Linux users are being warned of a vulnerability in versions of the kernel prior to 5.0.8 which allows for an attacker to issue a denial-of-service attack or potentially execute arbitrary code remotely.
The Linux kernel, at the heart of the operating system family which bears its name, is one of the most widespread pieces of software in history. As well as powering everything from desktops to games consoles, it can be found on routers, gateways, firewalls, and even smart home devices like lightbulbs and thermostats. A vulnerability in Linux, then, is serious business - and this latest discovery affects every version prior to the most recent 5.0.8 release.
Published as CVE-2019-11815, the vulnerability relates to a TCP socket closure function in the kernel's networking code: A race condition allows for a use-after-free attack, giving a sufficiently motivated attacker the ability to crash or hang the system or potentially even execute arbitrary code without the need for user interaction. It's a flaw serious enough for the US National Institute of Standards and Technology (NIST) to issue an 8.1 score on its impact severity ranking, though the complexity of actually exploiting the vulnerability drops its impact score down to 2.2.
Nevertheless, the flaw is a serious one - and made doubly so by the fact it has existed for such a long time and affects such a long list of kernel versions. With many products, especially in the smart home arena, being effectively sell-and-forget, there are likely to be vulnerable systems out there for years to come - and if the complexity of successful remote exploitation can be overcome, that could spell trouble.
A technical discussion of the vulnerability, and the code changes made to mitigate it in Linux 5.0.8, can be found on Kernel.org. Those able to upgrade to Linux 5.0.8 should do so now; those who cannot will have to wait for the fixes to be backported to their current kernel branch.
November 6 2020 | 17:30