A four-year zero-day vulnerability in the Linux kernel offers full control of tens of millions of Linux PCs and 66 percent of all Android devices, according to news reports.
Source: Perception Point
The CVE-2016-0728 flaw, introduced into the Linux kernel in version 3.8 of 2013, is caused by a leak in the OS keyring utility. This is responsible for retaining security data – authentication keys and encryption data in the kernel. By replacing a keyring object stored in memory, researchers have managed to exploit it to achieve complete root access.
On smartphones running Android KitKat and higher, the vulnerability can allow a malicious app to escape the security sandbox and gain control of underlying OS functions. It can also be exploited on devices and appliances running embedded versions of Linux.
And that is serious. Linux is used in the vast majority of systems used for Internet, mobile, embedded systems and the Internet of Things, and powers nearly all of the world’s supercomputers. Once an attacker is able to exploit this vulnerability, he can delete files, view private information, and install unwanted programs, including malware.
Existing security protections for many servers make exploits harder to implement, but there are still ways to bypass them.
“While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible,” said researchers at Perception Point.
A patch for the vulnerability “should already be in preparation for Linux distributions,” according to a statement published on Linux.com.