Root-access Linux bug imperils tens of millions of PCs, servers, and Android phones
- Linux bug imperils tens of millions of PCs, servers, and Android phones | Ars Technica
For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.
The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can't be accessed by other apps. According to a blog post published Tuesday, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that's executed by the kernel.
Question 2: Does this affect the Priv
Question 3: if so, how long until Blackberry patches it?
01-19-16 05:14 PM
Bla1ze (CB OG)
No one is going to be able to answer that yet. As it stands, there's nothing from BB SIRT.
Incident Response Team - United States
https://twitter.com/bbsirt
A guess would be...
1). Likely.. however, given the ART implementation it would likely fail as it's not a 'standard' installation of Android. Instead, it's full of symlinks and dead-ends which most attacks aren't aware of / don't account for.
EDIT: Actually, it only exploits Kit Kat and higher, as the ART is on Jelly Bean, it's irrelevant.
2). Likely, and if it is it would be a part of the security updates pushed out by Google / BlackBerry. As BlackBerry has noted, they don't really need to wait for Google to patch anything, if it's a high priority they can hot fix such things with their own solutions.
3). HAHAHA! Update the ART... it's still 'broke' from their last update.. don't count on a swift turnaround unless there's actual documentation of the exploit actively being exploited. A proof-of-concept is scary but if there's no real world indications of it being exploited, things always tend to move slower for any company, not just BB.
"As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets)," Perception Point researchers wrote. "While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible."
01-19-16 05:43 PM
Zero-day Linux kernel security flaw leaves millions of Android users vulnerable
Where is BlackBerry on this problem? Does it affect the Priv? Will they fix it or have they already?
Posted via CB10
01-19-16 08:14 PM
Well, let's take this step-by-step.
First, the source article says, "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, [...]" - obviously if someone has local access to your device, they can do whatever.
Second, if the attacker (which, again, the article states there have been no attacks at all, and this goes all the way back to 2012, as per the article) doesn't have local access, they need to force the user to install malware to their device. This usually means going into Settings and allowing the installation of Unknown Applications. It's a checkmark which you can use to sideload a well-known (and safe) app not available in the Play Store, and then just switch right back off.
Third, Google releases monthly security patches. The only real threat that has occurred was Stage Fright, and that was immediately put to its death by Google (and many other manufacturers and even third party apps like the Textra team, who now include their very own Stage Fright protection in case your manufacturer of your older phone didn't do anything about it).
Fourth, BlackBerry runs the Priv, and we all know BlackBerry isn't going to allow something like this. :-P
Source: Zero-Day Flaw Found in Linux - DataBreachToday
01-19-16 08:40 PM
BlackBerry has made enough changes that they might have prevented the exploit or made it harder to attain just based on the extra protections in place. Although it could be they don't help in this particular incident.
Edit: since the threads were merged, I was speaking of the Priv's Android implementation
Posted via CB10
Last edited by DaedalusIcarusHelios; 01-19-16 at 11:11 PM.
01-19-16 08:50 PM
It's a bit overblown.
To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, or else build malware to gain access to the machine, after which the vulnerability can be exploited to gain root-level access. "Using the API that the kernel provides, you can get root access to the machine."
01-19-16 09:14 PM
Average idiots don't worry me, it's the extra special ones that you need to watch out for... :-)
Having said that, the point of my comment was that this isn't a really broad problem, it's a bad flaw yes. It affects LOTS of devices, yes. Is it likely to actually be a problem that it's likely to see the light of day across a large number of those devices?
No, not really.
01-19-16 11:04 PM
Reading about this vulnerability, it's likely your phone would shut down due to battery before you'd get a result. People are trying this on their Linux desktop boxes and still aren't able to get this proof of concept to work after a couple hours of their desktop CPU hammering on it.
In other words unless someone has more info, this is a big pile of FUD.
01-19-16 11:26 PM
It's a bit overblown.
So you need physical access (in which case all bets are off anyway) OR to have the user install software that takes advantage of another flaw to give you access (this makes it bloody hard to pull off as you would need to rely on someone really dumb doing something really stupid).
01-20-16 04:11 AM
Bla1ze (CB OG)
Well, let's take this step-by-step.
First, the source article says, "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, [...]" - obviously if someone has local access to your device, they can do whatever.
Second, if the attacker (which, again, the article states there have been no attacks at all, and this goes all the way back to 2012, as per the article) doesn't have local access, they need to force the user to install malware to their device. This usually means going into Settings and allowing the installation of Unknown Applications. It's a checkmark which you can use to sideload a well-known (and safe) app not available in the Play Store, and then just switch right back off.
Third, Google releases monthly security patches. The only real threat that has occurred was Stage Fright, and that was immediately put to its death by Google (and many other manufacturers and even third party apps like the Textra team, who now include their very own Stage Fright protection in case your manufacturer of your older phone didn't do anything about it).
Fourth, BlackBerry runs the Priv, and we all know BlackBerry isn't going to allow something like this. :-P
Source: Zero-Day Flaw Found in Linux - DataBreachToday
01-20-16 04:32 AM
A1: Does BB10 run on the Linux Kernel? I would guess the ART is never affected by Linux Kernel vulnerabilities.
A2: My best guess would be YES!
A3: That will be indeed interesting to watch.
Last edited by Superdupont 2_0; 01-20-16 at 07:21 AM.
01-20-16 06:50 AM
Well, let's take this step-by-step.
First, the source article says, "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, [...]" - obviously if someone has local access to your device, they can do whatever. [...]
Source: Zero-Day Flaw Found in Linux - DataBreachToday
The full quote says: "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, or else build malware to gain access to the machine, after which the vulnerability can be exploited to gain root-level access [...]"
I don't know exactly how Linux works, but basically local code execution via unpatched browser (plugins) vulnerabilities or other unpatched software should be possible on all OSes (which is why you want to patch all your software regularly, not only the OS).
And at least on Android it is very easy to smuggle malware into Google Play and convince a few million people to install it.
Well, normally the damage from local code execution is limited, when you are not logged-in as an administrator, respectively when there is no way to gain root access.
That's the whole point why people should use Windows only with a user account, for example.
And a malicious app is normally only as malicious as the app's permission it got from the user.
However, if the attacker or an app would gain root access through a bug like this one, then it's "game over" even on Linux.
In such cases I would normally wipe my drive and start from scratch with a clean install...
01-20-16 07:19 AM
Somebody should try the exploit on their Priv, then we'll know https://gist.github.com/gcmurphy/1c91644718d28695da2d
Depending on the Grsecurity settings it might not even be affected. Time will tell I guess. By the way - at least some Linux distributions already got patches.
Via Pasta CB10
01-20-16 08:10 AM
2: Dunno. The original blog post notes that SELinux could get in the way of this, plus there's no telling what the other BlackBerry modifications (Grsec and whatnot) would do. Would need someone to try to execute this code on-device.
3: February?
01-20-16 08:13 AM
DenverRalphy (Retired Network Mod)
Unfortunately your quote is incomplete/incorrect.
The full quote says: "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, or else build malware to gain access to the machine, after which the vulnerability can be exploited to gain root-level access [...]"
01-20-16 10:31 AM
Only thing I can clearly agree is that the Priv maybe isn't vulnerable or will get the patch soon enough, but in general any privilege escalation vulnerability must be patched for good reasons.
Posted via CB10
01-20-16 11:07 AM
Unfortunately your quote is incomplete/incorrect.
The full quote says: "To exploit the newly disclosed flaw, "you have to have local access to the machine," Pats says, or else build malware to gain access to the machine, after which the vulnerability can be exploited to gain root-level access [...]"
I don't know exactly how Linux works, but basically local code execution via unpatched browser (plugins) vulnerabilities or other unpatched software should be possible on all OSes (which is why you want to patch all your software regularly, not only the OS).
And at least on Android it is very easy to smuggle malware into Google Play and convince a few million people to install it.
Well, normally the damage from local code execution is limited, when you are not logged-in as an administrator, respectively when there is no way to gain root access.
That's the whole point why people should use Windows only with a user account, for example.
And a malicious app is normally only as malicious as the app's permission it got from the user.
However, if the attacker or an app would gain root access through a bug like this one, then it's "game over" even on Linux.
In such cases I would normally wipe my drive and start from scratch with a clean install...
I don't doubt the severeness of a bug allowing an attacker root access to a user's device; everything you've said describing that is true, as it would be potentially devastating. What I'm pointing out, though, is that this is not going to happen. Media like to use Android's openness as a way to make quick bucks through clickbait headlines--money runs the world. It's easy to do this by saying Android is so open that it's riddled with bugs/exploits which allow malware and disease and death. Back before Android was popular, a headline like this would pop up maybe once every year and a half. That turned into once a year once Android gained steam, and now it's several. Interestingly, no one ever is affected, nothing scary happens, and the world moves on. As I stated above, Stage Fright was the only real threat, and it was squashed immediately. I'm going on 6 1/2 years of Android devices now, and never once have I had malware, spyware, a virus, anything, nothing. And never once have any of my family members (who aren't careful at all). And never once has someone in a forum I've read, with the exception of them installing some crappy app full of ads which caused popups and other annoying junk which was easily remedied by uninstalling the app. I'm not saying this is 100% safe and okay, and there are always cheap users who try to sideload paid pirated apps from random Chinese websites for free (and that's where 99.9% of any malicious apps hide), but we're all going to be just fine despite the fear-mongering headlines.
And, again, as this is not only Google but BlackBerry involved as well, "we're fine" goes double.
TL;DR: We're all going to be fine; business as usual. Another day, another scary headline.
01-20-16 11:55 AM
As DenverRalphy said, the second part of the quote is in point two; I dissected it piece-by-piece.
I don't doubt the severeness of a bug allowing an attacker root access to a user's device; everything you've said describing that is true, as it would be potentially devastating. What I'm pointing out, though, is that this is not going to happen. Media like to use Android's openness as a way to make quick bucks through clickbait headlines--money runs the world. It's easy to do this by saying Android is so open that it's riddled with bugs/exploits which allow malware and disease and death. Back before Android was popular, a headline like this would pop up maybe once every year and a half. That turned into once a year once Android gained steam, and now it's several. Interestingly, no one ever is affected, nothing scary happens, and the world moves on. As I stated above, Stage Fright was the only real threat, and it was squashed immediately. I'm going on 6 1/2 years of Android devices now, and never once have I had malware, spyware, a virus, anything, nothing. And never once have any of my family members (who aren't careful at all). And never once has someone in a forum I've read, with the exception of them installing some crappy app full of ads which caused popups and other annoying junk which was easily remedied by uninstalling the app. I'm not saying this is 100% safe and okay, and there are always cheap users who try to sideload paid pirated apps from random Chinese websites for free (and that's where 99.9% of any malicious apps hide), but we're all going to be just fine despite the fear-mongering headlines.
And, again, as this is not only Google but BlackBerry involved as well, "we're fine" goes double.
TL;DR: We're all going to be fine; business as usual. Another day, another scary headline.
01-20-16 02:32 PM