Made of Bugs

It's software. It's made of bugs.

A brief look at Linux's security record

After the fuss of the last two weeks because of CVE-2010-3081 and CVE-2010-3301, I decided to take a look at a handful of the high-profile privilege escalation vulnerabilities in Linux from the last few years.

So, here's a summary of the ones I picked out. There are also a large number of smaller ones, like an AF_CAN exploit, or the l2cap overflow in the Bluetooth subsystem, that didn't get as much publicity, because they were found more quickly or didn't affect as many default configurations.

| CVE name | Nickname | Introduced | Fixed | Notes |
|---|---|---|---|---|
| CVE-2006-2451 | prctl | 2.6.13 | 2.6.17.4 | |
| CVE-2007-4573 | ptrace | 2.4.x | 2.6.22.7 | 64-bit only |
| CVE-2008-0009 | vmsplice (1) | 2.6.22 | 2.6.24.1 | |
| CVE-2008-0600 | vmsplice (2) | 2.6.17 | 2.6.24.2 | |
| CVE-2009-2692 | sock_sendpage | 2.4.x | 2.6.31 | mmap_min_addr helped. [1] |
| CVE-2010-3081 | compat_alloc_user_space | 2.6.26 [2] | 2.6.36 | |
| CVE-2010-3301 | ptrace (redux) | 2.6.27 | 2.6.36 | 64-bit only |

I'll probably have some more to say about these bugs in the future, but here are a few thoughts:

  • At least two of these bugs existed since the 2.4 days. So no matter what kernel you've been running, you had privilege escalation bugs you didn't know about for as long as you were running that kernel. We don't know whether or not the blackhats knew about them, but are you feeling lucky?
  • I bet there are at least a few more privesc bugs dating back to 2.4 we haven't found yet.
  • If you run a Linux machine with untrusted local users, or with services that are at risk of being compromised (e.g. your favorite shitty PHP webapp), you'd better have a story for how you're dealing with these bugs. Including the fact that some of these were privately known for years before they were announced.
  • It's not clear from this sample that the kernel is getting more secure over time. I suspect we're getting better at finding bugs, particularly now that companies like Google are paying researchers to audit the kernel, but it's not obvious we're getting better at not introducing them in the first place. Certainly CVE-2010-3301 is pretty embarrassing, being a reintroduction of a bug that had been fixed seven months previously.
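As an added example (not code from the post), here is a small Python check that compares a kernel release string against the introduced/fixed windows in the table above, so you can see which of these bugs your kernel version number falls inside. It assumes the upstream version numbers from the table and knows nothing about distribution backports, so a hit is a prompt to check your vendor's advisories, not proof of exposure.

```python
import platform
import re

# The table from the post, transcribed: (CVE, nickname, introduced, fixed, 64-bit only).
# "2.4.x" is read as "predates 2.6", so it is encoded as 2.4 here.
KNOWN_PRIVESC = [
    ("CVE-2006-2451", "prctl",                   "2.6.13", "2.6.17.4", False),
    ("CVE-2007-4573", "ptrace",                  "2.4",    "2.6.22.7", True),
    ("CVE-2008-0009", "vmsplice (1)",            "2.6.22", "2.6.24.1", False),
    ("CVE-2008-0600", "vmsplice (2)",            "2.6.17", "2.6.24.2", False),
    ("CVE-2009-2692", "sock_sendpage",           "2.4",    "2.6.31",   False),
    ("CVE-2010-3081", "compat_alloc_user_space", "2.6.26", "2.6.36",   False),
    ("CVE-2010-3301", "ptrace (redux)",          "2.6.27", "2.6.36",   True),
]

def parse_version(release):
    """Turn a release string like '2.6.32-5-amd64' into (2, 6, 32).

    Only the leading dotted numeric part is used; the distro suffix is dropped,
    which is exactly why this check cannot see backported fixes.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.group(1).split("."))

def in_window(version, introduced, fixed):
    """True if introduced <= version < fixed (tuple comparison: 2.6.22 < 2.6.22.7)."""
    return parse_version(introduced) <= version < parse_version(fixed)

def possibly_affected(release, is_64bit):
    """Return (CVE, nickname, fixed-in) for table entries whose window contains this kernel.

    Entries marked 64-bit only are skipped on 32-bit kernels.  Distributions
    backport fixes without bumping the version, so verify hits against vendor advisories.
    """
    version = parse_version(release)
    hits = []
    for cve, nick, introduced, fixed, amd64_only in KNOWN_PRIVESC:
        if amd64_only and not is_64bit:
            continue
        if in_window(version, introduced, fixed):
            hits.append((cve, nick, fixed))
    return hits

if __name__ == "__main__":
    rel = platform.release()
    amd64 = platform.machine() in ("x86_64", "amd64")
    for cve, nick, fixed in possibly_affected(rel, amd64):
        print("%s (%s): running %s, upstream fix landed in %s" % (cve, nick, rel, fixed))
```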

  [1] mmap_min_addr mitigated this bug to a DoS, but several bugs that allowed attackers to get around that restriction were announced at the same time.

  [2] The public exploit relies on a call path introduced in 2.6.26, but observers have pointed out the possibility of exploit vectors affecting older kernels.