Kernel flaw makes Linux crash easily
Linux developers and vendors have released patches to correct the flaw
TechWorld.com - A flaw in the Linux kernel allows a 20-line C program to crash most distributions using the 2.4 and 2.6 kernels running on x86 and x86-64 architectures, according to security researchers.
The problem means that anyone with an ordinary user account on a Linux machine can crash the entire server, according to Oyvind Saether, who discovered the bug along with Stian Skjelstad. Administrator access isn't required.
"Using this exploit to crash Linux systems requires the (ab)user to have shell access or other means of uploading and running the program (like cgi-bin and FTP access)," Saether wrote in an advisory on Friday. "This exploit has been reportedly used to take down several lame free-shell providers' servers."
Linux developers released a kernel patch to coincide with the advisory, available on Kernel.org. Major Linux vendors have also begun releasing their own versions of the fix, including Red Hat Inc.'s Fedora Project and Gentoo Linux.
The most recent updates to the Linux kernel, to be available in Version 2.6.7, fix the problem, according to Linus Torvalds. The new version is expected to be available today.
The bug is in the way the kernel handles floating point exceptions, developers said. While it is serious, two factors limit the danger: It can be exploited only by someone with a valid user account, and it doesn't allow the attacker to gain control of the system.
As Linux continues to grow in popularity and gain market share, security researchers and potential attackers are increasing their scrutiny of the operating system's underlying code, and as a result, more problems are inevitably coming to light, say industry observers.
Microsoft Corp. has attempted to exploit this trend by presenting open-source vendors' security efforts in an unfavorable light. This effort has been assisted by research such as Forrester Research Inc.'s controversial "days of risk" study, which concluded that Linux vendors had on average taken longer than Microsoft to release patches -- a conclusion hotly disputed by Linux companies.
Recently, Linux vendors were forced to distribute patches for a critical flaw in CVS, a widely used program for collaborating on software development, that could have allowed a malicious user to gain unauthorized access to development code. The flaw, found by E-Matters GmbH, allows a user to exploit a "heap overflow" that could make it possible to execute arbitrary code on the CVS server, according to Stefan Esser, chief security and technology officer at E-Matters.
Following the discovery of this bug, researchers decided to have a closer look at the CVS source code and discovered at least six more flaws, including one thatcould allow an attacker to take control of CVS from the Internet. The new flaws were announced publicly last Wednesday, and several distributors have since released fixes.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Linux and Unix White Papers | Webcasts