Blame
I would imagine its probably Microsofts fault.
Linux rocks!!!
A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system. The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at …
Hurrah for weasel words. Have you considered a job in politics?
Obviously there's hundreds of people doing exactly what he does, most find almost nothing, together they find a fraction of the bugs found by "those whose job it is" (as well as not repairing them).
It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!
"A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.
The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable"
Then....
"The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature"
Make your minds up!
...in 3... 2... 1...
Honestly folks, the fact that there's a bug in the Linux Kernel does not surprise me - *any* program big enough to be useful is big enough to have bugs. However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX.
Good, bad? The choice is yours. I personally run Windows XP on my desktop and Ubuntu Linux on my web/mail servers at home - use the tool best suited for the job sort of thing.
OMG ANUTHER bug?!!? ycant thees ppl lrn 2 chk there codes b4 releesig it?1/1 Linux just suxxors!! Linuxs got more holes then swis ches now. y does ppl stil use that gabrage U shuld all switch to a BSD they gots waaaaay more seccurrity and more sable too.
</parody>
Just thought I'd try a parody of the usual post found in Windows security issue comment threads.
This guy popped up with a fairly obscure but quite cute exploit that is basically a local privilege escalation.
If this was a remotely expoitable vuln, then ok, but really the biggest class of issue is the dumb user running some random file from the web and that is all this amounts too in terms of threat.
While I'm glad he raised and disclosed the bug enabling me to patch my kernels, I think this guy is making a lot of fuss over basically a couple of sloppy lines of code.
In fairness the entire net/socket.c file has a couple of example of "use before check" bugs,
it wouldn't take more then an hour to fix and for the most part they bomb correctly.
The real issue is being allowed to mmap page 0, which if you can't do then his exploit fails miserably.
Most distro kernels come with mmap_min_addr enabled anyway, if they don't frankly it's not hard to add a line to the /etc/systctl.conf file like vm.mmap_min_addr=4096
or run "sudo sysctl -w vm.mmap_min_addr=4096" on the command line.
Sure if your using wine or pulse-audio then there are issues as they need to mmap low addresses but for a lot of people stopping a user from downloading and running untrusted code is more difficult then sandboxing the system and more effective in security terms
And as for slating red-hat, they are on the case, see http://kbase.redhat.com/faq/docs/DOC-18042
Sure There are security issues with Linux but why not write a patch, submit to the LKML and be done with it.
Theo de Raadt, the leader of the OpenBSD OS had this to say about Linux and Torvalds:
If anyone wants a choice quote from me about the recent Linux holes,
this is what I have to say:
Linus is too busy thinking about masturabating monkeys, he doesn't
have time to care about Linux security.
For the record, this particular problem was resolved in OpenBSD a
while back, in 2008. We are not super proud of the solution, but it
is what seems best faced with a stupid Intel architectural choice.
However, it seems that everyone else is slowly coming around to the
same solution.
"It's interesting to me that I picked it out two weeks before the people whose job it is to find this sort of stuff,"
What is the point of saying this???? This just proves open source is working. Presumably he is about as likely to find a flaw as anyone else (discounting different levels of smarts). If this was Microsoft and he was finding bugs with fuzzing or what not then he would have a point. The purpose of Linux is to rely on users like himself to find these bugs. Open source is working, move along.
For many commercial customers, upgrading immediately to the latest bug fix releases of the kernel is not a realistic option. For example if you use OCFS2 you might have to wait a little while for them to update their kernel modules. Or if you're an HP customer and use their Proliant Support Pack with their updated drivers you also have to wait for a version to be released that supports the kernel you want to move to. Typically this happens about every 3 months and they will always lag behind the the very latest kernels because kernel releases are a moving target and HP have to stop at some point to QA before they do a release.
I can't speak for IBM or Dell as I don't have any experience with those vendors. Would be interested to hear from anyone who does.
As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf".
WINE is for running Windows programs on a Linux box, but it has limitations. Last time I read about it, WINE was unable to install or run Windows malware correctly.
Closed source drivers can cause some hassle (none in this case). If some kit provides so much benefit for you that it is worth the hassle, ask the supplier to provide a minimal open source wrapper around a binary blob like nVidia have for years.
Your headline is more than misleading: the latest -and not-so-latest- Linux is indeed fully patched, only Red Hat left a hole in there, which is actually not even there anymore in their "latest" (as you put it) release. So "Bug in latest Linux gives untrusted users root access" actually reads "Hack in old RHEL gives users root access". And even so, coming from the guy who discovered that a person running programs as root can get root access (Shock! Horror!), I have my doubts.
From article: "or desktop environments such as Wine."
Wine is not a desktop environment, but a Windows emulator. It needs a Windows-compatible insecure memory layout. There are also some "ported" programs that use a bundled version of Wine underneath. True Linux programs (including Linux desktop environments like Gnome) don't care about the mmap_min_addr setting. So this is a case of getting insecurity for catering to Windows-originated software.
Security features do not happy end users make - as nicely demonstrated by AC@22:00, and the comments about redhat breaking the feature on purpose. End users are made happy by more features, which require more development effort, which requires lower barriers to entry.
If you're playing market catchup (as Linux is on the desktop) then this may mean loosening things up to make emulations, wrappers and crude ports work. I must presume that the sco binary wrappers that eased Linux server uptake 10 years ago had some similar requirements.
The other area for lowering barriers for entry is making things easier for developers. This was a major part of how Microsoft won PC/Mac round 1 in the 80s. I'd be surprised if this wasn't also part of the RHEL decision. Easier for developers means allowing them to be a bit sloppier, or making them jump through fewer hoops to achieve a goal that would be hugely painful to reach correctly (pulseaudio seems to fit into this bucket).
I think that the Linux kernel team have made some better tradeoffs in this regard than the Windows team, with de Raadt and company just refusing to play. It's a factor in the fight for desktop marketshare, and unfortunately it's not in Linux's favour.
@By Marvin the Martian Posted Tuesday 3rd November 2009 21:16 GMT
It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!
=========================
What's the formal name for this logical fallacy ? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct.
The quest to know what I'm talking about has been downsized to an epic scavenger hunt ... could you help me out ?
The Reg seems to be going overboard with its balance of views regarding Windows vs Linux this week.
This is good as it gives more cred to the good stuff.
Also good to note that it seems only RHEL due to the other Distro's correct implementation of the mmap_min_addr feature and that the bug has already been fixed in the latest upcoming 2.6.32 kernel.
I wonder how long it would have taken Apple or MSFT to fix something like this.
oooh, the one with the most enterprise grade solutions in FTSE organisations too...
egg....face...interaction.
As a side note... I thought LINUX was superior in every way, was completely secure and would *never* be victim of the same mistakes/bugs that befall Windows or OS X?
My linux is certainly 100% secure...I can't get the damned thing to run X, so a permanent "power off" state is in effect. Formatting with Win2k8 will be a lot less painful than a descent into CLI hell trying to get display drivers to work in LINUX.
"Theo de Raadt, the leader of the OpenBSD OS had this to say about Linux and Torvalds:"
Ah yes, OpenBSD, the project that gave us OpenSSH and its remotely-exploitable root exploit.
Of course bugs are discovered in software. But when that happened, you might have expected the openssh.com website to have a big red warning saying there was a critical problem and telling people to upgrade urgently. Did they? Nope. The announcement is buried in the smallprint at http://www.openssh.com/security.html in weasly negative-speak:
"OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32 compensation attack detector can lead to remote root access. This problem has been fixed in OpenSSH 2.3.0. However, versions prior to 2.3.0 are vulnerable."
He spends his free time looking for minor security holes in the Linux kernel does he? Either he's hoping some security firm will give him a job or he's already being paid by somebody to do it.
Whinging about developers not finding the bugs won't help his case much when many of those developers give their time for free and contribute much more than he does, by actually coding. His hobby, it appears, is floccinaucinihilipilification. Finding a couple of minor holes hardly justifies all the crowing he's doing. From the way he's gobbing off you'd think he'd single handedly fixed several major holes, where as all he's done is discovered a couple of minor ones.
Time, I think, that he got himself a sense of perspective - a little lesson of "world big, you tiny" is required.
"However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX."
Not the case. OSX is open source except for desktop cosmetics. One of my work colleagues put a Windows source CD on my desk, made available under Microsoft's "Shared Source" program. I haven't read it, because I don't want Microsoft suing me for copyright or patent infringement if I contribute anything they consider similar to an open source program. To sell Windows to government and security sensitive environments, MS wouldn't make these sales without disclosing source. So Windows users are not protected from code review because of Microsoft's inability to keep source code in house.
This gets worse, because black hats who have no intention of contributing to open source have access to Windows source code and white hats, who also technically have access, for reasons given above are unlikely to want to read it unless paid by employers with very large security budgets specifically to do so.
The world needs a new OS.
Not a new version of Windows, MacOS, Linux, Unix, OpenVMS, OS400, zOS, or anything else.
It needs a new OS built from the ground up to be fundamentally secure. Written from scratch, without worrying about end features and groovy interfaces. Start with the very basics and build it up. If everything at lower levels is secure, there's no reason everything added can't be secure
Why not? Expensive.
And I bet it still has bugs and holes!
What most of the people bouncing up and down and pointing "you're insecure" fingers at Linux fail to realise is the nature of this exploit.
It's a local root exploit: that is you have to be running code on the machine in order to take advantage of the problem.
How do you do that? Well, you persuade someone to download and run some malware on the machine. Good luck with that, it's not impossible but I'm sure you'll find some gullible idiot somewhere on the net. On the other hand, that gullible idiot is likely to fall for more overt trickery (eg don't use two-factor authentication, it's not secure because you don't need a password).
Server admins aren't in any particular hurry to patch local root exploits because the unwashed masses aren't allowed anywhere near the machine ....
You Linux fanboys make me laugh. Well, you would if you weren't so sad.
You forever moan about windows running in admin mode, yet when it comes to linux you write:
"Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."
You laugh whenever there is a windows exploit, yet when it comes to Linux, you write:
"Honestly folks, the fact that there's a bug in the Linux Kernel does not surprise me - *any* program big enough to be useful is big enough to have bugs."
This is why people in the real world don't take you seriously.
Anyway, is Linux still alive? I thought everyone moved to BSD a long time ago....
I love the LINUX fanboi's response to LINUX problems like this. Rational, reasonable, stating sensible facts, and mitigations thereof.
The very same people who scream like little girls about Microsoft doing anything similar, as if the greatest offence in the history of mankind had been commited and is completely unforgivable.
Software development is the one of the most complex tasks mankind has ever undertaken, there will always be vulnerabilities in code, stop being arses thinking your precious littel hobbyist operating systems are any different.
Blinkered, idiotic losers. You really are.
"What's the formal name for this logical fallacy ? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct."
I don't think it is any of the accepted "logical fallacies". I usually call it a "selection effect" (and wikipedia calls it a "selection bias"). I suppose it might be a "post hoc ergo propter hoc" thing, but it really ought to have a name, suitably dripping in ridicule, because it happens far too often IMHO. How about "placing your bet after the end of the race"?
Secure OS? Well, it would work with just a secure kernel, really, as long as modules like drivers run in a less-privileged layer and there are sufficient monitoring functions in said secure kernel.
Aussi boffins are already on the way to doing that:
http://www.theregister.co.uk/2009/08/17/secure_kernel/
"You forever moan about windows running in admin mode, yet when it comes to linux you write:
Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue.
The reason they say that is because of the extra difficulty to remotely exploit Linux when compared to Microsoft operating systems. See Metasploit.org for details.
"As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf"."
Ah yes, no problem. Obvious to anyone really. You just have to sparkelate your griblets and verify that the munxing mask has a value of 37. It goes without saying that you use the dhyef.fgrtty utility to fix it.
Sigh.
The bug itself is just one of those things that happens sometimes (and apparently less often with Linux than Windows) but the above quote is why Linux will never win against Windows in the home environment. In a server environment it's tolerable to have esoteric commands and config files and reasonable to expect administrators to know how to use them. Back in the real world where 90% of computers operate it isn't.
In fact I'd go further and say that that kind of thing is a potential Achilles heel for Linux. 'Security through obscurity' never was very effective but 'sbscure security configuration' is worse.
``On October 22, he wrote a proof of concept attack for the local root exploit.''
That's more than four months *after* the patch that fixed it (setting mmap_min_addr to non-zero) was committed to the kernel:
http://lkml.indiana.edu/hypermail/linux/kernel/0906.0/01475.html
The problem with so-called "Security Enhanced" Linux is that it re-enabled userland access to page zero (why? Who knows) while the mainline kernel explicitly denied mapping to anything below 0x1000. This raised NULL pointer dereference issues from a simple DoS to a privilege escalation issue. The same thing bit FreeBSD not so long ago and we now have a sysctl (security.bsd.map_at_zero, disabled on legacy releases but enabled by default on > 8.0-Beta) to disable userland mmap to page zero. Whether SELinux still allows zero page mapping or not I don't know.
Theo has quite a good analysis of this sort of problem here:
http://www.openbsd.org/papers/ven05-deraadt/index.html
As for being a local issue, this means local as in local user, which includes anyone with SSH access or using any exploit that allows executable code injection with local user credentials. Attackers do not need physical access, so the mantra "If someone has access to your box, it's not your box any more" does not apply here.
Not sure which camp you're in, if you're a windows user, I guess that the Windows Registry is clear and understandable to you.
The number of MS Technotes that start with something like "Open the registry editor, find key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun
and set to 0xFF or whatever bitmap disables autorun on the device in question according to the following table..." followed by the table with hex numbers in it for each of the devices windows can use.
This is a REAL example, and would be only be slightly less meaningful if it were written in Russian to someone like my wife. And have you tried to work out how some services and background tasks get started on Windows!
The crux of the matter is that complex operating systems require complex configuration. It's just that most people never see the Windows stuff, because it is hidden. When you need it, it is equally cryptic, regardless of the OS.
I'm sure that OSX and BSD have equally arcane incantations, but then so did RiscOS, OS/2 and probably NeXT and BeOS.
Of course, we could have all he configurations stored in XML (shudder), in which case it would be almost impossible to change any system configuration settings without the correct tool.
"It needs a new OS built from the ground up to be fundamentally secure. Written from scratch, without worrying about end features and groovy interfaces."
VMS?
A few of these exist. The problem is that the buyers (be it Joe Bloggs for his living room machine or James Greenbackz for his multi-billion dollar company) *demand* shiny interfaces and groovy stuff with touchy-feely user-friendliness all round (talking puppy! Yay!). And they don't give a shit about security.
The world doesn't need a new OS, the world needs new users (preferably leading-L-free).
Just tested the "sysctl vm.mmap_min_addr" command on my Linux Mint box (not as root mind you - I'm no hacker so didnt want to risk a reg forums comment to root!)
Anyway, ot the response "vm.mmap_min_addr = 65536", not 4096.
So I guess it's fine and that therfore presumably ubuntu 9.04 (on which Mint 7 is based) is also ok.
Looks like this is a lot of fuss about nothing.
Good to see the attention Linux is getting though!
Filippo: "A small issue. Noone is going to bother writing a virus that targets Linux anyway."
After all, noone would want to root paypal and divert lots of money to themselves.
Try some other big names like google or yahoo with something like: http://uptime.netcraft.com/up/graph?site=www.paypal.com
What camp am I in? The camp of a software developer and home user who just wants someone to pay him to write code and for stuff to work with minimal faffing around. At the moment Windows is achieving that for me on both counts :)
If computers were still a hobby to me I'd have Linux on my server and would spend all evening neck deep inside config files..but I grew out of that. I don't mean to be rude - just the way it is. I've been in the 'alternate OS camp' once - I was an OS/2 Warp fanatic back in the day. I just don't see the point in being different at the moment nor spending time configuring my system.
I would like to see Linux supplant Windows (I learnt computing on *IX and technically I much prefer the architecture). My complaint is simply that *IX peeps /don't get it/. Until/unless *IX becomes as easy to use as Windows it ain't going to win.
Then again the day *IX becomes that easy is likely the day when it becomes bloated with pointless crap and full of security holes from services sitting there waiting for the blue moon when someone needs them.
I don't think Windows is the way it is because MS employ idiots. I think it is the way it is because it's flexible, carries a lot of historical baggage and tries to save the user from complexity. Maybe you can be both secure and easy to use but sadly I have my doubts.
Badger paws because I'm turning into an old git and El Reg don't give us a Victor Meldrew icon :)
On my Linux boxen (Fedora 4-10) I'm seeing that mmap_min_addr is set to 64k by default ... the recommended fix for this security issue. I'll bet that every other distro besides RHEL (as noted in the article) also has mmap_min_addr set to something other than 0.
Methinks it's a slow news day, or else this researcher reallyreally wants people to take him seriously. The author could take a few minutes to do some actual research, as well. Torvalds was right ... this isn't a kernel problem, and it looks to be pretty much a non-issue, contrary to the alarmist headline.
And to you freaks who are taking this opportunity to slam Linux ... your ignorance is showing.
@Kronos
"The problem with so-called "Security Enhanced" Linux is that it re-enabled userland access to page zero (why? Who knows)"
The main reason seems to be to allow DOS and 16 bit Windows programs to run on Linux under WINE. These are ancient programs designed for a single user machine with no concept of security or memory management. (I'd be interested to see if these programs still run on 64 bit versions of Windows - my experience with them is that often they don't).
Actually, this largely describes the NT kernel. All kernel objects are security-aware, and access is controlled using appropriate ACLs (rather than an overly powerful superuser).
It was well engineered -- perhaps even over-engineered, and somewhat hard to use. This (in part) led to the rest of the operating system requiring you to run with escalated privileges (Administrator) to do anything useful, an unfortunate design decision which eventually gave birth to UAC to fix.
> Well Ubuntu 9.10 x64 is set to (...) 0
The problem lies with Wine packages for Ubuntu - they quietly install a new file in /etc/sysctl.d/ which overwrites Ubuntu's default setting (65536 - see another file in the same directory) with a zero... Why it has been done this way, especially given only Win16 applications require this, I've got no idea (being disturbingly familar with dpkg I know for a fact it would be trivial to have the installer ask whether you need to run Win16 applications, possibly explaining it's a potential risk) but it means everyone installing Wine vulnerable.
Solution: in /etc/sysctl.d, copy or move 10-process-security.conf (where the 64-kB limit is set) to something like 9999-process-security.conf. This will make sure that whatever other packages do to mmap_min_addr, the last value to be written there will be non-zero. Deleting files installed by Wine there would also work in the short run but they will likely be reinstalled when Wine is updated.
" Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."
@Loki 1: Pretty silly observation. You are right. It's not an issue until you host your website on a shared host (as most people do), and one of the other 100 users on that server decides he wants to root the box :) Because of this, there isn't much stopping him :)
That, and the fact the even the most innocuous web application vulnerability may lead to total compromise of the box, even though the web server runs on a low priv user (remember now we have a local root exploit :)) Haveing such a hole in your sistem is equivalent with running everything as root, and giving root access to every user/customer. It's something that asks for a deface.