Three new Linux kernel vulnerabilities have been uncovered by security researchers which could potentially be exploited by hackers to cause Linux systems to crash or to enable hackers to remotely run arbitrary code.
While older versions of Linux contain numerous flaws, one of the new Linux kernel vulnerabilities affects the most recent versions of Linux including Fedora, Red Hat Enterprise Linux (RHEL) 7, and Ubuntu.
CVE-2016-8655, which was discovered by security researcher Philip Pettersson, is a race condition bug in packet_set_ring that could be exploited on systems where unprivileged namespaces are enabled. A race condition is a situation where the system attempts to perform two or more operations at the same time.
The vulnerability could be exploited even when Supervisor Mode Access Prevention (SMAP) and Supervisor Mode Execution Protection (SMEP) have been implemented.
Pettersson says, “My exploit defeats SMEP/SMAP and will give a rootshell on Ubuntu 16.04.” He also explained in a recent blog post, “I found the bug by reading code paths that have been opened up by the emergence of unprivileged namespaces, something I think should be off by default in all Linux distributions given its history of security vulnerabilities.”
CVE-2016-6828 could also allow an attacker to run arbitrary code or crash the attacked system, although this vulnerability is harder to exploit than CVE-2016-8655. CVE-2016-6828 is a use after free vulnerability which was discovered in the tcp_xmit_retransmit_queue and other tcp_* functions. The vulnerability could allow an attacker to send an incorrect selective acknowledgment to existing connections. This could possibly allow the attacker to reset a connection.
CVE-2016-6480 can also be used to trigger a race condition, which can cause the attacked system to crash. However, this bug could not be exploited to allow an attacker to run arbitrary code. The bug is a race condition in the octl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel. The bug would allow local users to cause a denial of service crash by changing a certain size value.
All three of the new Linux kernel vulnerabilities have now been patched. Linux administrators should ensure their systems are patched promptly to prevent these vulnerabilities from being exploited.