New Zero-Day Flaw Hits Millions Of Linux Servers

Discussion in 'HardForum Tech News' started by HardOCP News, Jan 20, 2016.

  1. HardOCP News

    All you alternative OS types out there should read this. Android users should probably pay attention too. :(

    A new, previously undiscovered flaw that allows an attacker to escalate local user privileges to the highest "root" level is said to hit "tens of millions" of Linux PCs and servers. Because some of the code is shared, the zero-day flaw also affects more than two-thirds of all Android devices.
     
  2. drescherjm

    I just started installing the patched kernels.
     
  3. Tuxon86

    bu-bu-bu-but, Linux...
     
  4. heatlesssun

    All non-trivial software has bugs. Period. One can debate the number and severity between various systems but this is just CS 101.
     
  5. Devilpup

    Read somewhere that to exploit it, someone would need access to a local account on the machine, which means you probably already failed anyway. Also, if you go to the actual GitHub page with the POC there are a lot of comments from people who are saying the best they see on a desktop is a terminal but without any special privileges.

    But hey, something to cause panic makes a good headline right?
     
  6. jj14

    I'm sure all software has bugs. It's how fast the companies patch it that is the main issue.
     
  7. alxlwson

    But, I thought Linux didn't have security issues because open source and stuff?
     
  8. bisby

    No Linux user claims that, and if they do they are stupid. At best it's MORE secure because of "open source and stuff" and this is a perfect example of that. Someone found an issue, a fix was made and deployed.

    That's the definition of how open source works.

    Contrast that with Windows. If a security issue is found we don't know the exact code that causes the problem, so the best you can do is contact Microsoft with the issue (not with a patch/fix), and then wait for them to issue the fix. And then, you can never be sure that they issued a general fix that addressed the issue, or simply pulled a Volkswagen and "fixed" the issue by hiding from your testing.

    And if your distro is slow to patch things, you can patch it yourself. Admittedly this is a last resort thing, but it's better than the alternative. Do you think there are any reported bugs in Windows/OSX that are just ignored and never fixed? Do you have any way to resolve that yourself?

    tl;dr - Linux isn't just magically secure because open source, it's secure because people find flaws and resolve them.
     
  9. nilepez

    You and I know that, but sometimes it seems like certain *nix users (as well as OS X users) don't (or didn't).

    The first major attack that I remember was on *nix, in the mid 90s, which took down much of the backbone. Can't remember what the attack was, but it was an exploit that had been patched long before the attack.
     
  10. alxlwson

    Yes. I was sarcasming ;)
     
  11. Zarathustra[H]

    Exactly, and in the case of Linux, this is already patched by the time I read the article as opposed to waiting until next patch Tuesday (Microsoft) or next major OS release in 9 months (Apple)...

    The tricky part will be Android devices; as we know, OEMs and carriers are not exactly religious about providing updates on their phones...
     
  12. heatlesssun

    The first widespread virus attack I remember was in the late 80s I believe. It was Unix based; that's really all there was at the time, especially networked. Windows was pretty minor at the time. And yeah, that's one thing that often gets missed as well. One of the most devastating Windows attacks of all time, Code Red, had been patched months prior. Zero days are obviously really bad but the vast majority of malware leverages bugs and issues that have been fixed.
     
  13. B00nie

    Lol, most Android phone owners never get a single update to their phone. They're left on the dry.
     
  14. Zarathustra[H]

    Which is why the Windows 10 mandatory updates make sense...

    ...as long as those updates aren't abused by Microsoft to shove "features" people don't want down their throats...

    If I designed an OS, I would design it such that once a new security exploit was discovered, the network would only allow contact with the update server, until installed and resolved, preventing its further spread.
     
  15. heatlesssun

    Microsoft will release out-of-band patches from time to time. You are supposed to test these things. I guess this was an issue that was easy to fix, but it's not been fully tested if it was just discovered and fixed.
     
  16. Ur_Mom

    NAP, Network Access Protection, can do that. It's optional on your network, but it's Windows based (there is probably a *nix version), and if your AV is not up to date, or a patch is missing, you're only able to reach a specified area - updates, etc.

    Linux flaws are nothing new. They get patched very quickly.
     
  17. heatlesssun

    They do. But the bigger issue really is with deployment.
     
  18. amddragonpc

  19. Red Falcon

    This is true, but that's why we like GNU/Linux so much.
    GNU's Not Unix ;)
     
  20. Stoly

    tens of millions? :D:D
     
  21. drescherjm

    Lots of installed servers will be using older kernels. That is why the number is so low.
     
  22. Zarathustra[H]

    3.8 (where the problem was introduced) is pretty old now though.

    I can't speak to other distributions as I don't use them, but for Ubuntu let's assume that servers are running LTS releases.

    The next LTS release will be 16.04, Xenial Xerus in April, and will ship with the 4.4 Kernel

    The current LTS release is 14.04 Trusty Tahr, which shipped with 3.13, but has since been updated to 3.16 through the enablement stack.

    If we go all the way back to 12.04, the previous LTS (and oldest version still supported) it shipped with the 3.2 Kernel, but has since been updated to 3.13 through the enablement stack.

    In other words, you need to either be running a really old, unsupported distribution, or not be keeping up with your updates in order to have a pre 3.8 Kernel on your server...
     
  23. rat

    I got an update to this within minutes of seeing this headline. Nobody said Linux was immune... just that things get fixed FAST.

    Apple often waits months before patching serious zero days.
     
  24. drescherjm

    I was also thinking of all the ARM devices out there that have even older kernels. I know my router uses a 2.6 kernel and so does my cable modem.
     
  25. GaryJohnson

    That's the problem then isn't it? The software ought to be trivial.
     
  26. heatlesssun

    LOL! But indeed that is the problem. Complexity leads to errors.
     
  27. nilepez

    All programs should be hello world programs
     
  28. GaryJohnson

  29. heatlesssun

    Managing complexity is a key issue in all non-trivial systems. The more complexity a system can manage, the more it can do. But at some point you have to figure that the only way to build more complex systems is with AI. The programs will write themselves. And I guess that's when Skynet takes over.
     
  30. Vermillion

  31. Exavior

    "The flaw, said to date back to 2012" So only 4 years. Not bad
     
  32. Zarathustra[H]

    2.6 Kernel is unaffected.

    If you read the article, it says the issue was introduced with the 3.8 Kernel.
     
  33. lord_emperor

    Well...

    ... the same day the issue was published. So, that's pretty good I think.
     
  34. nilepez

    Of course if this affects servers, it'll probably take admins forever to apply it ;)