A new “exploit” has been revealed for Linux systems running kernel 2.6.30 and 2.6.30.1. I put that in quotes for several reasons. First, those versions of the kernel haven’t been rolled out to the stable releases of any major Linux distribution. So systems running the latest kernel from their distribution aren’t at risk. Second, the proof-of-concept exploit code that’s been released doesn’t work remotely. So you need to have physical access to the system. And as anyone with any security experience will tell you, physical access trumps almost all other issues when it comes to attacking a system.
Finally, this attack isn’t really a kernel vulnerability, in the normal sense of the word. The compiler helpfully optimizes away a specific null pointer check, which leads to an exploitable situation. Linux’s benevolent dictator, Linus Torvalds, doesn’t think this is a valid kernel exploit:
He’s running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?
I have to agree with Torvalds on this one: with a setuid binary like that it’s not very surprising that privilege escalation can occur. It requires a lot of hoop-jumping to pull this specific exploit off, too. The cost of the attack probably doesn’t match the benefits from a successful compromise in most situations.
Somewhat ironically, this exploit is opened if you’ve enabled SELinux, the enhanced security component of modern Linux distributions. I haven’t taken the time to learn how to write SELinux policies correctly, so I always disable it when I install a Red Hat Enterprise Linux system. The vulnerability is also opened if you’re using PulseAudio, which Ubuntu is using these days.
Via El Reg.