Ping of pwn: Malicious UDP packets may take over gear. A Linux kernel flaw that potentially allows miscreants to remotely control vulnerable servers, desktops, IoT gear, Android handhelds, and more, has been quietly patched.
The programming blunder – CVE-2016-10229 – opens up machines and gizmos to attacks via UDP network traffic. Any software receiving data using the system call recv() with the MSG_PEEK flag set on a vulnerable kernel opens up the box to potential hijacking. The hacker would have to craft packets to trigger a second checksum operation on the incoming information, which can lead to the execution of malicious code within the kernel, effectively as root, we’re warned.
Exploitation of this security shortcoming appears to be non-trivial, luckily. Programs from the Nginx web server and wget to the Mirai botnet code and various others set the MSG_PEEK flag on some connections, leaving the underlying machine open to attack if the kernel is vulnerable. The bug can also be potentially exploited to kick off a local privilege escalation. Kernel versions below 4.5, all the way down to 2.6, are possibly at risk.
The issue was discovered by Google’s Eric Dumazet, and quietly dealt with at the end of 2015 with a small fix applied to the open-source kernel. Linux distros, such as Ubuntu and Debian, were distributing fixed builds of the kernel by February this year. Red Hat told us its flavors of Linux were never affected.
“The code was never included in the kernel that Red Hat ships,” Red Hat spokesman John Terrill confirmed to The Reg.
Then this month, Google issued a bunch of security fixes for Android, which contained an update addressing CVE-2016-10229 in smartphones, tablets and other gear. NIST also put out an updated advisory this week, and that’s when people started taking notice. The warning explains: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.
Those Google Android updates can be applied to Nexus gadgets. Samsung and LG have also issued patches for their handsets.
So, in short, yes, there is a remote kernel-level code execution vulnerability in Linux, which sounds like the worst of the very worst, but it is pretty much patched by now – and it appears to be tricky to exploit. It was silently addressed in the kernel source over a year ago, and fixed in updates to machines earlier this year, but only now has it come to wider attention.
If you stick to a regular update cycle, you should be OK: your devices are cured after installation of the fix and a restart. Just pray for people who don’t want to, or who can’t, install kernel-level fixes and reboot their machines – maybe because the machines are neglected home routers, or phones that can’t help security tweaks, or maybe for some other reason.