A new Linux kernel flaw, similar to the one that allowed hackers to penetrate key open source development servers last year, has recently been discovered in Linux kernel 2.4.

The flaw is serious, because it can allow any user to run arbitrary code on a vulnerable system. The problem results from a flaw in the implementation of the do_mremap system call that manages virtual memory. The discoverer, Paul Starzetz of iSEC Security Research Inc., says he knows the vulnerability exists in Linux kernel versions through 2.4.23 but warns that it may also affect the new 2.6 kernel. The original report was made on BugTraq.

Another Linux kernel threat involves a problem with the real-time clock routine, which may allow kernel data to leak and become visible to local users.

The Linux community is currently in a bit of turmoil because some folks want to push users into adopting the 2.6 kernel, while others feel it isn’t ready for general deployment. Release 2.6 is designed to be more attractive to larger corporate users, specifically by better supporting servers with larger numbers of processors.

This mremap flaw is found in all Linux kernel versions through 2.4.23 and possibly also the new 2.6 kernel.

Risk level: Critical
No elevated privilege is required to initiate the attack on do_mremap because any process can initiate the mremap call. A successful exploit of this vulnerability (several of which are already known) allows an attacker to run arbitrary code on the system. The real-time clock vulnerability carries only moderate risk.

Mitigating factors
Mr. Starzetz stated in his announcement that he is unaware of any workarounds for the do_mremap vulnerability. The only mitigating factor for the real-time clock vulnerability is that it can only be exploited locally.

Fix: Patch or update
A new version of the 2.4 Linux kernel (2.4.24) was released on Jan. 5 to address the do_mremap vulnerability. Red Hat, SuSE, Guardian Digital, Turbolinux, and other vendors have also released patches for do_mremap for their Linux distributions.

Red Hat, EnGarde, and Conectiva all issued fixes for the real-time clock vulnerability on Jan. 5. Other vendors may have released fixes by the time you read this.
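As an added inventory check (not code from the column or from any of the vendors named above), a small POSIX shell helper that classifies a kernel release string against the versions the do_mremap report names: 2.4 through 2.4.23 affected, 2.4.24 fixed upstream, 2.6 possibly affected. The function names `kernel_base`, `mremap_status`, `vendor_tagged` and `check_running_kernel` are my own; the vendor-tag handling reflects that distributions backport fixes without changing the base version.

```shell
#!/bin/sh
# Added example, not code from the original column. Classifies a kernel
# release string (as printed by `uname -r`) against the do_mremap report:
# upstream 2.4 kernels through 2.4.23 affected, 2.4.24 fixed, 2.6 possibly
# affected. A base-version verdict is an inventory hint, not proof.

# Print the upstream base version: "2.4.20-8smp" -> "2.4.20".
kernel_base() {
    printf '%s\n' "${1%%[!0-9.]*}"
}

# Print one of: vulnerable, fixed, possibly-vulnerable, unknown.
mremap_status() {
    rel=$1
    base=$(kernel_base "$rel")
    suffix=${rel#"$base"}                 # "-8smp", "-pre3", "" ...
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    patch=${patch:-0}
    # A pre-release of 2.4.24 (2.4.24-pre3, 2.4.24-rc1) is not 2.4.24 yet.
    case "$suffix" in
        -pre*|-rc*|pre*|rc*) patch=$((patch - 1)) ;;
    esac
    case "$major.$minor" in
        2.4) if [ "$patch" -le 23 ]; then echo vulnerable; else echo fixed; fi ;;
        2.6) echo possibly-vulnerable ;;
        *)   echo unknown ;;   # the report covers only 2.4 and 2.6
    esac
}

# Succeed (return 0) when the release carries a vendor tag such as Red Hat's
# "2.4.20-8" or SuSE's "2.4.21-99-default". Vendor kernels often ship
# backported fixes, so the base-version verdict must be confirmed against
# that vendor's advisory rather than trusted on its own.
vendor_tagged() {
    rel=$1
    suffix=${rel#"$(kernel_base "$rel")"}
    case "$suffix" in
        ""|-pre*|-rc*|pre*|rc*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report on the kernel this script is running under.
check_running_kernel() {
    rel=$(uname -r)
    status=$(mremap_status "$rel")
    if vendor_tagged "$rel"; then
        echo "$rel: $status by base version; vendor kernel, confirm with distro advisory"
    else
        echo "$rel: $status"
    fi
}
```

Run `check_running_kernel` on each host, or feed collected `uname -r` strings to `mremap_status` from a central inventory.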

Final word
Marcelo Tosatti, the team leader chosen by Linus Torvalds to maintain 2.4, has stated that 2.6 is mature enough to be used, that users should migrate from 2.4, and that he intends to “fix only critical/security problems” from 2.4.25 on. The first stable release of 2.6.0 was on Dec. 18, and some developers don’t feel that it is quite ready for prime time. (Does this remind you of complaints about Windows updates?)

Also watch for…

  • Did you get a nasty-sounding e-mail from the FBI lately? “Your IP Was Logged” is how this fake message begins, but, according to The Age, it really contains malware that some people are opening, because it appears to be a notice from the feds that they have illegally downloaded software. The message looks reasonably official, except the sender obviously isn’t familiar with the concept of spell checkers. It’s simply amazing how easy it is to avoid most e-mail tricks; just seeing the poor spelling and grammar should be enough to keep you from opening most attachments. If that doesn’t do it, you should be savvy enough to wonder just why the FBI would be contacting anyone by e-mail about a criminal matter.
  • The 400 or so RIAA-filed copyright suits filed against people involved in music file sharing at the end of 2003 apparently have had a major impact. A Reuters survey reports that the number of music downloaders dropped from 35 million to 18 million in the weeks following the much-publicized suits. However you may personally feel about the cost of music, this is very good news for managers who are struggling to get and keep Kazaa and Grokster off their networks. It remains to be seen whether the decrease in usage will be reversed now that a federal court has denied the RIAA the ability to freely gather user names from ISPs.
  • Playing an MP3 file or streaming an MP3 via HTTP can, due to a format string flaw in mpg321.c, allow a malicious individual to overwrite memory locations on your machine and thereby run arbitrary code. This applies to any Linux/UNIX system running mpg321. Debian released a patch for this format string vulnerability on Jan. 6. Other vendors may have addressed the threat by now, so you'll need to check with the vendor of your Linux distribution.
  • Secunia reports that two flaws exist in the File Service Protocol (FSP Suite 2.x). One, a directory traversal vulnerability, allows attackers to view files in other directories, and the other, a highly critical buffer overflow, allows them to run arbitrary code on the vulnerable system. The directory traversal vulnerability responsible for the file viewing issue was reported in Dec. 2003 and has been fixed in version 2.8.1b18. Secunia reports that it is unaware of any fix for the more serious threat.