SCF Advanced Search


Members
Stats
  • Total Posts: 32654
  • Total Topics: 9905
  • Online Today: 1248
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)











Author Topic: Linux Kernel Flaw Gives Hackers a Back-Door Access (CVE-2010-3081, getsockopt)  (Read 5232 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7444
  • KARMA: 312
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Linux is well-known for its security advantages over many other operating systems, but that doesn't mean it's immune to problems.

A Linux kernel flaw first discovered earlier this month, for example, gives hackers a way to not just gain root privileges in 64-bit Linux operating systems but also to leave a "back door" open for further exploitation later.

CVE-2010-3081: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081 , as the high-profile vulnerability is known, affects virtually all users of 64-bit Linux distributions, including RHEL, CentOS, Debian, Ubuntu, CloudLinux, SuSE and more. It was introduced into the Linux kernel back in 2008, and a hacker by the name of 'Ac1db1tch3z' last week published details on exploiting it: http://seclists.org/fulldisclosure/2010/Sep/268

Essentially, the vulnerability stems from a problem with the way the Linux kernel validates memory ranges when allocating memory on behalf of 32-bit system calls. The result was that on a 64-bit system, a local attacker could perform malicious multicast "getsockopt" calls to gain root privileges.

The vulnerability is not a problem on 32-bit Linux systems, which are immune to this particular exploit.

Ineffective Workarounds

Since the exploit was made public, multiple major Linux installations have reported hack attempts that tried to use it to gain superuser privileges, according to security firm Ksplice. Several temporary workarounds were published shortly thereafter for RHEL and others, but they did not fully fix the vulnerability; rather, modified versions of the exploit could still be used to gain access later.

Ksplice on Saturday released a tool to help Linux users determine whether their machines have already been exploited by looking for the exploit's signature "back door": http://www.ksplice.com/uptrack/cve-2010-3081
Users of compromised systems should follow their standard incident-handling procedures, Ksplice said.

To fix the problem on uncompromised systems, meanwhile, users can take advantage of a no-cost, 30-day trial on Ksplice's "Uptrack" service, which will fix the vulnerability on production systems for free without having to reboot: https://www.ksplice.com/signup

The Linux kernel has already been patched, and many affected Linux distributions have also released fixes, including:

- Ubuntu: http://www.ubuntu.com/usn/usn-988-1
- Red Hat: https://rhn.redhat.com/errata/RHSA-2010-0704.html
- Debian: http://security-tracker.debian.org/tracker/CVE-2010-3081
- CentOS: http://bugs.centos.org/view.php?id=4518


Another Kernel Flaw

Coincidentally, a second and similar Linux exploit known as CVE-2010-3301 was also recently discovered and fixed last week in the Linux kernel: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3301
That problem derived from the fact that the registers on 64-bit kernels were not correctly filtered when performing 32-bit system calls on a 64-bit system. This, too, could also allow local attackers to gain root privileges.

Ubuntu's Friday update addressed the CVE-2010-3301 exploit as well. RHEL is immune to this particular problem, while developers at Fedora,Debian: http://security-tracker.debian.org/tracker/CVE-2010-3301 and other distributions are currently working on addressing it.

In the meantime, users can also consider using the chkrootkit tool to help find signs of tampering: http://www.chkrootkit.org/

(PCW)

Samker's Computer Forum - SCforum.info

Sponsored Links:




bugmenot

  • SCF Member
  • **
  • Posts: 33
  • KARMA: 2
hope it was patched

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising