nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
Patch alert! Easy-to-exploit flaw in Linux kernel rated 'high risk'

Silver badge
Trollface

Let the games begin...

I look forward to intelligent discourse re the pros and cons of one OS over another now....

34
2
Anonymous Coward

Re: Let the games begin...

I'm not worried I run Amiga OS on all my servers.

43
0
Silver badge

"I look forward to intelligent discourse re..."

Yes indeed, and also Carter advising how this problem occurred...

4
0
Pint

Re: Let the games begin...

BSD on an Amiga 2000 with Blizzard 2060 FTW :)

(Or the native Apache and PHP builds from Aminet. Whichever.)

2
0

Re: Let the games begin...

I'll stick with Linux. Rest of you go to windoze!

4
11
Anonymous Coward

Re: Let the games begin...

PHP = instant security fail.

2
2

Yeah but

who needs to exploit kernel-based vulnerabilities these days? Just exploit systemd vulnerabilities instead! :D

44
1
Silver badge

Re: Yeah but

And for the "reboot" part as well, since patching systemd would also require a reboot. systemd, bringing Linux to the WindowsME security level !

22
1
Silver badge

Re: Yeah but

Not so fast. Shirley if you run systemd, you get the additional protection of its built in ASLR and antivirus packages.

6
3
Silver badge

Re: Yeah but

I misread that as ASMR.

Though, if I'm honest, I wouldn't be surprised if systemd had a "module" that whispered gently in your ear to send you to sleep at night.

1
1
Anonymous Coward

"An unprivileged local user"

local user -> game over

11
11
Anonymous Coward

Re: "An unprivileged local user"

I'm not so sure , if the drives encrypted so user is confined to fighting from within the OS , you could maybe lock it down enough to stop them breaking it.

If the drives not encrypted , boot from somthing else = pwnd

1
9

Re: "An unprivileged local user"

They don't mean physically local I believe, you can pull this off just as easily on a vps.

Just a non-privileged user.

14
1
Silver badge

Re: "An unprivileged local user"

"They don't mean physically local I believe"

From the article:

"The vulnerability is nasty but it'd be a whole lot worse if it were to lend itself to being remotely triggered, like ShellShock and its ilk. This flaw does not fall into that category, fortunately."

That suggests a physically present attacker. I guess someone on a RAT or something might be able to make use as well, though tbh if someone has a RAT on your machine already then he might as well be in the room with you anyway.

4
17

Re: "An unprivileged local user"

I'm fairly sure a local user is just someone with a user account on the machine. It doesn't matter where they are. "remotely triggered" means triggered remotely by anyone with a network route to the machine over some network protocol (e.g. HTTP or FTP) with or without a user account on the machine.

29
0
Anonymous Coward

Re: "An unprivileged local user"

If I read this correctly you need a user account on the machine. Which means it should be fairly difficult for some unknown person to get in... unless they're exploiting another problem or lax area of security.

Then, if I read this correctly, they need to have access to a SUID script... something most people don't allow. Only then can they trigger this "exploit", so I don't think it's exactly an "open goal" .... unless I've misunderstood.

Having said that I'll make sure I'm patched :-)

8
0
Silver badge

Re: "An unprivileged local user"

local user -> game over

Not in theory (well away from windows anyway) - although throwing SUID into the mix...

2
1
Anonymous Coward

Re: "An unprivileged local user"

Clearly a lower class Brit would only count as an "Unprivelaged Local User" if the computer were in Britain. A middle-class Australian sitting directly in front of the machine would - of course - not pose a security risk.

1
0
Silver badge

Please...

...the next time a Linux fanboy pops up and moans that Windows need a reboot after patching, can we smack this article around their head.

Yes it may need it more (often it doesn't these days), but some fanboys insist Linux NEVER needs to be.

No one on here of course.

18
41

Re: Please...

There are several services that allow you to patch a running kernel. I use KernelCare myself and that's patched all the known vulnerabilities on systems that have been running for over a year.

I believe Ubuntu and other vendors provide similar services.

9
3

Re: Please...

So, you like company in your misery.

Well, if it makes you feel better.

5
2
Anonymous Coward

Re: Please...

>Please......the next time a Linux fanboy pops up and moans that Windows need a reboot

That's reboot singular, the last W10 update I had required 2 and 25 mins of thumb twiddling. Defending W10 update is like trying to defend Ted Bundy, give up he's going to the chair.

17
4
Anonymous Coward

Re: Please...

I know, right? Another day, another Linux exploit...

2
4
Silver badge

Re: Please...

> and moans that Windows need a reboot after patching,

While Windows does need a reboot after an update that replaces or patches the kernel, it also needs a reboot because Windows cannot delete or replace a file that is open due to the way the file system is designed. As many library files are open on a running system then it almost always needs a reboot so that files can be deleted and replaced during start up and before they are opened.

Unix like systems using an inode file system can delete and replace files that are open because the file name is not directly linked to the data blocks but is done through the inode. An open file can continue to use the original inode while the update creates a new inode with its own set of data blocks and the file name is linked to the new inode. The old inode and its data is deleted when all processes have closed the old inode.

This means that the vast majority of updates do not require a reboot. Some systems will do in-flight kernel patching that also does not require a reboot.

5
0
Silver badge
Meh

Re: Please...

<sigh> The difference is that it seems like *every* Windows patch session requires a laborious install, then a reboot, then another laborious bootup while it's "Getting things ready." or whatever it's doing, as it certainly doesn't share that information with you, then perhaps yet another reboot if the Windows kernel is being replaced.

At least with Linux, 95% of the updates are speedy, verbose if you want them to be, and do not require a reboot. My only complaint with Linux kernel updates is that after the reboot you often have to struggle with your graphics drivers no longer working, at least if you use a proprietary driver and not the underachieving ones included with Linux. But IMHO, the overall pain is far less than what MS gives you.

1
0
Silver badge
Linux

Re: But IMHO, the overall pain is far less than what MS gives you.

Ah, yes, that irritating

Configuring Windows Updates, do not turn off your computer

time sink of 5 or more minutes

reboot

Configuring Windows Updates

time sink of 5 or more minutes

desktop shows up, circle of death spinning as Windows tries to 'get its act together'

click on a shortcut to a program, circle of death starts spinning, nothing happens

click again, another circle of death, and finally, two instances of the program appear

Boss screaming about me fucking off, but I can't do shit until Windows gets its act together

And, people wonder why I abandoned personally Windows more than 10 years ago? Until I retired, I still had to content with that piece of shit O/S at work.

2
1
Silver badge
Happy

Patched

Now, next question?

14
1
Linux

re-booting

@Lost

Most Linux users have used Windows, or are familiar with it.

We all have seen "Windows needs to be re-started ... "

As a MS fanboy you may claim Windows is the best at everything, but not this. :)

17
5
Silver badge

I knew I should have ...

... stuck with a.out

Now GET COFF MY LAWN!

14
1

Easy solution

I run MSDOS, there hasn't been any major (or minor) security patches released for years!

13
0
Silver badge

Re: Easy solution

I run MSDOS, there hasn't been any major (or minor) security patches released for years!

Here - can you just check this floppy disk for me please? I want to check that the FORM virus is still on it..

2
0
Bronze badge
Linux

Is that recipe Open Sauce?

The article was accompanied by a photograph from an unknown source, showing what looks like little tuxes, or maybe just black olives without kernels. .

6
0
Silver badge

Re: Is that recipe Open Sauce?

Made of olives (with pips removed), carrots, goats cheese.

Recipee:

1. Peel carrots, cut them in discs, cut out a segment to be used as beak.

2. Cut half the olives side-ways, stuff with goat's cheese

3. Place the beaks in the other half of the olives, using the opening created when the pip was removed.

4. Place carrot discs, goat-cheese-stuffed olives, carrot stuffed olives above one-another and use a toothpick to attach.

5. Serve with a St Emilion Grand Cru [Classé]

Exactly what I will bring to work next time the guyz from Accenture show their backsides 'round 'ere ...

2
1
Boffin

Apparently there is a workaround for high uptime systems:

sysctl -w vm.legacy_va_layout=1

No need for emergency patch / reboot; this stops the attack cold until you can reboot in a more scheduled manner.

From https://access.redhat.com/security/cve/cve-2017-1000253

7
0
Gold badge
Coat

Fortunately only superior *nix coders can cause this sort of mayhem.

A sort of ELF Lord as it were.

7
0
Silver badge

Re: Fortunately only superior *nix coders can cause this sort of mayhem.

A sort of ELF Lord as it were.

I'm sure that they can ork out all the issues. After all, they are dwarfed by the massive advantages.

3
0
Silver badge

"Just run your usual package management tools to install the patched kernels and reboot."

I guess some, maybe even most, can make this work. But for me this will involve desperately trying to create more space on /boot (not my decision to make it tiny, it's what the installer did by default, although in fairness to the installer vmlinux and friends are a lot bigger now than they were when it was written).

Then it'll involve messing around in a 800x600 window trying to figure out what spell it takes to make the graphics work at proper resolution. I have to do this for every new kernel yet somehow can never remember what variables and symlinks need to be in place to get the driver to rebuild.

1
0
Silver badge

/boot too small

Just live boot from a distro that understands your FS and re-partition.

6
0
Silver badge

A 800x600 window? Luxury! My mythtv box has the same res (hey, analog TV-out...), but I have to additionally remember NOT to switch off the machine when it hangs at every kernel update, because after 40 (yes, FOURTY) minutes it will actually realize I have no FDD then un-hang itself and proceed booting, and that's the only way it will ever boot again...

0
0
Silver badge
Facepalm

Poor show

FAO Linus, go in shame and take your shareware OS with you!

3
22
Bronze badge
Thumb Up

Re: Poor show

Linus has been blasting kernel devs for poor coding for years, he obv just missed one.

BTW in the cloudy world, why reboot, just spin up new server with updated kernel, tear down vulnberable one...

1
2
Silver badge

J J Carter in new comment shocker...

Not much of an improvement in troll value however. 2/10 Must try harder.

1
1
Silver badge
WTF?

Re: J J Carter in new comment shocker...

Perhaps JJ Carter is the present day Loverock Davidson???

2
1
Silver badge

requires reboot

... Ok, someone's taking "year of Linux on the desktop" too literally.

3
0
Anonymous Coward

"kinda" is not a real word.

It's "_an_ SUID ..."

0
1
Silver badge

That's OK.

ACs are not real commentards.

3
3
Anonymous Coward

Dear fanboys of any OS

You do nobody any favours by touting one over the other. Blind devotion to one OS over another is pointless, they are tools. By all means have a favourite but choose the tool for the job and always keep your eye on competitors.

Many of us will favour Linux, others Windows but one thing I think we can all agree on is that they both need work and neither is perfect.

8
0

Re: Dear fanboys of any OS

What a pointless and vapid comment!

You do do favours by touting one over the other and the obvious one to tout is Linux. Other readers may start to understand why people care about the differences if they are identified and detailed!

1
9
Bronze badge

Re: Dear fanboys of any OS

"What a pointless and vapid comment!

You do do favours by touting one over the other and the obvious one to tout is Linux. Other readers may start to understand why people care about the differences if they are identified and detailed!"

What a pointless and vapid comment - just what Id expect from a blinkered penguinista

Each has their place and until the penguins (SOME - NOT ALL) start acting like grown ups it will never see the light of day as the year of Linux on the desktop.

fully expect adavanced muppetry in reply.

3
4

Re: Dear fanboys of any OS

no Kermit vuln would be exploited by anyone other than an Animal! Just keep a Sam Eagle eye out and hold out your patch Beaker before Crazy Harry takes it to Penguins.

If Windows is Gonzo win the OS war then I for one will jump off Clifford. Bobo Bear with me for a second, I can hear Miss Piggy automating some virtual machines now with the Swedish Chef - ha, what about Puppet?

Flame wars, keep away from the non fire retardant entertainment systems, Statler and Waldorf would laugh at such a pointless and vapid argument

0
2

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing