A new zero-day vulnerability has been identified in the Linux kernel that could allow a local attacker to obtain full root access by running a malicious program on the affected device. According to the report, up to 66% of Android users, and tens of millions of Linux devices (if not hundreds of millions), are vulnerable.
The vulnerability (CVE-2016-0728) was discovered by a cyber-security startup called Perception Point. They report that it has existed since 2012 and has now been disclosed to the kernel security team, and that they are not aware of anyone currently exploiting it. The Perception Point research team commented:
While neither we nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.
Although Red Hat, SUSE and the upstream kernel security team have already started to deploy patches, the main concern is Android itself: there is no information yet as to when a fix will be rolled out there.
The vulnerability affects Android versions from KitKat (4.4) upward, which according to the latest platform figures (4 January 2016) means around 69.4% of all Android devices are vulnerable.
With many Android users running older versions on end-of-life devices, the chance of them ever receiving a patch is limited.
How does the Exploit Work?
For a detailed walkthrough of the vulnerability, we recommend reading Perception Point's article.
In summary, though, we have tried to break it down in the simplest terms possible:
- To exploit the bug an attacker needs to run code on the machine, either directly or through an earlier infection or piece of malware. No special privileges are needed beyond that: the affected system call is available to any unprivileged process.
- The bug is in the kernel's keyring facility, which manages keyrings (containers for credentials and other secrets). When a process asks the kernel to replace its session keyring with the very keyring it already has, the kernel takes a reference to that keyring but, on this one code path, never releases it. Every such call therefore leaks one reference.
- The reference count is a 32-bit integer. After roughly four billion such calls it wraps around, so the next legitimate release drives it to zero and the kernel frees the keyring while the process still holds references to it (a use-after-free).
- The attacker then fills the freed memory with data of their choosing and makes the kernel act on it, gaining code execution in kernel context and, with it, root.
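To make the leak-and-wrap mechanics concrete, here is an added example (not from the original article and not Perception Point's exploit): a user-space C model of the reference leak. A keyring lookup hands back a reference, the "join the keyring I already have" path forgets to drop it, and the count eventually wraps so that the next legitimate release frees an object the kernel still points to. The names struct key, key_get, key_put, find_keyring_by_name and join_session_keyring are borrowed from the kernel for readability, but the registry and cred structures are simplifications, and REF_BITS shrinks the counter from the kernel's 32 bits to 16 so the wrap is reached after 65,535 calls rather than about 4.3 billion.

```c
/* User-space model of the CVE-2016-0728 reference leak: an added illustration,
 * not kernel code and not Perception Point's exploit.  The kernel's struct key
 * has a 32-bit usage count; REF_BITS shrinks it so the wrap is reached after
 * thousands of calls instead of billions.  Nothing is really freed: the "freed"
 * flag records what the kernel's key_put() would do, so the program stays well defined. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REF_BITS 16u                          /* the kernel uses 32 */
#define REF_MASK ((uint32_t)((1ULL << REF_BITS) - 1))

struct key {
    uint32_t usage;     /* reference count, wraps modulo 2^REF_BITS */
    bool     freed;     /* set when a put drops usage to zero */
    char     name[16];
};
struct cred { struct key *session_keyring; };   /* the cred owns one reference */

/* Stands in for the kernel's list of named keyrings; it owns one reference each. */
static struct key registry[4];
static unsigned   nr_keys;

static void key_get(struct key *k) { k->usage = (k->usage + 1u) & REF_MASK; }
static void key_put(struct key *k)
{
    k->usage = (k->usage - 1u) & REF_MASK;
    if (k->usage == 0) k->freed = true;     /* kernel: hand the key to the garbage collector */
}

/* Like the kernel's, returns the keyring with a reference taken for the caller. */
static struct key *find_keyring_by_name(const char *name)
{
    for (unsigned i = 0; i < nr_keys; i++)
        if (strcmp(registry[i].name, name) == 0) {
            key_get(&registry[i]);
            return &registry[i];
        }
    return NULL;
}

static struct key *create_keyring(const char *name)
{
    struct key *k = &registry[nr_keys++];
    *k = (struct key){ .usage = 1 };        /* the registry's reference */
    snprintf(k->name, sizeof k->name, "%s", name);
    key_get(k);                             /* plus the one handed to the caller */
    return k;
}

/* Model of join_session_keyring(); fixed == true releases the lookup's reference on the
 * "already our session keyring" path, as the patch does, otherwise it is leaked. */
static void join_session_keyring(struct cred *cred, const char *name, bool fixed)
{
    struct key *keyring = find_keyring_by_name(name);
    if (keyring == NULL) {
        keyring = create_keyring(name);
    } else if (keyring == cred->session_keyring) {
        if (fixed)
            key_put(keyring);
        return;
    }
    if (cred->session_keyring)              /* old session keyring loses the cred's ref */
        key_put(cred->session_keyring);
    cred->session_keyring = keyring;
}

/* Leaking calls needed to drive a count from usage0 to exactly 1 modulo 2^bits. */
static uint64_t leaks_to_reach_one(unsigned bits, uint32_t usage0)
{
    uint64_t mod = 1ULL << bits;
    return (mod + 1 - usage0) % mod;
}

struct demo_result { uint32_t usage_before_switch; bool freed_while_referenced; };

static struct demo_result run_demo(bool fixed)
{
    struct cred cred = { NULL };
    struct demo_result r;
    nr_keys = 0;
    join_session_keyring(&cred, "target", fixed);   /* usage: registry + cred = 2 */
    struct key *target = cred.session_keyring;
    uint64_t n = leaks_to_reach_one(REF_BITS, target->usage);
    for (uint64_t i = 0; i < n; i++)
        join_session_keyring(&cred, "target", fixed); /* same name: the buggy path */
    r.usage_before_switch = target->usage;
    join_session_keyring(&cred, "other", fixed);     /* a legitimate switch drops one ref */
    /* The registry still hands out the pointer; a freed flag here means use-after-free. */
    r.freed_while_referenced = target->freed && find_keyring_by_name("target") == target;
    return r;
}

int main(void)
{
    struct demo_result bug = run_demo(false), ok = run_demo(true);
    printf("unpatched: usage %u after the leak loop, freed while referenced: %s\n",
           bug.usage_before_switch, bug.freed_while_referenced ? "yes" : "no");
    printf("patched:   usage %u after the leak loop, freed while referenced: %s\n",
           ok.usage_before_switch, ok.freed_while_referenced ? "yes" : "no");
    printf("real kernel (32-bit count starting at 2): %llu leaking calls\n",
           (unsigned long long)leaks_to_reach_one(32, 2));
    return 0;
}
```

Build with cc -std=c99 -Wall and run it. In the unpatched model the count reads 1 after the leak loop even though two legitimate owners remain, so the switch to another keyring frees the object and the registry still hands out a pointer to it; with the fix each lookup's reference is paired with a release, so the count never moves. leaks_to_reach_one(32, 2) gives the roughly 4.3 billion calls a real 32-bit count needs, which is why the attack takes time but no privileges.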
How to Patch the Linux Kernel Vulnerability (CVE-2016-0728)
Debian or Ubuntu Linux:
sudo apt-get update && sudo apt-get upgrade
(On Ubuntu a new kernel version normally arrives as a new package, which apt-get upgrade holds back; if the kernel is not updated, run sudo apt-get dist-upgrade instead.)
RHEL / CentOS Linux:
sudo yum update
In both cases the fix ships in a new kernel package, so reboot into the new kernel afterwards; until then the running kernel is still the vulnerable one. Confirm the switch with uname -r after the reboot.