“Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

Discussion in 'all things UNIX' started by lotuseclat79, Oct 21, 2016.

  1. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Can I ask what angle you're coming at here? Do you mean that distros shouldn't focus on security at all, that there is a line, or what? I guess I understand what you mean in that security concessions require more time that could be spent towards productivity, but surely there is a line: corporate espionage, time lost due to damaged or compromised systems, etc. At this point less time would have been spent securing the system in the first place rather than dealing with the carnage afterwards. I do understand the "line" of worth here is tenuous and oft-debated, and differing opinions are common.

    In terms of Debian and Arch not being used in enterprises, big companies, or supercomputers, I believe that is true for Arch certainly. Debian? Obviously not supercomputers, but I would imagine it or its derivatives (Ubuntu specifically) are used in small business, probably some facets of big business, and even possibly enterprises. If not, I'll concede- I was personally thinking more about personal desktop usage myself.


    I guess where I'm coming from is that we should take every security approach possible that doesn't involve insane amounts of time to accomplish. I spend maybe 10 minutes a month beyond what I would on a system without any security consideration, and yet I have seen demonstrable success in terms of protection: all the ransomware and the latest kernel bug exploits would have failed solely on account of AppArmor. Surely this is worth the time I spent, right?

    I'm not trying to argue with you, btw. I know you have much clout around here and more experience than I do. At the same time, I do think security is important and so must bring this up for debate...
     
  2. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Mr Mrkvonic, I'm not surprised to read your comments. Security never ever bothered you.
     
  3. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Anonfame, thanks for your post. I enjoyed reading it. I wish I had more time to respond to your elaborate post but I don't. My posts in general lack the thorough explanations that yours have.
    While I don't fully agree with its content, you do have many good arguments.

    As for the distro recommendation, thank you.
    Your post suggests Debian must be the easiest distro to manage; I had a brief look at Debian's very short grsecurity FAQ. Do you have tips for better in-depth info? It says for example video drivers are more or less blocked, JavaScript is blocked - you need to unblock those to be able to use Firefox, Chrome... Is there a fancy grsecurity GUI or do I need to do typical Linux work?

    Edit:
    This is what I found. Looks cumbersome. :-D

    https://micahflee.com/2016/01/debian-grsecurity/

    I seem to be missing something: if you exempt software in grsecurity to avoid crashes then the software isn't protected. What is the point of grsecurity then?
     
    Last edited: Oct 25, 2016
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    @anon, my angle is that changes in the kernel affect everyone on ALL levels - home and office and enterprise. This is why kernel changes are so dangerous. Something trivial in the home environment may destroy a billion-dollar application or service in a big company somewhere. Security is fine, but the OS side is probably the smallest piece in the equation. Kernel changes in general are a big no in any large business.

    @new2, I am not bothered about security, because I think the whole topic is way, way, way blown out of proportion. I believe it has its place and needs to be done smartly, efficiently, but not at the expense of everything else. Security in the digital world has become synonymous with the whole new world terrorism stuff, and everyone is immediately panicking and blindly yessiring security related ideas and topics. Fear mongering is the wrong way about it. Don't mistake my fear-less approach with a lack of care. Two different things. But I don't believe in the whole OMG, advisory, hax0rz, patch NOW! nonsense.

    Mrk
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Sorry, I don't have the reference. Please disregard what I said about it.

    You need to understand the relation between usability and security. As Mrk correctly pointed out, there has to be a balance between both. A Kernel that doesn't work is a useless Kernel. All I can say is that it's sad that the fix had to be reverted.

    Your comparison makes no sense.

    First, for people to patch their computers there needs to be an upstream patch available. That happens once a CVE is reported. It may take a little while (which in "Linux time" is very quick if compared to most projects), but they do get patched. Linus then releases the patch, and all distro developers push them eventually. However, it can take a while before distros push the new Kernels, and many users actually decide not to update their Kernel in months. So if this security vulnerability is marked as such then malicious attackers certainly will try to exploit those people who haven't yet patched their Kernels.
    By not marking the vulnerability as serious it will stay deeper under the radar, forcing malicious hackers to go through the thousands of patches released in order to try finding a remote vulnerability, and reducing the chances of it being exploited "in the wild" in the first place. By this policy, everyone should update their Kernels as soon as they come out because they know they get security fixes.

    Second, Microsoft's recommended patches have the history of not having critical security fixes on them.

    I'm not saying it can't happen, but I must advise you to look into what you've done with the system, because Arch is a rock-solid OS and breakages are, for the overwhelming majority of times, the user's fault.
     
  6. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I again have to strongly disagree with you, Norman.

    There are tons of people who write malware for Linux.

    And yes, the amount of money to be made from an attack on a Linux server is MUCH bigger than if you attack a Windows server. Don't believe me? Can you imagine if a cracker gained access to these servers (which run Linux, BTW):

    • Google
    • Facebook
    • Twitter
    • A few Microsoft servers
    • A ton of Skype servers
    • US Submarine Force
    • Government of Spain
    • The Bank of China
    • US Department of Defense
    • French Parliament
    • US Federal Reserve
    • IBM
    • Novell
    • Panasonic
    • Amazon
    • Peugeot
    • Wikipedia
    • New York Coin House
    • Cisco
    • Many others
    Do you have any idea how much money ANY of these companies would lose if their secrets got sold on the black market?
     
    Last edited: Oct 25, 2016
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    You're confusing, because Kernel changes inflict less damage than a serious vulnerability. Say Google is under attack and they need to use a new Kernel ASAP; do you think they'd care about losing 1 million USD in ad revenue (just because of the reboot) when the damage this non-patched Kernel may cause can be a lot more destructive?

    I've never seen an LTS Kernel break just because a security patch was released. EVER.
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I wonder if the millions of zombie computer owners had the same line of thinking.
     
  9. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,006
    @Anonfame1
    @anon
    ;)


     
  10. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    1. I understand the relation between usability and security. That's why I asked why the patch was pulled back - what did it break?

    2. Recommended patches by Microsoft - Yes I know they don't issue security patches via this channel. I think we're not on the same page when we discuss ...

    3. I didn't do anything wrong with my Arch system. Finally, the systemd migration broke it even though I followed the tutorials.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    amarildojr, Debian actually breaks the ABI between updates. And I'm not confusing anything. Imagine the ENTIRE Google estate not working anymore because something is broken in the kernel as opposed to a may-be breach. Serious vulnerabilities? Most of them are in the app space, not in the kernel.
    Mrk
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Can you give me a solid example?

    The may-be-breach is much more likely to happen than "may-be-broken".

    Exactly. And that's exactly why I don't think they'd mind changing Kernels once it happens.
     
  13. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Judging by Grsecurity's site, it looks like it is the answer to all exploits out there.
    SELinux, apparmor etc don't even come close as they're not really doing much more than restricting access.

    Those of you who have enabled grsecurity : how does your system behave with browsers, office suites, gimp etc?

    Edit (added thoughts) :

    At Insanibit's blog it is suggested that every time you apply a security patch to your kernel the grsecurity patch must be "re-installed" and recompiled and of course re-configured. Sounds tedious. I know security shouldn't be a piece of cake, but compiling your kernel every time there's a security patch and reconfiguring grsecurity must be... tedious.
    EMET on the other hand.. :)
     
    Last edited: Oct 25, 2016
  14. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Mrkvonic - if security issues are way, way blown out of proportion, why is the malware industry making so much money, a billion-dollar industry?
    Where do you draw a line - do you secure your computer at all or do you think common sense makes up for all the security measures you do not have on your system?
     
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Exactly, although you can use AppArmor with GRSec if you like its MAC properties.

    Browsers: all work fine, even Iceweasel from Parabola.
    Office: Libreoffice works out of the box.
    Gimp, Inkscape, Blender, etc: All work fine too.

    Here's what I need to add to the exceptions: Steam (proprietary), Spectacle (KDE's screenshot utility). That's it. Spectacle for some reason wasn't added to the exceptions, although it's very easy to do so.
    And Steam, I don't think Spender cares about proprietary software that much (and he's right). If the user wants to allow something to run, and this something can't have its source code reviewed, that's up to the user to add this to the exceptions for the most part.

    You can't run the proprietary AMD drivers with GRSecurity. There is a patch to make Catalyst build its module, but the Kernel will just not boot (or if it does, you'll have to set kernel.pax.softmode=1). The FOSS drivers work just fine.
    For some reason, Spender keeps updating the patch to make NVIDIA's driver (proprietary, the only one) work with his patches. So if you have an NVIDIA card, you can run the proprietary drivers with grsec.

    EMET on the other hand doesn't even come close to grsec's security. And every update is several months apart. And Microsoft compiles everything, because they're paid to do so by their customers.

    However, I agree with you. It IS tedious to compile the Kernel. If you don't want to do that, there's Arch and Debian with grsec on the repos.
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    On the ABI front, read on Debian/Ubuntu - even the LTS does not promise the likes of SUSE and Red Hat kernel backward compatibility.

    Why the malware business - why not. It's business like any other. That does not mean it's the one and only consideration for products. In fact, there are a million other things more important. First and foremost, seamless functionality. There's no point to a secure product that's useless. Inherently, it's like biological organisms. No good if they are dead. A flu here and there is perfectly fine.

    Security is not about blindly patching holes - it is designing systems that are resilient to intrusions WHEN they happen. Not IF.

    Mrk
     
  17. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,881
    People have too many other things to do to be bothered with security paranoia nonsense.

    You want to keep a reasonable balance between security and productivity and not lock down your computer to the point it's unusable.
     
  18. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    :) Thanks for the kind words.

    Unfortunately for you, my main system is Arch and so I haven't recently gone through a Debian/grsecurity setup. If I could be honest, I would say you should just stay on Windows. You seem to lean that way in your replies, and if we convince you to begrudgingly go the Linux Way again you will hate every minute of it. I'm not saying this as an attack, so please don't take it that way.

    Linux is an operating system with 2% of desktop market share. This WILL result in concessions (specifically in the commercial proprietary software ecosystem department). You will have a larger package base and will be able to do more things in certain areas (on Windows 10). Your platform will likely get the most focus or most features for every software that is cross-platform. You will have to accept that you have NO provable privacy in Windows 10, and that your OS is now conspiring to share your personal thoughts (reflected as media you create, searches you make, music you listen to, movies you watch, applications you use, etc etc) with Microsoft and third-parties for the sake of profit. You can "fight" Windows 10 with various tools, router blocklists, etc etc... but it is a fight you will keep having, a fight with ever-changing battlegrounds, a fight that you will likely always be taking casualties in (in the form of leaked information), and a fight you will likely ever-so-slowly lose.

    I will not have that fight. I will have the fight of dealing with a more limited proprietary software ecosystem. I will have the fight of a smaller software base, of having to use the bludgeon of Wine to make certain applications work, and of shifting and sometimes even seemingly esoteric approaches to manipulating the operating system (the move from init to systemd [which I don't like], the integration and eventual near requirement of pulseaudio [which I actively despise], etc). While I will have these fights, I will have higher security from external threats (due to a better base model and more advanced security technologies), my OS will work for me aiming to protect my privacy rather than destroy it, and my OS will aim to show me and integrate me into the code it uses.

    This is the primary fundamental difference between FOSS and modern commercial software. Modern commercial software is a victim of the times, and the times are selfish. You pick your fight. There is no right answer. I do wish we could have BOTH of the positives and NONE of the negatives by having FOSS as the dominant option, but I don't think it will ever happen.

    Finally, and just to correct one misconception, setting a PaX exception doesn't remove grsecurity protections. Grsecurity is primarily protection of the kernel. PaX is primarily responsible for protecting the memory stack of applications. If you set a PaX exception for, say, mprotect on Firefox, then Firefox will not have mprotect via PaX, but grsecurity provisions in the kernel are still present.
    I see. In terms of what you said to @new2security, you bring up an interesting point. I agree with you really, though I think you and I have a different opinion on where that "line" is. As grsecurity/PaX/AppArmor doesn't cost me much time and doesn't cost me any usability, I consider it worthwhile. That is my line. Your line might be different.

    Since I don't think the community will ever agree, I think we should put in place solid security precautions and leave the more extreme measures available for those who wish to employ them. There need to be certain protections in place, and more than has traditionally been the case in the past, and that's because, well, Linux has started to become more of a target in the desktop sphere. These ransomware variants and this latest kernel bug with exploits in the wild? I haven't seen anything like this until recently. I do think therefore that security strategies that are not over-zealous, that address these threats reflexively (better than not at all) and try to prevent future malware/exploits of the same nature, are a logical "line" to have. Do we agree here?


    Yeah, plenty of people got bit by this transition. I got lucky and had no issues.

    Still, I mean Windows 10 upgrades caused TONS of problems, so it's not exactly fair to condemn Arch for something similar. And besides, Arch sort of assumes you are comfortable in such situations; it is NOT for those who panic when something breaks. Its target market sees breakage and responds by going "hmmm.. wonder why that happened... what does journalctl say... what does pacman say... what does google say.."

    If you (or anyone else) don't happen to be one of these people, there is NOTHING wrong with that; everyone is different. I've had breakages on Arch (not in the last few years though), and all of them were due to upstream problems. If this is something that seems crappy to you (totally your choice), tried and true Debian is the answer. Debian is as stable as a rock, and has a good track record when it comes to upgrading between releases with APT (though in that case you will need some knowledge; otherwise just back up and reinstall the new version).

    I cannot speak for whether or not grsecurity would have protected me from the last exploit, but I can absolutely say AppArmor 100% would have. While its primary role is damage mitigation, it can and does at times act as a protection/prevention mechanism. AppArmor specifically happens to be one of the least powerful overall, but requires significantly less effort from its users. It's fantastic as a "help lock down this one troublesome application" tool (e.g. web browser), but not as comprehensive as SELinux/RBAC/Tomoyo.

    While recompiling may be tedious, you aren't the one doing that; the distro distributor is. *I* sort of do this as I recompile linux-grsec every time a new version is released (though I could just keep tabs on exploits and only upgrade the kernel once a month or so if I wanted to do so), but that's my own preference.
    I agree- there is a line for certain, but malware is a problem and security needs to be taken seriously to help deal with it.
    Great post man :) Agree 100% and good info.

    I apologize for this novel of a response. I've never been very good at being concise, try though I may :p

    I'll sit this thread out awhile and just be a fly on the wall :)
     
  19. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Thanks for the input. I'll keep it in mind.
    I don't use Steam or play games.

    Waiting hours for the compiling to complete isn't my idea of fun.
    So it means if I use Arch or Debian's grsecurity patched kernel, the "only thing" I need to do after a kernel update is to re-configure grsecurity?
    Why do you need to compile your kernel with grsecurity unless you use Gentoo?
     
  20. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Hi,

    Yes, you're correct - I like Windows (7) and I had no plans to migrate until 2020 or so. But with the recent bundled security "quality" rollups I'm having new ideas. I don't take it as an attack, don't worry! ^^
    I don't want telemetry and other crap in my system. Perhaps they were there from the beginning without us knowing but now it's becoming more and more obvious that MS decided that what W10 has, W7 must have it too. Almost like they're punishing W7 customers because they didn't upgrade to W10.

    Sooner or later I have to migrate. Debian with Grsecurity, Firejail seems like a good alternative.

    Archlinux and systemd migration : it wasn't only this that caused total havoc. I remember some time before the systemd implementation Arch wanted to reshuffle /usr/lib /usr/bin (or similar, can't remember) and consolidate those into one. That broke my system too. And yes, I followed the migration tutorial letter by letter.
    Luckily I managed to rescue my system. But. It's not the breakage itself that concerns me, all systems are prone to breakage be it BSD, Linux, Unix, Windows, and Apple stuff... but why it breaks is a greater concern to me. A glitch in patching that results in a blue screen is one thing. But re-modeling the system just because it can be done, without considering the vast consequences it could have for thousands of people, is a different beast.
    Systemd has been praised by many to be so much more talented than init and it has plentiful options and configuration possibilities. Sure, I get that it looks great on paper but why break a design that already works well and has done so for decades? Do we care the boot is 4,3 seconds faster on a 5400 rpm drive (a bad example but you get my idea when SSD is gaining popularity).
    The sudden and uncalled for changes in software development without "any real good reason" (at least to me) is making me nervous and this is why I left Linux. Pulseaudio is another one that people still have issues with and so forth.
    Instead of focusing on how to break things and replace it just to show that it can be done - which in the end means same wattage output from your speakers, I wish the devs could focus more on system stability, driver development.

    So yes.. it's a love and hate relationship I have with Linux. Mostly love though. But with less time on my hands I don't think I can spend hours on a system and tinker with it just to make it work.
    With Windows - nowadays ditto. It's just that W7 has worked perfectly for me for years without any breakage and it has served me very well, and it makes me sad I have to abandon it.

    Rant over. :)

    Thanks for the input on Grsecurity! It's something I want to have on my future Linux system. Set-once and forget shouldn't be impossible.
     
  21. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    .... my edit ^^

    Thank you , once again !

    This is starting to remind me of the empty rhetoric of the Cold War years (endlessly spouted by idiots in positions of power).

    "Problem-Reaction-Solution"

    The so-called "Problem" being assumed, but never proven.

    @new2security

    You have made some very intelligent points in your post (especially with regard to systemd)


    So don't!
    Ignore the W7 updates from now on; they are worthless, and have been for quite some time now.

    So long as you make regular backups you can enjoy your Windows system way beyond 2020 - :)

     
    Last edited: Oct 26, 2016
  22. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Well if I'm not connected to the internet I could abandon the updates altogether. But I need internet access and like to have my system security patched thank you.
     
  23. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    How slow is your processor? :p Takes 30 min for me on my crappy FX 6300. And if you configure your Kernel properly (disabling unneeded support) you can compile it in 10 or fewer minutes.

    No, everything is automatically compiled. All you need to do to get the latest and greatest is update your system with "pacman -Syu". That's it.

    I don't need to, if I didn't want to. I only did it because I needed to patch the driver (radeon/amdgpu) because upstream introduced a bug for me in which my screen flickers at a certain resolution.
     
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    But you were using a distro that, IIRC, at the time had around 1% usage among Linux distros (which means 1% inside the 1%), that is targeted towards advanced users, and that relies on the users to fix things when they're broken, and that announced that the huge change was going to happen.

    If I had been using Arch at the time, I'd at least do a backup, because I know things can break, specially with such huge change.

    I've not yet seen so many people who got problems with the change, to be honest.

    And if that's not something you want to expect (breakage with such a bleeding-edge distro), you're probably better on non-rolling-release distros (Debian did a nice and smooth change from 7 to 8).

    And as I've mentioned, Arch is a very stable system, no breakages for me whatsoever with the latest of everything + the development branches of some other things. I've had less problems running Arch for +3 years than running Debian Testing for 2 weeks, Debian sid for 2 days, Debian Stable for 1 hour, or Ubuntu LTS for 10 minutes :argh: The thing will just not break. EVER.
     
  25. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I have an i5 4690k @ 4,3 GHz. Never done a kernel compile before and I don't want to try it.

    Ok, so that's a relief - with Arch you just upgrade your kernel (grsecurity) via Pacman. Perhaps not the right place to ask details; when the kernel has been upgraded the previous settings in grsecurity are surely lost. When do you re-configure grsecurity settings for the new kernel?
     