Using Bleeding Edge Software can be Harmful
The title of this article might be considered something of a cliché, but there are companies that still insist on running the absolute latest software versions as critical elements of their business operations. A local Linux kernel root exploit was disclosed via a 0-day code release around Valentine's Day this year, gained attention from a number of sources, and was fixed fairly quickly by most of the major distributions. Individual users running the specific vulnerable kernel versions were likely to be in a position to integrate and compile the relatively simple fix themselves to ensure that they were protected against exploitation.
With the vulnerability only affecting a small range of kernel sub-versions that were yet to be incorporated in the most commonly used distributions, it was expected by many that there would be effectively no real-world problems where attackers would be able to exploit this issue.
As with many other assumptions, this particular one was wrong. A British business ISP, Claranet, suffered the embarrassment of having its main client hosting systems compromised by attackers utilising this particular exploit. To compromise the system the attackers would have needed local shell access, which could have come from an already-compromised account, or even from an account the attackers set up specifically to gain access with. Further anecdotal reporting suggests that Claranet was not the only firm affected by attacks based on this vulnerability, but overall the attacks were fairly limited in distribution.
Fortunately for Claranet's clients the attack was discovered quickly and the total disruption was less than 24 hours.
The reason this disclosure would not normally be much of a problem, despite the serious nature of the potential attack, is that kernels from the 2.6.23 family are generally too new to be running in a production environment. Administrators who have taken the time to set their systems up in accordance with generally accepted best practices would not rush into production a system based on a kernel that has not had the opportunity for in-depth testing and securing.
What it does show is that even a turnaround time of less than a week between public disclosure and patching (disclosure on 10 February, compromise by 12 February) is not going to be enough to protect critical business systems. This particular problem is exacerbated with vulnerabilities that have had public disclosure, just not the sort of high-profile public disclosure that makes end users and administrators aware that there is a problem. You might think that you are addressing known issues in a rapid manner, but it is the public problems that are known to others but not to you that are going to cause you the greatest trouble.
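The two bounds the article argues for, a kernel no older than the release carrying the current fixes and no newer than the line the organisation has actually tested, can be encoded as a simple inventory check. The following is an added example written for this page, not code from the original article or from any distribution; the policy values and the `uname -r` strings it checks are constructed for illustration and are not the affected range of any specific vulnerability.

```python
"""Kernel deployment policy check (added example; assumptions labelled below).

A running kernel is classified against two bounds:
  minimum_patched - the oldest upstream release known to carry the current fixes
  tested_max      - the newest kernel line the organisation has qualified
The sample policy values and host inventory are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Numeric prefix of a `uname -r` string, e.g. '2.6.23.14-107.fc8' -> 2.6.23.14.
# Distribution suffixes ('-107.fc8', '-8.el5', '-smp') are not compared.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_kernel_release(release: str) -> Tuple[int, ...]:
    """Return the numeric upstream version of a `uname -r` string as a tuple.

    Only the components present are returned, so '2.6.22' -> (2, 6, 22) and
    '2.6.22.18-foo' -> (2, 6, 22, 18). Raises ValueError on unparseable input.
    """
    match = _VERSION_RE.match(release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def check_kernel_policy(release: str, minimum_patched: str, tested_max: str) -> Tuple[str, str]:
    """Classify one kernel release against the policy.

    Returns (verdict, reason); verdict is 'ok', 'stale' or 'untested'.
    'tested_max' is treated as a line prefix: with tested_max='2.6.22' every
    2.6.22.x kernel is acceptable and 2.6.23 is flagged as untested.
    """
    running = parse_kernel_release(release)
    low = parse_kernel_release(minimum_patched)
    high = parse_kernel_release(tested_max)
    if running < low:
        return "stale", f"{release} is older than minimum patched release {minimum_patched}"
    if running[: len(high)] > high:
        return "untested", f"{release} is newer than the qualified line {tested_max}"
    return "ok", f"{release} is within the qualified, patched range"


def audit_inventory(
    inventory: List[Tuple[str, str]], minimum_patched: str, tested_max: str
) -> Dict[str, str]:
    """Map each (hostname, release) pair in the inventory to its verdict."""
    return {
        host: check_kernel_policy(release, minimum_patched, tested_max)[0]
        for host, release in inventory
    }


# Constructed sample policy and inventory (assumed values, not real hosts).
SAMPLE_MINIMUM_PATCHED = "2.6.18"
SAMPLE_TESTED_MAX = "2.6.22"
SAMPLE_INVENTORY = [
    ("web01", "2.6.18-8.el5"),          # distribution kernel inside the window
    ("web02", "2.6.22.18"),             # latest patch of the qualified line
    ("build01", "2.6.23.14-107.fc8"),   # newer than anything qualified
    ("legacy01", "2.6.16.27-0.9-smp"),  # predates the minimum patched release
]


if __name__ == "__main__":
    for host, verdict in audit_inventory(SAMPLE_INVENTORY, SAMPLE_MINIMUM_PATCHED, SAMPLE_TESTED_MAX).items():
        print(f"{host}: {verdict}")
```

Running the script prints one verdict per host; only the 'untested' and 'stale' results need attention, and the reason string from `check_kernel_policy` says which bound was crossed. The prefix comparison for `tested_max` is the deliberate design choice here: qualification is done per kernel line, so point releases within that line should pass while the next line should not.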
6 March 2008