A Linux kernel vulnerability in the keyring facility could allow an elevation-of-privilege exploit that lets a local user execute code in the kernel, but experts disagree about how dangerous the flaw is and how widespread it might be.
The Perception Point Research Team described the vulnerability in a blog post, and said the bug has been in the Linux kernel since 2012. The team also created a proof-of-concept exploit, but noted that no exploits have been seen in the wild.
The Perception Point team claimed that the Linux kernel vulnerability had "implications for approximately tens of millions of Linux PCs and servers, and 66% of all Android devices," but Google disputed the number of potentially affected Android devices.
Although Android is based on the Linux kernel, the modifications made to the Linux kernel for Android devices make it difficult to determine how many devices are actually affected. Google told SearchSecurity that the Linux kernel and the Android version number are not tightly coupled, so there are some devices that have Android 4.4 and a newer Linux kernel. Google said that while those devices are potentially vulnerable, there are a small number of them and certainly fewer than what the researchers claimed.
Google's lead for Android Security, Adrian Ludwig, wrote in a post on Google+ that Google has already created a patch and released it to the Android Open Source Project, as well as to manufacturers. He also said Google was investigating the claims to determine how many Android devices are at risk.
"We believe that no Nexus devices are vulnerable to exploitation by third-party applications," Ludwig wrote. "Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third-party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices."
The Perception Point Research Team also noted that SELinux would make it difficult to perform an exploit on Android devices, and Intel CPUs feature supervisor mode execution protection and supervisor mode access prevention that would make it difficult to exploit on Linux desktops and servers.
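The mitigations named above (SMEP and SMAP on Intel CPUs, an enforcing SELinux policy) and the kernel version range that carries the affected code (3.8 and later, per the article) can be inventoried from a shell. The script below is an added example and is not code from the article, Perception Point or any vendor quoted here; it assumes the CPU flags are reported as `smep` and `smap` in `/proc/cpuinfo` and that `getenforce` is available for the SELinux state, and it takes its inputs as parameters so it can also be run against constructed sample values. A clean report does not mean a system is patched; it only shows which hardening layers are present while the kernel update is applied.

```shell
#!/bin/sh
# Added example (not from the article): inventory the hardening layers the
# article names and flag kernels in the range that contains the keyring code.

# Return 0 if the space-separated CPU flag list in $1 contains the flag in $2.
has_cpu_flag() {
    flags="$1"; want="$2"
    for f in $flags; do
        [ "$f" = "$want" ] && return 0
    done
    return 1
}

# Return 0 if kernel release $1 (e.g. "4.4.0-31-generic") is >= $2.$3.
kernel_at_least() {
    rel="$1"; need_major="$2"; need_minor="$3"
    major=$(printf '%s' "$rel" | cut -d. -f1)
    minor=$(printf '%s' "$rel" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt "$need_major" ] && return 0
    [ "$major" -eq "$need_major" ] && [ "$minor" -ge "$need_minor" ]
}

# Print one line per check; the return value is the number of missing
# mitigations (SMEP, SMAP, enforcing SELinux), so 0 means all three are present.
report() {
    flags="$1"; rel="$2"; selinux="$3"
    missing=0
    if kernel_at_least "$rel" 3 8; then
        echo "kernel $rel: 3.8 or later, keyring code present; confirm the fix is applied"
    else
        echo "kernel $rel: predates 3.8"
    fi
    for m in smep smap; do
        if has_cpu_flag "$flags" "$m"; then
            echo "$m: present"
        else
            echo "$m: absent"; missing=$((missing + 1))
        fi
    done
    case "$selinux" in
        Enforcing) echo "SELinux: enforcing" ;;
        *) echo "SELinux: $selinux (not enforcing)"; missing=$((missing + 1)) ;;
    esac
    return "$missing"
}

# Live run against the current host; each probe degrades to a sensible default.
main() {
    cpuflags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    rel=$(uname -r)
    se=$(getenforce 2>/dev/null || echo "unavailable")
    report "$cpuflags" "$rel" "$se" || echo "missing mitigations: $?"
    return 0
}

main
```

Run it as root or an ordinary user; nothing it reads requires privilege. On Android builds the same checks apply in spirit, but `/proc/cpuinfo` flag names differ on ARM and the SELinux policy is what matters most there, as the article notes.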
Steve Pate, chief architect at HyTrust, based in Mountain View, Calif., said that while there are features to protect users, the proof-of-concept code does increase the risk of an exploit.
"The finders of the bug published a clearly written article that shows how to exploit the bug," Pate said. "The amount of code needed is very small and is now widely available for all to see. Given that it will take quite some time to patch systems, the means of exploitation [are] now greater than ever."
Liviu Arsene, senior e-threat researcher for Romania-based antimalware firm Bitdefender, said the threat was reduced because of how difficult it could be to deploy the exploit code, especially on Android.
"The likelihood for such an application to make it into Google Play is remote, as it would be vetted out and potentially quickly reported by the community or security companies," Arsene said. "While it is true that users might choose to install such applications from third-party stores, it's a risk that they have previously taken in the past."
However, Tod Beardsley, engineering manager at Boston-based Rapid7 LLC, said it didn't look like the vulnerability would be very useful for an attacker, even on normal Linux desktops.
"Kernel bugs are notoriously difficult to leverage for privilege escalation, since so much outside of the attacker's control has to line up just right," Beardsley said. "It's certainly a flaw, but in the scheme of things, seems pretty 'ho-hum.' The published exploit is unreliable and it's pretty unlikely that criminals could automate this across different platforms. I don't know how an attacker could leverage this on Android without a more detailed exploit that demonstrates it actually working."