Five-Year-Old Bait-and-Switch Linux Security Flaw Patched

Maintainers of the Linux Kernel project have fixed three security flaws this week, among which there was a serious bug that lingered in the kernel for the past five years and allowed attackers to bypass some OS security systems and open a root shell.

The bugs have been addressed over the last weekend, and this week, downstream Linux distros have slowly pushed patches to their users.

The three fixed issues are CVE-2016-6480, CVE-2016-6828, and CVE-2016-8655. The first two are categorized as "medium" severity, while the third is considered "high."

Five-year-old bug affected all Linux kernel versions 3.2 and up

Of the three, the third, CVE-2016-8655, is the most serious, mostly because the bug managed to stay hidden in the Linux kernel for the past five years, since August 19, 2011.

All Linux kernels version 3.2.0 and after are affected by CVE-2016-8655, which in technical terms is "a race condition in the af_packet implementation in the Linux kernel."

This bug was discovered by Philip Pettersson, a security researcher and CTF (capture-the-flag) player that specializes in Linux vulnerabilities and exploit development. Petterson told Bleeping Computer he found the bug while performing penetration testing.

Bug bypasses SMEP/SMAP security, opens root shell

"The race condition tricks the kernel into thinking it is working with the wrong kind of object - you switch it out before the kernel can react," Petterson said via email. "This leads to a dangerous condition that a hacker can exploit to take control of the kernel."

The security researcher says that an attacker, even using an unprivileged user, can cause a system to crash and run malicious code with administrative privileges. During his tests, Petterson opened a root shell on a Ubuntu 16.04 machine.

"My exploit defeats SMEP/SMAP," Petterson also added, referring to Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP), two security systems found on Intel chips that generate an error when a user tries to execute code or access data from the processor's inner sections (known as rings).

Because it can defeat SMEP/SMAP, the bug is quite attractive to attackers. "This can be exploited in the wild," Petterson told Bleeping Computer.

"There's not really any reliable protection measure other than updating your kernel. Or running grsecurity," Petterson said.

In October, researchers discovered Dirty COW, another race condition in the Linux kernel, that existed for far longer in the Linux kernel code, since 2007, nine years ago.