Fix for critical zero-day Linux vulnerability available; patch immediately

Good news for Linux system administrators. Data security training experts have announced the release of a security patch that fixes an operating system kernel vulnerability disclosed publicly at the latest edition of the Pwn2Own ethical hacking contest. Exploiting this vulnerability would have allowed threat actors to escalate privileges to root on Ubuntu Desktop.

The researchers who submitted this finding were rewarded with $270k USD. In addition to reporting this flaw in Ubuntu Desktop, experts presented examples of possible attack scenarios on Windows, Safari, Oracle VirtualBox, and Adobe Reader systems.

Regarding this flaw, data security training specialists submitted an exploit to escalate local privileges on the affected system. Researchers demonstrated that they were able to abuse an incorrect input validation error in the Linux kernel to escalate privileges to the root user level.

“To be more specific, this flaw is due to the management of eBPF programs; the vulnerability exists due to inadequate validation in eBPF programs provided by users before being executed. A threat actor could exploit the flaw to scale privileges and execute code in the context of the core,” said Manfred Paul, one of the investigators in charge of the report.

The flaw is tracked as CVE-2020-8835 and is considered high severity under the Common Vulnerability Scoring System (CVSS). After receiving the report, kernel developers began working to correct the flaw, and the corresponding updates have now been released, data security training specialists said. Administrators of potentially exposed systems are advised to update as soon as possible.

According to the International Institute of Cyber Security (IICS), Linux 5, 6, 7 and 8 systems are not affected by this flaw, since the kernel version included in these versions does not support the confirmation that this condition generates. Other distributions, such as Fedora, could also be affected, so developers should pay attention to potential exploit attempts. Finally, the researchers noted that exploiting this flaw could also lead to a kernel crash, triggering a denial of service (DoS) condition. Additional technical details about the vulnerability are available on developer platforms.