Researchers have identified a new vulnerability in the Linux kernel which could enable an attacker to take complete control of a vulnerable system. The flaw is in all versions of the 2.4 and 2.6 Linux kernels. The Linux kernel vulnerability is a NULL pointer dereference vulnerability that derives from the kernel’s failure to validate a function pointer before dereferencing it. The flaw, discovered by two members of the Google security team, has been fixed by a patch for the Linux kernel that was made available Thursday.
In an advisory posted to the Full Disclosure mailing list, Tavis Ormandy of Google described the details of the vulnerability.
In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.
If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the “accept” operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.
This is the second such flaw found in the Linux kernel in the last month. In July another researcher found a flaw in the Linux 2.6 kernel that enabled him to bypass the security protections in the kernel and even defeat the security enhancements in SELinux.
In his advisory, Ormandy laid out some mitigations for the flaw that he and Julien Tinnes discovered.
“Recent kernels with mmap_min_addr support may prevent exploitation if the sysctl vm.mmap_min_addr is set above zero. However, administrators should be aware that LSM based mandatory access control systems, such as SELinux, may alter this functionality. It should also be noted that all kernels up to 2.6.30.2 are vulnerable to published attacks against mmap_min_addr,” he wrote.
