A serious Linux kernel vulnerability has been fixed

Security researchers at startup Perception Point discovered a serious vulnerability (CVE-2016-0728) affecting the Linux kernel.

A Linux kernel vulnerability, coded as CVE-2016-0728, affecting versions 3.8 and higher will be fixed today. According to researchers at startup Perception Point who discovered the vulnerability, the flaw affects the Linux Kernel since 2012. The flaw has impacted more than tens of millions Linux machines over the time, including Android devices running the Kit-Kat version and higher.

“The Perception Point Research team has identified a 0-day local privilege escalation vulnerability in the Linux kernel. While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit. As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets). ” states a blog post published by the Perception Point. 

While in attack scenarios against Linux server it is necessary a physical access to the machine, in the case of Android mobile devices a malicious app could exploit the flaw.

The vulnerability, CVE-2016-0728, resides in the keyring facility, a mechanism for drivers to retain or cache security data, authentication keys, certificates, encryption keys and other data in the kernel.

“CVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, let’s cover some background required to understand the bug.” continues the post.

Each process can create a keyring for the current session and eventually assign it a name. The keyring object can be shared between different processes by referencing it with the assigned name.

“The leak occurs when a process tries to replace its current session keyring with the very same one.”

The outline of the steps that to be executed by the exploit code is as follows:

1. Hold a (legitimate) reference to a key object
2. Overflow the same object’s usage
3. Get the keyring object freed
4. Allocate a different kernel object from user-space, with a user-controlled content, over the same memory previously used by the freed keyring object
5. Use the reference to the old key object and trigger code execution

The researchers at Perception Point expressed their concern for mobile devices while for Linux machine it is sufficient to apply the update, for mobile devices users will have to wait for a fix released by carriers and manufacturers, but patch distribution could be an activity that will take a lot of time.

Perception Point also published a proof-of-concept code exploit for the Linux kernel flaw on Github.

Pierluigi Paganini

(Security Affairs – Linux kernel, hacking)