Serious Linux Kernel security hole


Linux has security problems like any other operating system. Most of them aren't that big a deal, though. Many of the more serious ones require local user access to cause any real trouble and, except for Linux desktop users, that's not a real concern. The latest Linux security problem, in Reliable Datagram Sockets (RDS), is a real problem though.

RDS is an Oracle creation. It's used for sending multiple messages from a single network socket to multiple end-points. The point of RDS is that you can use it to keep inter-process communication (IPC) going without timeouts when a system is running under very heavy loads. Thus, you're most likely to be using RDS if you're running a mission-critical DBMS server or a Linux, Apache, MySQL, PHP/Python/Perl (LAMP) stack application.

VSR Security, the company that found the security hole, reports that Linux kernels from 2.6.30, the first to include RDS, onward could be attacked by almost any user in a way that would let them become the super-user, aka root. In short, someone coming in over an Internet connection could, in theory, take over a Linux server. This is Not good.

The core problem was that the "kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, [thus] a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root."

I don't know if it will do that, but I was able to use the exploit code to knock out a SUSE Linux server in my lab remotely. Let me repeat myself: Not good. Others have reported that they've been able to use the exploit code to open up a root shell on Ubuntu 10.04.

For the problem to hit your system you have to have RDS on. Specifically, you have to have the CONFIG_RDS kernel configuration option set. That's usually an option in most distributions rather than a default. Of course, if you really need RDS, you're probably running it on a mission-critical DBMS or Web server. That's the last place you want an attack to land. The other necessary condition for an attacker to get at your server is for there to be no restrictions on unprivileged users loading packet family modules. That, I regret to say, is the default on many distributions.

Fortunately, unlike some other operating systems I could name, security holes tend to get fixed really quickly in Linux. Linus Torvalds has already issued a fix. You can either compile a new kernel with this fix, which few people do these days, or wait for your upstream Linux distributor to issue the fix.

In the meantime, I recommend that if you're running a Linux server and RDS is available on it, you log in as root and run the following command:

echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

Your server may run slower until the final fix is in, but in the meantime you'll be safe and that's the most important thing.
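As an added example that is not part of the article: a small POSIX shell check that reports whether a host meets the two conditions described above (CONFIG_RDS set, and the rds module loaded or loadable on demand) and whether the "alias net-pf-21 off" line has been applied. The function names are mine, and the file paths are parameters so the checks can be run against constructed sample files as well as the live system.

```shell
#!/bin/sh
# Added example, not from the article: report whether a host is exposed to the
# RDS bug described above and whether the "alias net-pf-21 off" mitigation is
# in place. Paths are parameters so the checks also run on constructed files.

# rds_config_enabled CONFIG_FILE: prints y, m, n or unknown for CONFIG_RDS,
# read from a kernel config such as /boot/config-$(uname -r).
rds_config_enabled() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_RDS=y' "$1"; then echo y
    elif grep -q '^CONFIG_RDS=m' "$1"; then echo m
    else echo n
    fi
}

# rds_alias_disabled MODPROBE_DIR: succeeds if any file in the directory
# aliases protocol family 21 (PF_RDS) to "off", so socket() cannot autoload rds.
rds_alias_disabled() {
    [ -d "$1" ] || return 1
    grep -qsE '^[[:space:]]*alias[[:space:]]+net-pf-21[[:space:]]+off' "$1"/*
}

# rds_module_loaded MODULES_FILE: succeeds if rds is listed in a
# /proc/modules-style file (module name is the first field).
rds_module_loaded() {
    grep -qsE '^rds[[:space:]]' "$1"
}

# rds_exposure CONFIG_FILE MODPROBE_DIR MODULES_FILE: prints a one-line verdict.
rds_exposure() {
    case "$(rds_config_enabled "$1")" in
        unknown) echo "unknown: cannot read kernel config $1"; return 0 ;;
        n) echo "not-exposed: RDS is not built for this kernel"; return 0 ;;
        y) echo "exposed: RDS is built in; only a fixed kernel removes it"; return 0 ;;
    esac
    # CONFIG_RDS=m: the alias only helps if the module is not already loaded.
    if rds_module_loaded "$3"; then
        echo "exposed: rds module is already loaded"
    elif rds_alias_disabled "$2"; then
        echo "mitigated: RDS is a module and net-pf-21 autoloading is aliased off"
    else
        echo "exposed: RDS module can still be loaded on demand; add the alias"
    fi
}

# Live check of this host; missing paths are reported rather than failing.
rds_exposure "/boot/config-$(uname -r)" /etc/modprobe.d /proc/modules
```

A "mitigated" verdict only covers the on-demand loading path; if rds is already resident, unload it or reboot after adding the alias, and a built-in RDS (CONFIG_RDS=y) still needs the fixed kernel.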
