The importance of keeping system patches current to ensure security cannot be overstressed, as recent vulnerabilities identified in the Linux world have shown.
Word recently broke of two serious vulnerabilities affecting Linux kernels that can cause complete loss of system control if the required patches are not applied.
The first of these vulnerabilities, discovered by researchers from Qualys, affects multiple Linux distros. Named Mutagen Astronomy, it allows an attacker to gain complete control of a targeted system through root access. This Linux vulnerability adversely impacts all current versions of Red Hat, Debian, and CentOS distributions. A vulnerability like this, given the breadth of systems it affects, is very serious.
According to Qualys’ researchers, the bug has existed in the Linux kernel for around a decade. It was introduced into the Linux kernel in July 2007, and although a mitigation for it was released in July 2017, not all Linux distributions backported the fix into their kernels; those that did not have remained vulnerable. As mentioned, among the distributions affected when this flaw was disclosed last week are Red Hat Enterprise Linux (RHEL) 6 and 7 and Red Hat Enterprise MRG 2, as well as CentOS (which is based on RHEL) and Debian 8 Jessie (oldstable).
“Most Linux distributions backported commit da029c11e6b1 to their long-term-supported kernels, but Red Hat Enterprise Linux and CentOS (and Debian 8, the current ‘oldstable’ version) have not, and are therefore vulnerable and exploitable.”
-Qualys Security Advisory
In response to this identified vulnerability, Red Hat, for example, plans to fix the issue in a future kernel update, but issued a manual workaround that will protect systems against exploitation in the meantime. The workaround needs to be reapplied after system reboots.
The second vulnerability was found by a security researcher from Google’s Project Zero. This flaw can also be exploited to achieve arbitrary code execution as root and affects all kernel versions since 3.16. The bug was reported to the Linux kernel maintainers on Sept. 12 and a patch for it was created two days later. Security researchers consider this an “exceptionally fast” patch creation time compared to the fix times required for other identified security vulnerabilities.
The identification and mitigation of this vulnerability point to a well-known problem in the Linux ecosystem that is also highlighted by the Mutagen Astronomy flaw:
When a vulnerability is patched in the upstream Linux kernel, it doesn’t automatically mean that users’ systems are protected.
In fact, it can take a significant amount of time until end-user systems receive the patch. That’s because most users employ a particular Linux distribution and rely on receiving security patches through it. These Linux distributions generally use stable kernels, including older ones, so they need to wait until the maintainers of those kernels backport the fixes.
All these delays create a window of opportunity for attackers, and sometimes – like in the Mutagen Astronomy case – patches that might not look very important for a distribution to import could turn out to have security implications years later.
We point out these recently-identified Linux kernel vulnerabilities not to denigrate Linux kernel distributions or vendors, but to emphasize something that cannot be emphasized too many times: the importance of being absolutely diligent in patching computer systems as patches/bulletins become available from vendors.
While these recently-identified vulnerabilities apply specifically to Linux systems, such vulnerabilities can and do occur with all IT systems on a regular basis.
As this example shows, patch development itself can occur at a very uneven pace in response to identified vulnerabilities, so it is very important to pay attention to ALL received security bulletins and act in accordance with them, even when patches are not immediately forthcoming.
While the immediate purpose of this blog post is to remind our customers and readers deploying Linux systems to check their systems and patch accordingly, we are also publishing it to emphasize the importance of timely, ongoing, and comprehensive system patching. Organizations that find themselves unable or unwilling to do this task can rely on IT service providers to do this for them as part of the services they provide.
Whichever way you choose to execute this essential task for your business, the important thing is that it is DONE – regularly and without fail.
As these latest identified vulnerabilities show, even system vendors can miss essential patches and leave vulnerabilities open longer than is prudent.
Timely, rapid, and comprehensive patching is, and always will be, a perhaps mundane but absolutely essential part of maintaining a well-functioning, stable, and secure IT infrastructure for your business.