1. grahamf's Avatar
    Linux bug imperils tens of millions of PCs, servers, and Android phones | Ars Technica
    For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.

    The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can't be accessed by other apps. According to a blog post published Tuesday, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that's executed by the kernel.
    Question 1: Does this affect the BB10 ART?
    Question 2: Does this affect the Priv?
    Question 3: If so, how long until BlackBerry patches it?
    01-19-16 05:14 PM
  2. Bla1ze's Avatar
    No one is going to be able to answer that yet. As it stands, there's nothing from BB SIRT.

    Incident Response Team - United States

    https://twitter.com/bbsirt

    A guess would be...

    1). Likely.. however, given the ART implementation it would likely fail as it's not a 'standard' installation of Android. Instead, it's full of symlinks and dead-ends which most attacks aren't aware of / don't account for.

    EDIT: Actually, it only exploits Kit Kat and higher, as the ART is on Jelly Bean, it's irrelevant.

    2). Likely, and if it is it would be a part of the security updates pushed out by Google / BlackBerry. As BlackBerry has noted, they don't really need to wait for Google to patch anything, if it's a high priority they can hot fix such things with their own solutions.

    3). HAHAHA! Update the ART... it's still 'broke' from their last update.. don't count on a swift turnaround unless there's actual documentation of the exploit actively being exploited. A proof-of-concept is scary but if there's no real world indications of it being exploited, things always tend to move slower for any company, not just BB.

    "As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets)," Perception Point researchers wrote. "While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible."
    01-19-16 05:43 PM
  3. Rob Longmire's Avatar
    Zero-day Linux kernel security flaw leaves millions of Android users vulnerable

    Where is blackberry on this problem? Does it affect the priv? Will they fix it or have they already?

    Posted via CB10
    01-19-16 08:14 PM
  4. zocster's Avatar
    I'd say the same risk as these other ones are until M is out for it
    01-19-16 08:35 PM
  5. Jonneh's Avatar
    Well, let's take this step-by-step.

    First, the source article says, "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, [...]" - obviously if someone has local access to your device, they can do whatever.
    Second, if the attacker (which, again, the article states there have been no attacks at all, and this goes all the way back to 2012, as per the article) doesn't have local access, they need to force the user to install malware to their device. This usually means going into Settings and allowing the installation of Unknown Applications. It's a checkmark which you can use to sideload a well-known (and safe) app not available in the Play Store, and then just switch right back off.
    Third, Google releases monthly security patches. The only real threat that has occurred was Stage Fright, and that was immediately put to its death by Google (and many other manufacturers and even third party apps like the Textra team, who now include their very own Stage Fright protection in case your manufacturer of your older phone didn't do anything about it).
    Fourth, BlackBerry runs the Priv, and we all know BlackBerry isn't going to allow something like this. :-P

    Source: Zero-Day Flaw Found in Linux - DataBreachToday
    01-19-16 08:40 PM
  6. Uzi's Avatar
    Yep, it will probably be patched in the February security update
    01-19-16 08:42 PM
  7. DaedalusIcarusHelios's Avatar
    BlackBerry has made enough changes that they might have prevented the exploit or made it harder to attain just based on the extra protections in place. Although it could be they don't help in this particular incident.

    Edit: since the threads were merged, I was speaking of the Priv's Android implementation

    Posted via CB10
    Last edited by DaedalusIcarusHelios; 01-19-16 at 11:11 PM.
    01-19-16 08:50 PM
  8. Uzi's Avatar
    Thread merged
    Jonneh likes this.
    01-19-16 09:04 PM
  9. senectus's Avatar
    It's a bit overblown

    To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, or else build malware to gain access to the machine, after which the vulnerability can be exploited to gain root-level access. "Using the API that the kernel provides, you can get root access to the machine."
    So you need physical access (in which case all bets are off anyway) OR to have the user install software that takes advantage of another flaw to give you access (this makes it bloody hard to pull off as you would need to rely on someone really dumb doing something really stupid).
    01-19-16 09:14 PM
  10. thurask's Avatar
    this makes it bloody hard to pull off as you would need to rely on someone really dumb doing something really stupid
    Never underestimate the ingenuity of the average idiot.
    lift, 00stryder, Djlatino and 4 others like this.
    01-19-16 10:49 PM
  11. senectus's Avatar
    Never underestimate the ingenuity of the average idiot.

    Average idiots don't worry me, it's the extra special ones that you need to watch out for... :-)

    Having said that, the point of my comment was that this isn't a really broad problem. It's a bad flaw, yes. It affects LOTS of devices, yes. Is it likely to actually be a problem that it's likely to see the light of day across a large number of those devices?
    No, not really.
    Dunt Dunt Dunt likes this.
    01-19-16 11:04 PM
  12. Ment's Avatar
    Reading about this vulnerability, it's likely your phone would shut down due to battery before you'd get a result. People are trying this on their Linux desktop boxes and still aren't able to get this proof of concept to work after a couple hours of their desktop CPU hammering on it.

    In other words unless someone has more info, this is a big pile of FUD.
    01-19-16 11:26 PM
  13. Soulstream's Avatar
    It's a bit overblown



    So you need physical access (in which case all bets are off anyway) OR to have the user install software that takes advantage of another flaw to give you access (this makes it bloody hard to pull off as you would need to rely on someone really dumb doing something really stupid).
    A lot of Android exploits are like this. You must have physical access to the device, unlock the device AND install a malicious app on the phone. And people wonder why Android users are not actually concerned about all the exploits.
    Jonneh and LazyEvul like this.
    01-20-16 04:11 AM
  14. senectus's Avatar
    Yeah rule of thumb is if an attacker has physical access, you're screwed.
    Doesn't matter if it's an iPhone, win phone, blackphone or bloody carrier pigeon. Physical access means all bets are off...
    Wezard likes this.
    01-20-16 04:29 AM
  15. Bla1ze's Avatar
    Well, let's take this step-by-step.

    First, the source article says, "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, [...]" - obviously if someone has local access to your device, they can do whatever.
    Second, if the attacker (which, again, the article states there have been no attacks at all, and this goes all the way back to 2012, as per the article) doesn't have local access, they need to force the user to install malware to their device. This usually means going into Settings and allowing the installation of Unknown Applications. It's a checkmark which you can use to sideload a well-known (and safe) app not available in the Play Store, and then just switch right back off.
    Third, Google releases monthly security patches. The only real threat that has occurred was Stage Fright, and that was immediately put to its death by Google (and many other manufacturers and even third party apps like the Textra team, who now include their very own Stage Fright protection in case your manufacturer of your older phone didn't do anything about it).
    Fourth, BlackBerry runs the Priv, and we all know BlackBerry isn't going to allow something like this. :-P

    Source: Zero-Day Flaw Found in Linux - DataBreachToday
    Get out of here. There's no room for LOGIC here, sheesh. Only chicken little sky is falling actions and complaining are allowed here. On that note, WHY HASN'T BLACKBERRY FIXED THIS YET??!!!?!!! I DEMAND A REFUND.
    01-20-16 04:32 AM
  16. Superdupont 2_0's Avatar
    Question 1: Does this affect the BB10 ART?
    A1: Does BB10 run on the Linux Kernel? I would guess the ART is never affected by Linux Kernel vulnerabilities.

    Question 2: Does this affect the Priv?
    A2: My best guess would be YES!

    Question 3: If so, how long until BlackBerry patches it?
    A3: That will be indeed interesting to watch.
    Last edited by Superdupont 2_0; 01-20-16 at 07:21 AM.
    01-20-16 06:50 AM
  17. Superdupont 2_0's Avatar
    Well, let's take this step-by-step.

    First, the source article says, "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, [...]" - obviously if someone has local access to your device, they can do whatever. [...]

    Source: Zero-Day Flaw Found in Linux - DataBreachToday
    Unfortunately your quote is incomplete/incorrect.
    The full quote says: "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, or else build malware to gain access to the machine, after which the vulnerability can be exploited to gain root-level access [...]"

    I don't know exactly how Linux works, but basically local code execution via unpatched browser (plugins) vulnerabilities or other unpatched software should be possible on all OSes (which is why you want to patch all your software regularly, not only the OS).
    And at least on Android it is very easy to smuggle malware into Google Play and convince a few million people to install it.

    Well, normally the damage from local code execution is limited when you are not logged in as an administrator, or when there is no way to gain root access.
    That's the whole point why people should use Windows only with a user account, for example.
    And a malicious app is normally only as malicious as the app permissions it got from the user.

    However, if the attacker or an app would gain root access through a bug like this one, then it's "game over" even on Linux.
    In such cases I would normally wipe my drive and start from scratch with a clean install...
    01-20-16 07:19 AM
  18. tollfeeder's Avatar
    Somebody should try the exploit on their Priv, then we'll know https://gist.github.com/gcmurphy/1c91644718d28695da2d

    Depending on the Grsecurity settings it might not even be affected. Time will tell I guess. By the way - at least some Linux distributions already got patches.

    Via Pasta CB10
    Jonneh and Superdupont 2_0 like this.
    01-20-16 08:10 AM
  19. thurask's Avatar
    Question 1: Does this affect the BB10 ART?
    Question 2: Does this affect the Priv?
    Question 3: If so, how long until BlackBerry patches it?
    1: No, the kernel version is too old.
    2: Dunno. The original blog post notes that SELinux could get in the way of this, plus there's no telling what the other BlackBerry modifications (Grsec and whatnot) would do. Would need someone to try to execute this code on-device.
    3: February?
    01-20-16 08:13 AM
  20. ToniCipriani's Avatar
    Get out of here. There's no room for LOGIC here, sheesh. Only chicken little sky is falling actions and complaining are allowed here. On that note, WHY HASN'T BLACKBERRY FIXED THIS YET??!!!?!!! I DEMAND A REFUND.
    You forgot the "this wouldn't have happened if the Priv ran BB10".
    01-20-16 10:14 AM
  21. DenverRalphy's Avatar
    Unfortunately your quote is incomplete/incorrect.
    The full quote says: "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, or else build malware to gain access to the machine, after which the vulnerability can be exploited to gain root-level access [...]"
    To be fair. He did address the missing portion of the quote in his 2nd point.
    Jonneh likes this.
    01-20-16 10:31 AM
  22. Superdupont 2_0's Avatar
    To be fair. He did address the missing portion of the quote in his 2nd point.
    Well, he didn't mention the possibility of drive-by infections and obviously ignored that about 10% of Google Play apps are malicious; some, like Brain Test and its derivatives, can even root the device, while Google continuously failed to detect these apps in their store.

    Only thing I can clearly agree is that the Priv maybe isn't vulnerable or will get the patch soon enough, but in general any privilege escalation vulnerability must be patched for good reasons.


    Posted via CB10
    01-20-16 11:07 AM
  23. Jonneh's Avatar
    Unfortunately your quote is incomplete/incorrect.
    The full quote says: "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, or else build malware to gain access to the machine, after which the vulnerability can be exploited to gain root-level access [...]"

    I don't know exactly how Linux works, but basically local code execution via unpatched browser (plugins) vulnerabilities or other unpatched software should be possible on all OSes (which is why you want to patch all your software regularly, not only the OS).
    And at least on Android it is very easy to smuggle malware into Google Play and convince a few million people to install it.

    Well, normally the damage from local code execution is limited when you are not logged in as an administrator, or when there is no way to gain root access.
    That's the whole point why people should use Windows only with a user account, for example.
    And a malicious app is normally only as malicious as the app permissions it got from the user.

    However, if the attacker or an app would gain root access through a bug like this one, then it's "game over" even on Linux.
    In such cases I would normally wipe my drive and start from scratch with a clean install...
    As DenverRalphy said, the second part of the quote is in point two; I dissected it piece-by-piece.
    I don't doubt the severeness of a bug allowing an attacker root access to a user's device; everything you've said describing that is true, as it would be potentially devastating. What I'm pointing out, though, is that this is not going to happen. Media like to use Android's openness as a way to make quick bucks through clickbait headlines--money runs the world. It's easy to do this by saying Android is so open that it's riddled with bugs/exploits which allow malware and disease and death. Back before Android was popular, a headline like this would pop up maybe once every year and a half. That turned into once a year once Android gained steam, and now it's several. Interestingly, no one ever is affected, nothing scary happens, and the world moves on. As I stated above, Stage Fright was the only real threat, and it was squashed immediately. I'm going on 6 1/2 years of Android devices now, and never once have I had malware, spyware, a virus, anything, nothing. And never once have any of my family members (who aren't careful at all). And never once has someone in a forum I've read, with the exception of them installing some crappy app full of ads which caused popups and other annoying junk which was easily remedied by uninstalling the app. I'm not saying this is 100% safe and okay, and there are always cheap users who try to sideload paid pirated apps from random Chinese websites for free (and that's where 99.9% of any malicious apps hide), but we're all going to be just fine despite the fear-mongering headlines.
    And, again, as this is not only Google but BlackBerry involved as well, "we're fine" goes double.

    TL;DR: We're all going to be fine; business as usual. Another day, another scary headline.
    01-20-16 11:55 AM
  24. Dunt Dunt Dunt's Avatar
    As DenverRalphy said, the second part of the quote is in point two; I dissected it piece-by-piece.
    I don't doubt the severeness of a bug allowing an attacker root access to a user's device; everything you've said describing that is true, as it would be potentially devastating. What I'm pointing out, though, is that this is not going to happen. Media like to use Android's openness as a way to make quick bucks through clickbait headlines--money runs the world. It's easy to do this by saying Android is so open that it's riddled with bugs/exploits which allow malware and disease and death. Back before Android was popular, a headline like this would pop up maybe once every year and a half. That turned into once a year once Android gained steam, and now it's several. Interestingly, no one ever is affected, nothing scary happens, and the world moves on. As I stated above, Stage Fright was the only real threat, and it was squashed immediately. I'm going on 6 1/2 years of Android devices now, and never once have I had malware, spyware, a virus, anything, nothing. And never once have any of my family members (who aren't careful at all). And never once has someone in a forum I've read, with the exception of them installing some crappy app full of ads which caused popups and other annoying junk which was easily remedied by uninstalling the app. I'm not saying this is 100% safe and okay, and there are always cheap users who try to sideload paid pirated apps from random Chinese websites for free (and that's where 99.9% of any malicious apps hide), but we're all going to be just fine despite the fear-mongering headlines.
    And, again, as this is not only Google but BlackBerry involved as well, "we're fine" goes double.

    TL;DR: We're all going to be fine; business as usual. Another day, another scary headline.
    People like scary stuff..... or we wouldn't have "Pride and Prejudice and Zombies" hitting our theaters.
    Jonneh likes this.
    01-20-16 02:32 PM
  25. smcv's Avatar
    A1: Does BB10 run on the Linux Kernel?
    it does not.
    01-20-16 02:36 PM