Topic: Linux Kernel Flaw Gives Hackers a Back-Door Access (CVE-2010-3081, getsockopt)

[Samker]

Linux is well-known for its security advantages over many other operating systems, but that doesn't mean it's immune to problems.

A Linux kernel flaw first discovered earlier this month, for example, gives hackers a way to not just gain root privileges in 64-bit Linux operating systems but also to leave a "back door" open for further exploitation later.

CVE-2010-3081: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081 , as the high-profile vulnerability is known, affects virtually all users of 64-bit Linux distributions, including RHEL, CentOS, Debian, Ubuntu, CloudLinux, SuSE and more. It was introduced into the Linux kernel back in 2008, and a hacker by the name of 'Ac1db1tch3z' last week published details on exploiting it: http://seclists.org/fulldisclosure/2010/Sep/268

Essentially, the vulnerability stems from a problem with the way the Linux kernel validates memory ranges when allocating memory on behalf of 32-bit system calls. The result was that on a 64-bit system, a local attacker could perform malicious multicast "getsockopt" calls to gain root privileges.

The vulnerability is not a problem on 32-bit Linux systems, which are immune to this particular exploit.

Ineffective Workarounds

Since the exploit was made public, multiple major Linux installations have reported hack attempts that tried to use it to gain superuser privileges, according to security firm Ksplice. Several temporary workarounds were published shortly thereafter for RHEL and others, but they did not fully fix the vulnerability; rather, modified versions of the exploit could still be used to gain access later.

Ksplice on Saturday released a tool to help Linux users determine whether their machines have already been exploited by looking for the exploit's signature "back door": http://www.ksplice.com/uptrack/cve-2010-3081
Users of compromised systems should follow their standard incident-handling procedures, Ksplice said.

To fix the problem on uncompromised systems, meanwhile, users can take advantage of a no-cost, 30-day trial on Ksplice's "Uptrack" service, which will fix the vulnerability on production systems for free without having to reboot: https://www.ksplice.com/signup

The Linux kernel has already been patched, and many affected Linux distributions have also released fixes, including:

- Ubuntu: http://www.ubuntu.com/usn/usn-988-1
- Red Hat: https://rhn.redhat.com/errata/RHSA-2010-0704.html
- Debian: http://security-tracker.debian.org/tracker/CVE-2010-3081
- CentOS: http://bugs.centos.org/view.php?id=4518


Another Kernel Flaw

Coincidentally, a second and similar Linux exploit known as CVE-2010-3301 was also recently discovered and fixed last week in the Linux kernel: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3301
That problem derived from the fact that the registers on 64-bit kernels were not correctly filtered when performing 32-bit system calls on a 64-bit system. This, too, could also allow local attackers to gain root privileges.

Ubuntu's Friday update addressed the CVE-2010-3301 exploit as well. RHEL is immune to this particular problem, while developers at Fedora,Debian: http://security-tracker.debian.org/tracker/CVE-2010-3301 and other distributions are currently working on addressing it.

In the meantime, users can also consider using the chkrootkit tool to help find signs of tampering: http://www.chkrootkit.org/

(PCW)

[bugmenot]

hope it was patched