DesktopLinux
Dangerous security flaw patched in Linux
Aug. 18, 2010

A critical vulnerability in the Linux kernel that gives attackers access to root via X server has been patched by Linus Torvalds. Meanwhile, kernel developer James Morris reports on the first annual Linux Security Summit (LSS), which covered topics including usability, hardening the kernel, and API standardization.

Linux folk have long shown an almost smug, if largely justified, confidence in the superior security of their operating system, especially compared to Windows. Yet, as Linux takes on a greater role, especially in the server and mobile device worlds, the threat of malicious attacks grows larger.

Now, it turns out that Linux may not be quite as secure as we thought.

A "highly dangerous" privilege escalation vulnerability that would permit an attacker to execute arbitrary code as root from any GUI application via X server was recently patched in the Linux kernel, writes Lucia Constantin on Softpedia. The flaw, which affects both x86_32 and x86_64 platforms, is said to have been present since the release of Linux 2.6.0.

The vulnerability was discovered by Rafal Wojtczuk, principal researcher at Polish security research firm Invisible Things Lab (ITL), and was first reported to the X.org security team in June. As described by ITL founder Joanna Rutkowska in a blog post yesterday, Wojtczuk uncovered the vulnerability while working on a GUI virtualization project in ITL's own Qubes OS, an operating system that runs each application in a separate virtual machine.

A potential attack on the vulnerability would give an unprivileged user process access to X server, enabling any GUI application to unconditionally escalate to root, writes Rutkowska. An attack would not actually take advantage of any bug in X server, but rather invades via any GUI application, such as a sandboxed PDF viewer, explains Rutkowska.

Once compromised, for example via a malicious PDF document, the attack "can bypass all the Linux fancy security mechanisms, and escalate to root, and compromise the whole system," she adds.

On 13 August, Linus Torvalds (pictured) implemented an initial fix for the problem, and several patches have been added since then for kernel versions 2.6.27.52, 2.6.32.19, 2.6.34.4, and 2.6.35.2. Meanwhile, a Red Hat security advisory gave the bug a "high" severity rating, reports Rutkowska.
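A kernel-release triage helper, added here as an example and not taken from the article or from any of the sources it cites. It compares a kernel release string against the fixed stable versions the article lists; the category names, the parsing rule, and the treatment of distribution suffixes are assumptions made for this example.

```python
import platform
import re

# Stable kernel releases the article names as carrying the fix (August 2010).
FIXED_RELEASES = ["2.6.27.52", "2.6.32.19", "2.6.34.4", "2.6.35.2"]


def parse_version(release):
    """Return the leading numeric components of a kernel release string.

    '2.6.32.19'      -> (2, 6, 32, 19)
    '2.6.32-5-amd64' -> (2, 6, 32)   (distro suffix ignored)
    """
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.group(1).split("."))


def triage(release):
    """Classify a release against FIXED_RELEASES.

    Returns one of (names are this example's own):
      'fixed'                   - same stable series, at or above the fixed release
      'unpatched-stable-series' - same stable series, below the fixed release
      'newer'                   - a series newer than any listed fixed release
      'unknown-series'          - a series the article does not list

    Caveat: distribution kernels backport fixes without bumping the upstream
    version, so 'unpatched-stable-series' means "check the vendor advisory",
    not "confirmed vulnerable".
    """
    v = parse_version(release)
    for fixed in FIXED_RELEASES:
        f = parse_version(fixed)
        if v[:3] == f[:3]:
            # Tuple comparison treats a missing 4th component as older,
            # so a bare '2.6.35' sorts below '2.6.35.2'.
            return "fixed" if v >= f else "unpatched-stable-series"
    newest_series = max(parse_version(x) for x in FIXED_RELEASES)[:3]
    if v[:3] > newest_series:
        return "newer"
    return "unknown-series"


def running_kernel_status():
    """Triage the kernel this script is running on (uses uname -r via platform)."""
    return triage(platform.release())


if __name__ == "__main__":
    print(platform.release(), "->", running_kernel_status())
```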

Yesterday, Wojtczuk published a paper on the flaw, titled "Exploiting large memory management vulnerabilities in Xorg server running on Linux."

The vulnerability demonstrates the challenges of letting applications communicate securely with the GUI layer (via X server in the case of Linux), writes Rutkowska. This process "usually involves a very fat GUI protocol (think X protocol, or Win32 GUI API) and a very complex GUI server," she adds.

In her blog, Rutkowska also slips in a pitch for Qubes, which she says "is much more secure than other sandboxing mechanisms, such as BSD jails, or SELinux-based sandboxes." Qubes not only eliminates kernel-level exploits, but also "dramatically slims down GUI-level attacks," she claims.

Linux Security Summit tackles mobile security, usability issues

Linux kernel developer James Morris posted a blog on Namei.org, reporting on the first annual Linux Security Summit (LSS), which was held Monday, Aug. 9, in Boston, a day before the start of LinuxCon 2010.

The event sought to bring in members of the end-user community, as well as developers and security experts. Fewer end-users than expected joined the approximately 70 attendees, yet the first LSS was "a very productive and collaborative event," writes Morris.

(Image: Z. Cliffe Schreuders speaking on security usability at the LSS)
Mobile security was one of the core issues discussed at the summit, "with the year of the Linux desktop now apparently permanently canceled due to smartphones and similar devices," writes Morris.

In particular, MeeGo developers discussed their progress on the MeeGo Security Framework, he adds. In the area of network device security, meanwhile, Stephen Hemminger of Vyatta presented on the topic of integrating security into a router, writes Morris.

Security usability was said to be the topic of several presentations, including a talk on high-level policy language work by Josh Brindle (Lolpolicy). Meanwhile, Z. Cliffe Schreuders spoke on his FBAC-LSM usability research project (see image above).

The issue of core kernel security also drew a lot of attention, although it does not appear that ITL's discovery of the GUI vulnerability was publicly discussed. Brad Spengler spoke on his experiences developing grsecurity, and there was said to be much discussion of a central dilemma with Linux security.

As Morris puts it, "As most of our protection mechanisms operate within the kernel, attacks on the kernel can render these mechanisms useless, so it is important to try and harden the kernel as much as possible."

According to Morris, other challenges with implementing kernel security include the fact that core kernel developers are not always receptive to enhanced security, and that proposed solutions are often not technically acceptable to upstream developers. In addition, there is limited security expertise in upstream projects, he adds.

Standardized Linux security APIs? Don't hold your breath

The LSS featured an opening panel discussion on the viability of developing a standard Linux security API. However, the general consensus was that there were too many fundamentally different security models to develop a set of security APIs such as one might find in a proprietary OS, writes Morris.

Other LSS discussions included sessions on "Out of Tree" security features, EVM (Extended Verification Module), security management, SELinux Sandbox, and SSSD.

The Linux Security Summit has its roots in the Linux security development community, which emerged with the development of the LSM (Linux Security Modules) framework, writes Morris. It is also said to build upon events such as the SELinux Symposium, as well as mini-summits at LCA (Linux.conf.au) events held in 2008 and 2009, and a double security track at the 2009 Linux Plumbers Conference.

Availability

The blog by ITL's Joanna Rutkowska on the repaired Linux vulnerability may be found here, and the Softpedia report should be here.

The blog report by James Morris on the first Linux Security Summit, complete with links to presentations, may be found here.

-- Eric Brown
