Linux kernel: New exploit provides root rights

Even security experts are unsure whether the vulnerability has been fixed in the latest kernel versions. There is also a dispute about the authorship.

Stylized image: a laptop displaying a burning penguin

A security vulnerability in Linux puts systems at risk.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

A newly discovered vulnerability in the Linux kernel allows attackers who already have access to a system to escalate their privileges and take it over completely. Working test exploits for the kernels of current Linux distributions already exist; the vulnerability is still unpatched.

Reports of a new kernel vulnerability allowing local privilege escalation (LPE) had been circulating on social networks for days, but no real public discussion developed. Only after the heise Security editorial team asked on the oss-security mailing list did confirmation arrive late on Thursday evening: it is probably a zero-day, i.e. a vulnerability that is unfixed in all kernel versions.

The discoverer of the bug (more on the authorship below) exploits a race condition in the gsm_dlci_config function within the kernel's GSM subsystem, which, with some effort, yields a root shell. Preconditions: the kernel's GSM functionality and support for Xen virtualization must be enabled, and the attacker must already hold a user account on the target system, for example after injecting code into a web server.
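Since the article names an enabled GSM subsystem as a precondition, the natural defensive question is whether a given host exposes it at all. The following POSIX shell script is an added example, not part of the heise article or of any kernel project; it assumes that the GSM subsystem referred to is the kernel's n_gsm line-discipline driver (CONFIG_N_GSM), that an unprivileged process can trigger its autoload as a module, and that an `install n_gsm /bin/false` rule in modprobe.d is the way to block that autoload. It classifies constructed sample inputs and, with `--live`, the running host.

```shell
#!/bin/sh
# Added example: classify a host's exposure to the n_gsm line discipline.
# Assumptions (not stated in the article): CONFIG_N_GSM controls the GSM
# subsystem, and an "install n_gsm /bin/false" rule blocks module autoload.

# n_gsm_config_state <kernel-config-text>  ->  builtin | module | disabled
n_gsm_config_state() {
    case "$1" in
        *CONFIG_N_GSM=y*) echo builtin ;;
        *CONFIG_N_GSM=m*) echo module ;;
        *)                echo disabled ;;
    esac
}

# n_gsm_blocked <modprobe.d-text>  ->  exit 0 if an install rule for n_gsm exists.
# Deliberately conservative: a bare "blacklist n_gsm" is not counted, because it
# only affects alias-based loading, while an install rule overrides every load.
n_gsm_blocked() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+n_gsm[[:space:]]'
}

# n_gsm_exposure <config-text> <modprobe.d-text> <lsmod-text>
#   ->  exposed | mitigated | not-applicable
n_gsm_exposure() {
    state=$(n_gsm_config_state "$1")
    case "$state" in
        disabled) echo not-applicable ;;
        builtin)  echo exposed ;;              # built in: modprobe rules cannot help
        module)
            if printf '%s\n' "$3" | grep -q '^n_gsm[[:space:]]'; then
                echo exposed                   # already loaded; install rule is too late
            elif n_gsm_blocked "$2"; then
                echo mitigated
            else
                echo exposed
            fi ;;
    esac
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONFIG='CONFIG_N_GSM=m
CONFIG_XEN=y'
SAMPLE_MODPROBE='# /etc/modprobe.d/n_gsm.conf
install n_gsm /bin/false'
SAMPLE_LSMOD='Module                  Size  Used by
xen_blkfront           49152  2'

if [ "${1:-}" = "--live" ]; then
    cfg=$(zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)" 2>/dev/null)
    n_gsm_exposure "$cfg" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" "$(lsmod 2>/dev/null)"
else
    n_gsm_exposure "$SAMPLE_CONFIG" "$SAMPLE_MODPROBE" "$SAMPLE_LSMOD"   # mitigated
fi
```

Run with `--live` as root to inspect the current host; "mitigated" only means autoload is blocked, it says nothing about whether the kernel itself carries a fix.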

The exploit runs smoothly on a VM with the current Debian 12 and gives the attacker root rights.

(Image: Screenshot / heise security)

The editors were able to exploit the vulnerability on virtual machines with a standard installation of Debian 12 "Bookworm" and Ubuntu 23.10; according to a reader report, Ubuntu 22.04 (with HWE kernel) and Fedora are also vulnerable. The exploit developers ship a utility program that helps those willing to experiment adapt the exploit to their own operating system environment and kernel version.

The kernel developers responded on Wednesday evening with a brief discussion on their mailing list and a patch, which appears to be ineffective: a security researcher on the oss-security list reported having successfully run the exploit again against the latest kernel. It therefore remains to be seen whether and when the vulnerability will be effectively fixed.

The discovery of the vulnerability is disputed as well. A security researcher uploaded a "proof of concept" to GitHub three weeks ago, but the alleged original discoverer claims that it was published without his permission; he has also developed a second variant of the exploit. The two detailed write-ups about the bug, published by the competing developers, resemble each other as closely as the source code of the two PoCs does.

Regardless of who discovered the bug, many administrators of multi-user Linux systems are likely to go into the weekend with an uneasy feeling. Experience shows that it takes some time for a security patch to make its way from the kernel sources into the major Linux distributions. Exploitable privilege escalation bugs in the kernel or in the central glibc library have occurred in the recent past, but are rare overall.

(cku)