Kernel Exploit v2.6.37 ~ v3.8.9

#1 Post by Q5sys »

This affects all Kernels from 2.6.37 through 3.8.9 if they were built with the PERF_EVENTS option.

Exploit report can be found here: http://web.nvd.nist.gov/view/vuln/detai ... -2013-2094
The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.
Just an FYI. Shouldn't affect us much since we run as root anyway, but being aware is always beneficial.
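
A defender-side check for the condition described in the first post, as an added example that is not part of the original thread: it tests whether a kernel release string falls in the 2.6.37 to 3.8.9 range the post gives and whether the kernel config contains CONFIG_PERF_EVENTS=y. The function names and result labels are assumptions made for this example; the version number is only a first filter, since distribution kernels can carry the fix under an older version number.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and result labels are
# assumptions; the version range is the one stated in the first post.

# Encode "major.minor.patch" as one integer so versions compare numerically.
ver_key() (
    v=${1%%[!0-9.]*}            # drop suffixes such as "-4-amd64"
    IFS=.
    set -- $v
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# True when the release lies in 2.6.37 .. 3.8.9 (inclusive, as in the post).
in_affected_range() (
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key 2.6.37)" ] && [ "$k" -le "$(ver_key 3.8.9)" ]
)

# True when the given kernel config (plain text or .gz) enables perf events.
perf_events_enabled() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac 2>/dev/null | grep -qx 'CONFIG_PERF_EVENTS=y'
}

# assess <kernel-release> <config-file>
# "in-range-perf-on" means: confirm the vendor's fixed kernel is installed.
assess() {
    if ! in_affected_range "$1"; then
        echo "outside-range"
    elif perf_events_enabled "$2"; then
        echo "in-range-perf-on"
    else
        echo "in-range-perf-off"
    fi
}

# Report on the running kernel when a readable config file is present.
for cfg in "/boot/config-$(uname -r)" /proc/config.gz; do
    if [ -r "$cfg" ]; then
        echo "$(uname -r): $(assess "$(uname -r)" "$cfg")"
        break
    fi
done
```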

#2 Post by tytower »

I don't think publishing such material is helpful to the general user.
I'm not a newbie but I have no idea how to use this to my advantage but I might go off and have a look if you post it here.

Secondly it will scare the average user into thinking about unknown security worries which all systems have but now this post focuses the worry unnecessarily on Puppy.

I would suggest a separate area for such security issues might be more covert and access given on request rather than just being randomly published for all to read. What do you think?

#3 Post by Q5sys »

tytower wrote:I don't think publishing such material is helpful to the general user.
I'm not a newbie but I have no idea how to use this to my advantage but I might go off and have a look if you post it here.
Whether a user takes advantage of this information is their personal choice. If they don't care, they can simply move along to another thread. If they do care, and they choose to look into this, that's their choice. If they have no care to educate themselves about this... that's their choice as well.
tytower wrote:Secondly it will scare the average user into thinking about unknown security worries which all systems have but now this post focuses the worry unnecessarily on Puppy.
Did you read the last line of my post? This is not intended to scare anyone. It's an FYI, so if it's something someone does care about they can look into it, and address that issue for themselves. This kernel issue affects ALL linux distros. So it's not focusing anything on puppy. And the security issue isn't unknown... it's very known, that's why it's being publicly discussed. To raise awareness so people can (if they choose) address this problem.
tytower wrote:I would suggest a separate area for such security issues might be more covert and access given on request rather than just being randomly published for all to read. What do you think?
Uh... it's in the Security forum. Besides, one of the strengths of Open Source Development is that when bugs and flaws are found they are openly discussed and talked about so that:

A.) they can be fixed and everyone can be aware that they NEED to fix it.
B.) So people can learn and hopefully not have to deal with the same problem again.

Keeping Flaws and bugs secret and private only works to the advantage of those who wish to exploit those flaws to exploit other people's systems.

Besides... if this information was needed to be kept 'covert'... the US Government would NOT be publicly releasing it. And the Linux Kernel Developers would also not be publicly releasing it.

#4 Post by tytower »

Yes well when you are prepared to step back and have another read, the important part is not to scare Puppy users and you do.

It is hard enough getting people to try Puppy or any Linux distro without giving them a reason not to.

Don't you think my suggestion of a closed area with entry as needed is a sensible approach? After all, only the very experienced would know what you are talking about anyway.

#5 Post by 01micko »

Putting this in perspective, an attacker would have to be in your system anyway, so as long as you have the usual precautions in place then there is no need to panic! :)

#6 Post by Q5sys »

tytower wrote:Yes well when you are prepared to step back and have another read, the important part is not to scare Puppy users and you do.
I presented a simple factual statement. That statement in and of itself is not scary or threatening or anything else. How a person chooses to take that statement has nothing to do with me. It has everything to do with them. Since I have no control over the behavior of others, I see no reason to try to censor myself because it 'might' scare someone.

tytower wrote:It is hard enough getting people to try Puppy or any Linux distro without giving them a reason not to.
If someone is concerned about Computer exploits... then they'd already be using linux since it's more secure than Windows by orders of magnitude. Anyone who would choose not to use linux because of the few flaws or exploits. Microsoft had 131 security exploits that were publicly confirmed in the last 3 months.
Since microsoft's code is closed source, it's harder for exploits to be publicly found and fixed. This is why it's so much more exploitable. The Linux Kernel on the other hand has thousands and thousands of people looking at it all the time. That's why problems are found and fixed so much quicker.
Between the Linux Kernel and the Windows Kernel... the Linux Kernel is far more secure and stable. Someone who wants a secure Operating System would not be scared of linux because of an exploit every once in a while.
And if an exploit was enough to stop someone from trying an OS... well they might as well never use a computer ever again.
tytower wrote:Don't you think my suggestion of a closed area with entry as needed is a sensible approach? After all, only the very experienced would know what you are talking about anyway.
No, I don't think it's a sensible approach. Knowledge deserves to be free for those that want to learn. Free access to information allows everyone to learn and grow. Closing it off so 'only certain people' have access is dangerous. It doesn't matter if only a few would know how to use it. If someone sees this and doesn't understand it... they have the freedom to choose to either A.) Just go and read something else, or B.) Decide to try to learn what all this means and grow.

Stepping to the side for a moment, from your signature I thought you'd be sensible about not keeping information private. But perhaps you are one of those who believes the Government when they say they need to keep all their information and records secret for 'our' good. Governments love to restrict access to information because they are aware that knowledge is power, and they want to limit the ability for anyone to use that information against them.

Linux is not a dictatorship where certain people control information. It's freely open to anyone who wants it.
01micko wrote:Putting this in perspective, an attacker would have to be in your system anyway, so as long as you have the usual precautions in place then there is no need to panic! :)
Agreed, no reason to panic. And as I said in my first post, since we run as root anyway, its usefulness is limited. However since there are developers here who are working to create more robust multi-user systems, this may be of interest to them when they are trying to build a new release and are thinking about what kernel version to use.
I'm wondering if the patch will get back ported to the LTS kernel.

#7 Post by Flash »

Since users of a shared OS are often the intended targets of attacks, the solution - provided by Puppy :) - is to give each user his or her own multisession DVD and teach them how to use it. That way, any malware they may pick up while running as root is not shared by other users of the OS. It is either deleted if they shut down without saving, or saved in a session on the DVD where it can be isolated and examined.

#8 Post by James C »

http://arstechnica.com/security/2013/05 ... ilent-fix/
The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles.

Now that a fix is available in the kernel, it will be folded into all of the affected stable kernel releases offered by kernel.org, which maintains the Linux core code. Individual distributions are expected to apply the fix to their kernels and publish security updates in the coming days.

#9 Post by Q5sys »

James C wrote:http://arstechnica.com/security/2013/05 ... ilent-fix/
The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles.

Now that a fix is available in the kernel, it will be folded into all of the affected stable kernel releases offered by kernel.org, which maintains the Linux core code. Individual distributions are expected to apply the fix to their kernels and publish security updates in the coming days.

I swear ars has something against the linux community. Any chance they get to talk trash they do. Most Linux Kernel devs openly state that anything can be a vulnerability. (which is true). This tends to make some people feel like they don't focus enough on security. Linus has made countless comments about the 'security above everything else' mentality, and he disagrees with it. See: his google+ post.

Usually the Kernel devs don't make huge announcements about any patch period. It just gets patched and they move on. For some reason their lack of sensationalism about security patches is taken as a negative. Ironically though M$ only puts out 1 notice a month about security fixes, and ars thinks that's just fine. Ars also thinks it's fine when MS holds a critical security fix for another month simply because it didn't meet the merge window for release.
Sigh...

#10 Post by Iguleder »

Guys, let's not forget that anyone who runs code on Puppy (including hackers) is already running as root (or has many easy ways to become root).

This vulnerability exists in Puppy, but its impact on Puppy's overall security is minimal.

#11 Post by Q5sys »

Iguleder wrote:Guys, let's not forget that anyone who runs code on Puppy (including hackers) is already running as root (or has many easy ways to become root).

This vulnerability exists in Puppy, but its impact on Puppy's overall security is minimal.

From my first post:
Q5sys wrote:Just an FYI. Shouldn't affect us much since we run as root anyway, but being aware is always beneficial.
From my third post:
Q5sys wrote:And as I said in my first post, since we run as root anyway, its usefulness is limited.
This really only affects puppy releases that are multi-user like FatDog64. And even in those situations it's only a minimal effect.
