Recently, a critical zero day vulnerability in a Linux kernel module was publicized. If successfully exploited on a Linux device, this vulnerability would allow an attacker to potentially execute arbitrary code with escalated privileges.
Devices running Linux kernel 3.8 or higher are potentially vulnerable to this bug, meaning millions of Linux devices and around two thirds of all Android devices are potentially affected. Relevant IoT devices could be vulnerable as well. At time of writing, there have been no publicized observations of exploits against this vulnerability in the wild. Given the sheer number of possible devices vulnerable, we advised all of our customers to review their systems for the vulnerability and mitigate with the appropriate steps detailed below.
The vulnerability, CVE-2016-0728, resides in the Linux kernel’s key retention service provided by a module that allows a process to store security information. Specifically, the bug can be exploited by a process making repeated calls to the keyctl system call where vulnerable code does not check for an integer overflow. If the counter is reset to zero, the kernel will then free the keyring object in memory where an attacker could then attempt an use-after-free attack.
When a process makes a keyctl call with a session key already in use, the Linux kernel will then increment a reference count (available to view in /proc/keys). This counter is a 32-bit integer, even on 64 bit systems. When the counter overflows, effectively returning to zero, the kernel will free the object and a malicious program may insert a crafted object running under escalated privileges.
In order to exploit this vulnerability, an attacker would need the ability to make keyctl calls on the target host. The attacker would also need to make 2^32-1 calls to keyctyl in order to reset the counter, then free the kernel object where the attacker could then leverage function pointers in the struct key_type object for remote code execution under escalated privileges. The researchers at Perception Point, who revealed this vulnerability, noted this exploit took some 30 minutes to run on an Intel Core i7-5500 CPU.
Click here for a more detailed technical description of this kernel service.
We recommend a careful review of all Linux based devices on your network that are using kernel version 3.8 or higher, specifically with “enable access key retention support” enabled. Wherever possible, vulnerable kernels should be patched immediately. Multiple versions of various Linux distributions, to include Red Hat Enterprise Linux 7, CentOS Linux 7, and Debian Linux 8.x and 9.x, are potentially vulnerable. Here’s a guide on which distributions have readied a patch and how to install.