Linux kernel vulnerability behind Debian attack

IDG News Service - A serious vulnerability in the Linux 2.4 kernel that allows users on a Linux machine to gain unlimited access privileges has been discovered, according to a security advisory posted by developers of the noncommercial Debian Linux distribution.
The bug affects versions of the Linux kernel prior to Version 2.4.23, and it was used during a recent attack on Debian's servers, according to the advisory. In that attack, four Linux servers that hosted Debian's bug-tracking system, mailing lists and various Web pages were compromised (see story).
The vulnerability can be exploited only by someone who has already been given a user account on the Linux machine, and it doesn't affect users of every Linux system, said Linux creator Linus Torvalds in an e-mail interview. "It's a local-only compromise that you can't trigger from the outside," he said. "To most people, it would thus become serious only after you had some account hacked into -- the bug then allows elevation of privileges."
The bug doesn't affect Debian users only, however. Any Linux user running a version of the kernel prior to 2.4.23 should contact the distribution provider to see whether a patch for the exploit has been made available, Torvalds said.
The problem was discovered by Linux kernel developer Andrew Morton in September and was fixed in Version 2.4.23 of the kernel, but Linux distributors had been working to coordinate a release of a fix for the problem, said Dave Wreski, CEO of Guardian Digital Inc., the vendor of a secure Linux distribution.
"What all the hoopla is about is that Debian somehow let this patch that's been available for a month or two slip and got bitten by it," Wreski said.
As of yesterday, patches that corrected the kernel bug had been issued for a number of Linux distributions, including Red Hat, Debian and Mandrake Linux.