The Linux Kernel since version 3.16 to 4.18.8 has an unfixed vulnerability, as disclosed by Google Project Zero. The vulnerability was first exposed by Jann Horn, a cybersecurity researcher under the Project Zero program. Now known as CVE-2018-17182, it is a cache invalidation bug that affects the memory management Linux module. Successful exploitation of the bug enables the attacker to gain root access in the Linux-based computer. “While the bug itself is in code that is reachable even from relatively strongly sandboxed contexts, this blogpost only describes a way to exploit it in environments that use Linux kernels that haven’t been configured for increased security (specifically, Ubuntu 18.04 with kernel linux-image-4.15.0-34-generic at version 4.15.0-34.37),” said Horn.
The underprivileged user, using CVE-2018-17182 can alter memory and create an artificial denial of service attack. Horn described the exploit as “takes about an hour to run before popping a root shell.” The Linux kernel maintainers have acted on the issue and released patched versions of the Linux kernel: 4.18.9, 4.14.71, 4.9.128, and 4.4.157.
The only problem in the nutshell is not all Linux distro offers kernel upgrades quick enough to prevent possible exploits from being taken advantage of. Upgrading the Linux kernel is also a process that no Linux newbie can perform since all the drivers for a Linux computer come from the kernel. There are instances that users’ loss hardware functionality, especially the working operations of computer peripherals like mice, scanners, printers, etc.
“(Updates are made available) However, a fix being in the upstream kernel does not automatically mean that users’ systems are actually patched,” explained Horn. He expressed the displeasure with major Linux distribution: Ubuntu and Debian, as those two are not providing end-users with updated version of the patched kernel quick enough. “Linux distributions often don’t publish distribution kernel updates very frequently. For example, Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27. Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users – especially if the security impact is not announced publicly.
In this case, the security issue was announced on the oss-security mailing list on 2018-09-18, with a CVE allocation on 2018-09-19, making the need to ship new distribution kernels to users clearer. Still: As of 2018-09-26, both Debian and Ubuntu (in releases 16.04 and 18.04) track the bug as unfixed,” said Horn.
The lag between the patch availability and the actual installation of the patch opens a window of opportunity for cybercriminals to use the exploit with a high success rate. All advance users of Linux can apply a newer patched Linux kernel without trouble, as they have enough experience on how to recover from a failed installation of the kernel if it happens.
