Google’s Project Zero has disclosed a serious Linux kernel vulnerability, tracked as CVE-2018-17182. The bug was introduced in kernel 3.16, released in August 2014, and is present in every version up to and including 4.18.8. Project Zero is a team of security researchers employed by Google and tasked with finding zero-day vulnerabilities.
The vulnerability is a use-after-free (UAF) bug in the kernel’s memory management subsystem: a per-thread cache of recently used memory mappings (the vmacache) is not invalidated correctly, so a thread can keep using a pointer to a mapping that has already been freed. UAF vulnerabilities are a class of memory corruption bug. A local, unprivileged attacker who triggers this one can crash the system, alter or corrupt data, and escalate to root.
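To make the invalidation failure concrete, here is a small C model of the mechanism, added for this article; it is neither the kernel’s code nor Horn’s proof of concept. It follows the design of the kernel’s vmacache: each thread caches pointers to mappings together with the 32-bit sequence number of the address space at the time the cache was filled, the address space bumps the number on every mapping change, and the cache is trusted only while the two numbers match. When the counter wraps, every thread’s cache must be flushed, because an entry filled at sequence number N looks fresh again the next time the counter reaches N. The model lets you switch that flush off and watch a freed mapping come back out of the cache. All names here (struct mm, struct thread_cache, stale_entry_survives) are my own, and the mapping is flagged as freed rather than actually freed so the demonstration has no undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SLOTS 4

/* A mapping object. In the kernel this is a heap-allocated vm_area_struct
 * that is freed on munmap(); here it is static and only flagged as freed. */
struct vma {
    uintptr_t start, end;
    bool freed;
};

struct mm {                 /* one address space (toy: tracks a single mapping) */
    uint32_t seqnum;        /* bumped on every change to the mapping set */
    struct vma *mapping;
};

struct thread_cache {       /* per-thread lookup cache */
    uint32_t seqnum;        /* mm->seqnum at the time the cache was filled */
    struct vma *slots[CACHE_SLOTS];
};

static void cache_flush(struct thread_cache *tc) {
    memset(tc->slots, 0, sizeof tc->slots);
}

/* The cache is trusted only while its seqnum matches the address space's. */
static bool cache_valid(const struct mm *mm, struct thread_cache *tc) {
    if (tc->seqnum != mm->seqnum) {
        tc->seqnum = mm->seqnum;
        cache_flush(tc);
        return false;
    }
    return true;
}

static struct vma *lookup(struct mm *mm, struct thread_cache *tc, uintptr_t addr) {
    if (cache_valid(mm, tc)) {
        for (int i = 0; i < CACHE_SLOTS; i++) {
            struct vma *v = tc->slots[i];
            if (v && v->start <= addr && addr < v->end)
                return v;            /* cache hit: the pointer is not re-checked */
        }
    }
    /* Slow path: consult the authoritative mapping set and fill the cache. */
    struct vma *v = mm->mapping;
    if (v && !v->freed && v->start <= addr && addr < v->end) {
        tc->slots[(addr >> 12) % CACHE_SLOTS] = v;
        return v;
    }
    return NULL;
}

/* Called on every mapping change. On wrap-around of the 32-bit counter every
 * thread's cache must be flushed (the kernel's vmacache_flush_all()); the
 * flush_on_wrap flag models that flush being skipped. */
static void invalidate(struct mm *mm, struct thread_cache *tc, bool flush_on_wrap) {
    mm->seqnum++;
    if (mm->seqnum == 0 && flush_on_wrap)
        cache_flush(tc);
}

static void unmap(struct mm *mm, struct thread_cache *tc, bool flush_on_wrap) {
    mm->mapping->freed = true;       /* kernel: the vm_area_struct is kfree()d */
    mm->mapping = NULL;
    invalidate(mm, tc, flush_on_wrap);
}

/* Returns true if a lookup hands back a freed mapping, i.e. a use-after-free. */
bool stale_entry_survives(bool flush_on_wrap) {
    struct vma region = { .start = 0x10000, .end = 0x20000, .freed = false };
    struct mm mm = { .seqnum = 0, .mapping = &region };
    struct thread_cache tc = { .seqnum = 0 };
    cache_flush(&tc);

    lookup(&mm, &tc, 0x10100);           /* fill this thread's cache at seqnum 0 */
    unmap(&mm, &tc, flush_on_wrap);      /* free the mapping; seqnum becomes 1 */

    /* Shortcut for the demonstration: the real exploit performs on the order of
     * 2^32 map/unmap calls to drive the counter all the way round, which is why
     * the proof of concept takes about an hour to run. */
    mm.seqnum = UINT32_MAX;
    invalidate(&mm, &tc, flush_on_wrap); /* counter wraps back to 0 */

    struct vma *v = lookup(&mm, &tc, 0x10100);
    return v != NULL && v->freed;
}

int main(void) {
    printf("flush on wrap:    freed mapping returned = %d\n", stale_entry_survives(true));
    printf("no flush on wrap: freed mapping returned = %d\n", stale_entry_survives(false));
    return 0;
}
```

With the flush in place the second lookup misses the cache and finds nothing, because the authoritative mapping set no longer contains the region. Without it, the thread’s cached sequence number compares equal to the wrapped counter, the stale slot is trusted, and the freed mapping is returned to the caller. In the kernel that pointer is a freed vm_area_struct, which an attacker can reallocate with controlled data before it is used.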
Jann Horn, the Project Zero researcher who found the vulnerability, has published his proof-of-concept exploit and says it “takes about an hour to run before popping a root shell”. Linux kernel maintainers responded rapidly, merging a fix within two days of the report. That speed has put the distributions under scrutiny: Debian and Ubuntu took over a week to ship updates for the issue.
Two Ubuntu releases, 16.04 and 18.04, were still unpatched as of Wednesday 26 September. Ubuntu has responded to the criticism by announcing that its patches will likely be ready around 1 October.
Horn warns that although the vulnerability has been fixed upstream, attackers can still exploit it on systems that have not yet received the fix, a particular concern because Linux distributions do not publish kernel updates on a regular schedule. The case highlights the importance of a hardened kernel configuration and of applying kernel updates promptly, and it is something users should remain vigilant about.
This is the latest in a string of notable findings by Jann Horn, who was also one of the researchers who discovered the Meltdown and Spectre vulnerabilities affecting modern CPUs.