside of the Linux kernel on the server that provides the gateway to the malware.

    -- Tom
     
  24. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    :)

    1. Correct me if I'm wrong, but isn't "security through obscurity" the method used by Microsoft with Windows? The biggest issue with most Windows installs is that the updating of applications is handled in whatever way a particular application chooses to update- often users are sitting on applications with security vulnerabilities because they haven't updated them (fortunately there are utilities to address this). The model of a general Linux distro solves this by having the package manager check everything for updates, and thus apps are updated too. I'm just saying- look at package versions between Debian Jessie and Arch- they are vastly different and make writing malware that would work on both more difficult- NOT impossible. I'm not really offering this as a security strategy but rather as something that often accidentally helps.

    In terms of user-land malware, I tend to agree with you. This is the main reason I run AppArmor actually- to entirely prevent this sort of thing from happening. As I said above, the latest exploit found on Linux wouldn't work for me unless you had local access to an unlocked system- AppArmor would prevent it from succeeding over the net. As you later mention, Windows has nothing that can compete with the MAC options on Linux.

    2. You have me here- this is a battle the security-minded folk have been fighting a while now in Linux land- but things are changing. Arch has taken so many massive steps towards security (and just announced yet another) it's truly impressive, and Debian has as well. To directly answer you, all I can say is that Debian can meet your goal with only the encumbrance of enabling another repo and using APT/synaptic to install the grsecurity kernel. At that point, it will do exactly what you want- you will have the Debian Security Team backporting security fixes constantly, grsecurity/pax, and you will have AppArmor available for setup. Arch comes close, but can be lax about patching especially when a new upstream version of a vulnerable package is due to be dropped with a fix soon after, and as well requires linux-grsec be recompiled for AppArmor support (unless you can pull off Tomoyo, which never gave me much luck). I should note that Arch was very quick to fix the BASH bug (with a patch) and this latest one, so...

    3. Perhaps not, but as you say, without any userspace utilities to take advantage of its access control, it's basically a moot point. I haven't researched NTFS enough to be an authority on this matter, but I can say I hate the filesystem with a passion (every instance of data loss I've ever had has been due to NTFS- never any on a Linux FS whether ext3, xfs, jfs, ext4, or even BTRFS). I'm sure it's improved much since then...

    I think the biggest, most overarching data points to gather from this conversation are that- like anything human- both Linux and Windows have security issues to address. Linux has a better base, but has in the past been lax in attitude (now changing). Windows had a more proactive attitude, but an inferior product. Linux has much better tools available (namely the various MAC implementations, but also firejail, which is like sandboxie on steroids), but needs to be better about proactively using them. At least at this point, Linux users have fairly easy options in this regard- Windows users are going to keep getting pwned because the base design (in terms of security) sucks.

    I would remind again- my Arch install with grsecurity/pax/AppArmor/firejail/paxd/iptables doesn't give me any more trouble than a plain Arch install... other than having to recompile linux-grsec from ABS for AppArmor support. I say this only to point out how little of a time burden improved security can be nowadays in the Linux world.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    But Debian and Arch are not used in enterprises, big companies or supercomputers.
    Security is contrary to actual productivity, believe it or not.
    Mrk
     