Linux kernel vulnerability has unknown risk, but Google has fix

A newly found Linux kernel vulnerability has garnered big headlines. Google said the risk to Android has been overstated, and experts are unsure about the danger to the wider Linux ecosystem.

A Linux kernel vulnerability in the keyring facility could potentially allow an elevation-of-privilege exploit that lets a local user execute code in the kernel, but experts disagree about how dangerous the flaw is and how widespread it might be.

The Perception Point Research Team described the vulnerability in a blog post, and said the bug has been in the Linux kernel since 2012. The team also created a proof-of-concept exploit, but noted that no exploits have been seen in the wild.

The Perception Point team claimed that the Linux kernel vulnerability had "implications for approximately tens of millions of Linux PCs and servers, and 66% of all Android devices," but Google disputed the number of potentially affected Android devices.

Although Android is based on the Linux kernel, the modifications made to the kernel for Android devices make it difficult to determine how many devices are actually affected. Google told SearchSecurity that the Linux kernel version and the Android version number are not tightly coupled, so some devices run Android 4.4 with a newer Linux kernel. Google said that while those devices are potentially vulnerable, there are only a small number of them, certainly fewer than the researchers claimed.

Google's lead for Android Security, Adrian Ludwig, wrote in a post on Google+ that Google has already created a patch and released it to the Android Open Source Project, as well as to manufacturers. He also said Google was investigating the claims to determine how many Android devices are at risk.

"We believe that no Nexus devices are vulnerable to exploitation by third-party applications," Ludwig wrote. "Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third-party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices."

The Perception Point Research Team also noted that SELinux would make an exploit harder to pull off on Android devices, and that Intel CPUs with supervisor mode execution protection (SMEP) and supervisor mode access prevention (SMAP), which stop the kernel from executing or reading user-space memory, would make exploitation harder on Linux desktops and servers.
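The statements above reduce to three checkable facts about a host: whether the running kernel is at or past 3.8 (the version Ludwig names as the one that introduced the affected keyring code), whether the CPU advertises SMEP and SMAP, and whether SELinux is enforcing. The script below is an added triage helper, not code from the article, from Perception Point or from Google; the function names and the constructed sample inputs in its comments are this example's own. It does not test for the bug itself: a kernel at 3.8 or later may already carry a backported fix, so the version check only tells you whether the code path can be present, and vendor advisories remain the authority on patch status.

```sh
#!/bin/sh
# Added triage helper (not from the article, Perception Point or Google).
# Reports: kernel >= 3.8 (threshold taken from Ludwig's statement), SMEP/SMAP
# CPU flags, and SELinux enforcement. A kernel >= 3.8 is NOT proof of
# vulnerability: distributions backport fixes without bumping the version.

# kernel_at_least MAJOR.MINOR VERSION_STRING
# Returns 0 when VERSION_STRING (as printed by `uname -r`, e.g. "4.4.0-42-generic")
# is at or past MAJOR.MINOR; returns 1 otherwise or when the string is unparsable.
kernel_at_least() {
    want="$1"; have="$2"
    want_major=${want%%.*}
    want_minor=${want#*.};  want_minor=${want_minor%%.*}
    have_major=${have%%.*}
    rest=${have#*.};        have_minor=${rest%%[!0-9]*}
    case "$have_major$have_minor" in
        ''|*[!0-9]*) return 1 ;;   # not a numeric major.minor prefix
    esac
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# has_cpu_flag FLAG FLAGS_LINE
# FLAGS_LINE is the "flags : ..." line from /proc/cpuinfo; whole-token match only,
# so "smep" does not match a hypothetical "smepx".
has_cpu_flag() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# selinux_mode ENFORCE_FILE_CONTENTS
# Takes the contents of /sys/fs/selinux/enforce: "1", "0", or empty when absent.
selinux_mode() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo absent ;;
    esac
}

# Gather the live values (Linux only; the reads are allowed to fail elsewhere).
keyring_triage() {
    kver=$(uname -r)
    flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1)
    enforce=$(cat /sys/fs/selinux/enforce 2>/dev/null || true)

    if kernel_at_least 3.8 "$kver"; then
        echo "kernel $kver: 3.8 or later, affected keyring code may be present; check vendor patch status"
    else
        echo "kernel $kver: older than 3.8, predates the affected code"
    fi
    for f in smep smap; do
        if has_cpu_flag "$f" "$flags"; then
            echo "cpu: $f present (blocks the kernel from running or reading user-space memory)"
        else
            echo "cpu: $f absent"
        fi
    done
    echo "selinux: $(selinux_mode "$enforce")"
}

keyring_triage
```

Run it as an unprivileged user; none of the three reads needs root. The helper functions take their input as arguments rather than reading the files directly so the parsing can be exercised against constructed version strings and flag lines on a machine that is not the one being assessed.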

Steve Pate, chief architect at HyTrust, based in Mountain View, Calif., said that while there are features to protect users, the proof-of-concept code does increase the risk of an exploit.

"The finders of the bug published a clearly written article that shows how to exploit the bug," Pate said. "The amount of code needed is very small and is now widely available for all to see. Given that it will take quite some time to patch systems, the means of exploitation [are] now greater than ever."

Liviu Arsene, senior e-threat researcher for Romania-based antimalware firm Bitdefender, said the threat was reduced because of how difficult it could be to deploy the exploit code, especially on Android.

"The likelihood for such an application to make it into Google Play is remote, as it would be vetted out and potentially quickly reported by the community or security companies," Arsene said. "While it is true that users might choose to install such applications from third-party stores, it's a risk that they have previously taken in the past."

However, Tod Beardsley, engineering manager at Boston-based Rapid7 LLC, said it didn't look like the vulnerability would be very useful for an attacker, even on normal Linux desktops.

"Kernel bugs are notoriously difficult to leverage for privilege escalation, since so much outside of the attacker's control has to line up just right," Beardsley said. "It's certainly a flaw, but in the scheme of things, seems pretty 'ho-hum.' The published exploit is unreliable and it's pretty unlikely that criminals could automate this across different platforms. I don't know how an attacker could leverage this on Android without a more detailed exploit that demonstrates it actually working."

Next Steps

Learn how to improve admin skills by building Linux from scratch.

Learn four tips for better Android security.

Learn whether Android 6.0 Marshmallow is enterprise-ready.



What is your organization's BYOD policy for Android?
My company and most of the companies we work with have a relatively open policy to BYOD, though most D is Apple instead of Android. No opposition to either, but most production apps are exclusively (or primarily) written for iOS. So far most companies have evaded major breaches. Then there's Sony, still trying to sweep up the damage.
The only restriction we have on device is that it must be ActiveSync-enabled. Otherwise, there is much more support for connecting Apple devices to projectors in the conference rooms, but that’s mostly because Apple devices were the first to be brought in by upper management when iPads and iPhones were introduced.
So, Google has created a patch and released it to the manufacturers. Now, we just sit and wait for it to go from there to the service providers, then to our devices, and we'll be all set. That's certainly one advantage that Apple has maintained by keeping control of their OS.

First Linux issue I have heard of in a while. I do question the stats provided. Is it worse than that or are we just paranoid?
