back to article Linux remote root bug menace: Make sure your servers, PCs, gizmos, Android kit are patched

A Linux kernel flaw that potentially allows miscreants to remotely control vulnerable servers, desktops, IoT gear, Android handhelds, and more, has been quietly patched. The programming blunder – CVE-2016-10229 – exposes machines and gizmos to attacks via UDP network traffic: any software receiving data using the system call …

  1. Anonymous Coward
    Anonymous Coward

    The issue was discovered by Google's Eric Dumazet, and quietly dealt with at the end of 2015 with a small fix applied to the open-source kernel.

    .

    .

    Then this month, Google issued a bunch of security fixes for Android

    .

    .

    So, in short, yes, there is a remote kernel-level code execution vulnerability in Linux, which sounds like the worst of the very worst, but it is pretty much patched by now – and it appears to be tricky to exploit. It was silently addressed in the kernel source over a year ago, and fixed in updates to machines earlier this year, but only now has it come to wider attention.

    Oh, so Google are quite prepared to drop their noisy and swift approach to announcing bugs in other people's code when it affects their own product? It's taken them well over a year to include the fix in their own product, yet they're quite happy to start trash-talking about flaws in other people's products after 90 days regardless of the consequences to users (many of whom are also Google customers).

    What a bunch of duplicitous immature w*************.

    1. Orv Silver badge

      And of course the Android ecosystem being what it is, the only way for most people to get the fix will be to buy a new phone.

      1. zanto
        FAIL

        Do no evil...... my arse!

      2. alain williams Silver badge

        android ecosystem ...

        like my Samsung smart-phone - they stopped producing updates very quickly. I asked and was told that they had determined that ''the last update provided what their customers needed'' - translation ''we have sold it and can't be bothered to maintain it, we would rather that you bought a new one''.

        1. Anonymous Coward
          Anonymous Coward

          Re: android ecosystem ...

          The operators are worse. I know that there are updates available for my Samsung phone, but SFR chooses not to make them available, so the only way to get them would be a root&reflash with a "native" Samsung Android build.

        2. Marcel

          Re: android ecosystem ...

          It's a choice of the manufacturer. And therefor a choice of the consumer. You could buy a Fairphone and enjoy it a bit longer than these disposable Samsungs.

          https://www.fairphone.com/en/android-6-coming-to-fairphone-2/

      3. sisk

        Meh, any phone old enough to be effected and not getting updates anymore has worse and easier exploited bugs than this in the Android code.

      4. John Brown (no body) Silver badge

        "And of course the Android ecosystem being what it is, the only way for most people to get the fix will be to buy a new phone."

        I must admit to having been rather surprised by an update for my Sammy Galaxy S5 a little while ago. At least now I know why it happened and thumbs up to Sammy for pushing an update to what is probably a defunct model nowadays.

      5. Roland6 Silver badge

        And of course given the smartphone manufacturing and retail supply chain, that's most probably a newly released model sometime after Aug~Sep this year...

  2. a_yank_lurker

    Not Worried Now

    Using kernel 4.9.20 currently, just checked. Thanks for the warning!

    1. Anonymous Coward
      Anonymous Coward

      Re: Not Worried Now

      All my boxes here and my vps's are 4.9 or 4.10.

      My openwrt router on the other hand is 4.4. Great.

      Looks like I know what I'll be doing today. At least I have the option to compile a new kernel unlike practically every other router out there that may or may not be vulnerable.

      1. asdf

        Re: Not Worried Now

        >My openwrt router on the other hand is 4.4. Great.

        According to link below the stable LEDE image (reboot or whatever) has already been patched (since mid December last year). Not sure about OpenWRT 15.05 though. All the more reason to migrate over at least your internet facing router I suppose. Not to mention very nice to see how often opkg update; opkg list-upgradable | awk -F ' - ' '{print $1}' | xargs opkg upgrade actually gets security fixes for LEDE.

        https://forum.openwrt.org/viewtopic.php?id=70583

        1. This post has been deleted by its author

        2. asdf

          Re: Not Worried Now

          Took a downvote because I guess someone didn't get memo Openwrt is now basically dead and almost all the Openwrt devs moved over to LEDE (sounds almost like a cyanogenmod to LineageOS situation). Heard something about they perhaps merging again but currently all the development action is over at LEDE (4.4 kernel vs 3.18 for Openwrt, Openwrt last submitted patch was early February, etc).

          1. Chronos

            Re: Not Worried Now

            LEDE just updated the 4.4 kernel to 4.4.61 so any builds after today are definitely immune.

          2. Anonymous Coward
            Meh

            Re: Not Worried Now

            No, you simply got a down vote, because, well everyone does.

            I swear there is one lonely person that spends their entire day doing down votes. See how many posts have just one poor lonely down vote.

  3. Paul Crawford Silver badge

    DD-WRT?

    Seems no updated for DD-WRT for my TP-Link router since 2013 or so, so the big question* is this bug present in its kernel build?

    [*] - Yes, there are obviously much bigger questions out there. Some even with > 3 syllables in more than one location, but in the context of this forum and embedded stuff, this is big enough,

    1. asdf

      Re: DD-WRT?

      Have to go here (link below) to get the latest greatest DD-WRT (still on ancient kernel if I remember right). Since I don't use DD-WRT for anything internet facing probably won't bother to find out if this CVE is patched or even applicable and then update to one of these "bleeding" edge images.

      https://dd-wrt.com/site/support/other-downloads?path=betas%2F2017%2F

      1. bombastic bob Silver badge
        Unhappy

        Re: DD-WRT?

        with older wifi routers using 2.4 and 2.6 kernels, I have to wonder if they're affected...

        (well i suppose open source could be fixed and re-flashed...)

  4. Nolveys

    Openvpn and Bind

    I just did a quick grep through the current openvpn and bind sources, no mention of MSG_PEEK. Touch wood.

    I think those are the only Internet-facing udp consumers that I am currently using. I'll have to be more through later today.

    Damn bugs.

    1. asdf

      Re: Openvpn and Bind

      >only Internet-facing udp consumers

      Dnsmasq for dhcp from ISP? NTP?

  5. Anonymous Coward
    Anonymous Coward

    Oh well just one of many bugs my Huawei phone won't get updates for...

    1. Steve Davies 3 Silver badge

      but you made the decision

      To buy a device that like many similar ones is a dead end. No patches, no updates. Nada, zilch.

      It is a sad fact that the majority of phones sold won't get this and a thousand other patches.

      Perhaps when Google gets it act together and makes its own phones and hopefully follows Apple with at least 4 years of updates other makers will follow suit. IMHO, Android needs this badly.

  6. sitta_europea Silver badge

    "Linux distros, such as Ubuntu and Debian, were distributing fixed builds of the kernel by February this year. "

    s/this/last/;

  7. Peter X

    Red Hat

    So how did Red Hat manage to completely avoid this?

    1. Anonymous Coward
      Anonymous Coward

      Re: Red Hat

      Seems they did not avoid this entirely, at least not for RHEL 7.

      This was introduced in 7.2, kernel-3.10.0-327.el7

      https://github.com/torvalds/linux/commit/89c22d8c3b278212eef6a8cc66b570bc840a6f5a

      Patched in kernel-3.10.0-327.28.2.el7 with upstream patches discussed in this article.

      https://github.com/torvalds/linux/commit/197c949e7798fbf28cfadc69d9ca0c2abbf93191

  8. sisk

    So....all normal then?

    Just like every single time a Linux vulnerability makes the news (which seems to still be pretty much every single time a major Linux vulnerability is found) the patch to fix it is already available before the press can get their stories out. Except this time the patch is not only available but actually already applied to all but some edge cases. The biggest bunch of unpatched devices by far are going to be ancient phones that don't get security updates anymore and thus have more easily exploited bugs in place from Android code. The next biggest batch is going to be the mostly neglected personal servers sitting under nerds' desks the world over that the owners never think about because they just sit there doing their jobs, but now that the story's out those won't remain mostly neglected for long. (Speaking of which, I need to go look up how to use the package manager in Alpine again I guess since I seem to have forgotten in the year and a half or so since I last logged onto that box.)

    So....yeah. No need to worry here.

    1. DanDanDan

      Re: So....all normal then?

      Um... You neglected to mention all those routers that are running some version of embedded linux! That's a far bigger target, a far more important vulnerability, and a far more serious issue than some nerds' home DNS server.

  9. Anonymous Coward
    Anonymous Coward

    Don't worry!

    My iPhone is fine.

    1. asdf

      Re: Don't worry!

      >https://www.theregister.co.uk/2017/04/05/broadcom_wifi_chip_bugs/

      For today but not like it doesn't need its patches as well. Still nice to get the patch directly from the manufacturer like clock work telecom and everyone else be damned.

    2. Anonymous Coward
      Anonymous Coward

      Re: Don't worry!

      You should worry, for quite a while, your iPhone was wide open vulnerable to something way easier to exploit that this,. But because it was Apple, and everyone in the press is keen to carry on getting free stuff (at your expense, inflated RRP), nobody really talked about it..

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like