Here’s another deep chink in the armor of the braindead zealots who claim Linux is inherently more secure than Windows. Julien Tinnes and Tavis Ormandy have found what could be the widest ranging vulnerability yet discovered in the Linux kernel.
Affected versions include all Linux 2.4 and 2.6 versions since May 2001. This spans 2.4.4 up to and including 184.108.40.206 in the 2.4 kernel and every iteration of 2.6 from 2.6.0 up to and including 220.127.116.11.
What is this vulnerability all about? Function pointers in certain kernel routines are left uninitialized, and they aren’t validated before being dereferenced. This allows local code execution (sample POC available in both articles linked above) that compromises the machine. Compromise? Yes, pwnt.
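To make the bug class concrete, here is a small added example in C (my own illustration, not code from the kernel or from the Tinnes/Ormandy write-ups). It models the pattern described above: a table of function pointers that each protocol is supposed to fill in, one entry left unset, and a dispatcher that either trusts the table blindly or checks the slot and routes to a harmless fallback. The struct, the table names and the handler functions are all hypothetical stand-ins for the real kernel structures.

```c
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Hypothetical, simplified analogue of a kernel operations table: a struct of
 * function pointers that each protocol fills in.  A protocol that does not
 * implement an operation leaves that slot zero-initialised, i.e. NULL. */
struct proto_ops {
    int (*sendmsg)(const char *buf, size_t len);
    int (*sendpage)(const char *buf, size_t len);
};

/* Generic fallback used when a protocol left the slot empty.  Returning a
 * negative errno is the benign outcome; jumping through NULL is the bug. */
static int no_sendpage(const char *buf, size_t len)
{
    (void)buf; (void)len;
    return -EOPNOTSUPP;
}

/* Toy handlers standing in for a protocol's real implementations. */
static int generic_sendmsg(const char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

static int full_sendpage(const char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

/* Two constructed tables: one complete, one missing sendpage (the bug class). */
static const struct proto_ops complete_ops   = { generic_sendmsg, full_sendpage };
static const struct proto_ops incomplete_ops = { generic_sendmsg, NULL };

/* Unchecked dispatch: trusts the table.  With incomplete_ops this calls through
 * a NULL pointer.  Shown only for contrast; nothing here invokes it. */
int dispatch_sendpage_unchecked(const struct proto_ops *ops, const char *buf, size_t len)
{
    return ops->sendpage(buf, len);
}

/* Hardened dispatch: validate the pointer before the indirect call and fall
 * back to a safe default.  This is the shape of fix such bugs receive. */
int dispatch_sendpage(const struct proto_ops *ops, const char *buf, size_t len)
{
    if (ops == NULL || ops->sendpage == NULL)
        return no_sendpage(buf, len);
    return ops->sendpage(buf, len);
}

/* Audit helper: count empty slots in a table so a reviewer can flag protocols
 * that never filled in an operation instead of discovering it at runtime. */
int count_unset_ops(const struct proto_ops *ops)
{
    int n = 0;
    if (ops->sendmsg == NULL)  n++;
    if (ops->sendpage == NULL) n++;
    return n;
}

int main(void)
{
    const char *msg = "constructed sample payload";
    size_t len = 26;

    printf("complete table:   sendpage -> %d (unset slots: %d)\n",
           dispatch_sendpage(&complete_ops, msg, len), count_unset_ops(&complete_ops));
    printf("incomplete table: sendpage -> %d (unset slots: %d)\n",
           dispatch_sendpage(&incomplete_ops, msg, len), count_unset_ops(&incomplete_ops));
    return 0;
}
```

The point of the contrast is that the data (the table) is the same in both cases; only the dispatcher decides whether a missing entry becomes an error code or an indirect jump through address zero. Auditing tables for unset slots at build or review time, as `count_unset_ops` does in miniature, catches the omission before it ever reaches a dispatcher.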
These are known affected modules according to Redhat’s bugzilla:
That thread offers mitigation possibilities (and some commenters — see #32 and #48 — explain why those steps won’t work). According to post #27 in that thread, the exploit is already being used (as of about a week ago as I write this) to attack machines: “They entered the system through a web application exploit and then used the exploit to gain a root shell.”
This gets to the bigger problems of security. If you think of Linux as only the kernel, or even the kernel plus the utilities that make it a functioning operating system, you’re seeing only one layer of vulnerability. Add another layer with various software and you’re adding more complexity and, accordingly, exponentially more layers of vulnerability. If someone can get in through one door, he can often find “keys” to open other doors. That in a nutshell is what happens in cases like #27 in the Redhat bugzilla thread.
Fedora, Debian, and Ubuntu have reportedly already patched for this kernel issue. UPDATE: So has Slackware for -current and 12.2; patches are available for other releases with both 2.4 and 2.6 kernels.