Google Hacker Discloses New Linux Kernel Vulnerability and PoC Exploit
Linux is a family of free and open-source software operating systems built around the Linux kernel. Typically, Linux is packaged in a form known as a Linux distribution (or distro for short) for both desktop and server use.
A cybersecurity researcher with Google Project Zero has released the details, and a proof-of-concept (PoC) exploit for a high severity vulnerability that exists in Linux kernel since kernel version 3.16 through 4.18.8.
Discovered by white hat hacker Jann Horn, the kernel vulnerability (CVE-2018-17182) is a cache invalidation bug in the Linux memory management subsystem that leads to use-after-free vulnerability, which if exploited, could allow an attacker to gain root privileges on the targeted system.
The use-after-free (UAF) vulnerabilities are a class of memory corruption bug that can be exploited by unprivileged users to corrupt or alter data in memory, enabling them to cause a denial of service (system crash) or escalate privileges to gain administrative access on a system.
Linux Kernel Exploit Takes an Hour to Gain Root Access
However, Horn says his PoC Linux kernel exploit made available to the public “takes about an hour to run before popping a root shell.”
Horn responsibly reported the vulnerability to Linux kernel maintainers on September 12, and the Linux team fixed the issue in his upstream kernel tree within just two days, which Horn said was “exceptionally fast, compared to the fix times of other software vendors.”
The Linux kernel vulnerability was disclosed on the oss-security mailing list on September 18 and was patched in the upstream-supported stable kernel versions 4.18.9, 4.14.71, 4.9.128, and 4.4.157 on the next day.
Debian and Ubuntu Linux Left its Users Vulnerable for Over a Week
The researcher was disappointed knowing that some major Linux distributions, including Debian and Ubuntu, left their users exposed to potential attacks by not releasing kernel updates more than a week after the vulnerability was made public.
As of Wednesday, both Debian stable and Ubuntu releases 16.04 and 18.04 had not patched the vulnerability.
However, the Fedora project already rolled out a security patch to its users on 22 September.
In response to the Horn’s blog post, the maintainers of Ubuntu says the company would possibly release the patches for the Linux kernel flaw around October 1, 2018.
Horn said that once the patch is deployed in the upstream kernel, the vulnerability and patch becomes public, which, in this case, could allow malicious actors to develop a Linux kernel exploit to target users.
Highest Selling Technical Courses of Indian Cyber Security Solutions:
Cybersecurity services that can protect your company:
Other Location for Online Courses: