Linux Kernel Zero Day Vulnerability CVE-2016-0728

This vulnerability has existed since 2012 and it affects Android and Linux systems running Linux Kernel version 3.8+, and Linux server or desktop running kernel 3.8+ is vulnerable.

As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets).

How do I fix this?

First some background on what the CVE-2016-0728 bug is. From the Perception Point Research Team

CVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, let’s cover some background required to understand the bug. It can successfully escalates privileges from a local user to root.

The function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.

Each process can create a keyring for the current session using keyctl(KEYCTL_JOIN_SESSION_KEYRING, name) and can choose to either assign a name to the keyring or not by passing NULL. The keyring object can be shared between processes by referencing the same keyring name. If a process already has a session keyring, this same system call will replace its keyring with a new one. If an object is shared between processes, the object’s internal refcount, stored in a field called usage, is incremented. The leak occurs when a process tries to replace its current session keyring with the very same one. As we see in the next code snippet, taken from kernel version 3.18, the execution jumps to error2 label which skips the call to key_put and leaks the reference that was increased by find_keyring_by_name.

The vulnerability affects any Linux Kernel version 3.8 and higher. SMEP & SMAP will make it difficult to exploit as well as SELinux on android devices. Maybe we’ll talk about tricks to bypass those mitigation in upcoming blogs, anyway the most important thing for now is to patch it as soon as you can.

The following Distros are known to be affected:

  • Red Hat Enterprise Linux 7
  • CentOS Linux 7
  • Scientific Linux 7
  • Debian Linux stable 8.x (jessie)
  • Debian Linux testing 9.x (stretch)
  • SUSE Linux Enterprise Desktop 12
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Workstation Extension 12
  • SUSE Linux Enterprise Workstation Extension 12 SP1
  • Ubuntu Linux 14.04 LTS (Trusty Tahr)
  • Ubuntu Linux 15.04 (Vivid Vervet)
  • Ubuntu Linux 15.10 (Wily Werewolf)
  • Opensuse Linux LEAP 42.x and version 13.x
  • Oracle Linux 7

Open a Terminal

ctrl alt t

Fully update your system

Check your current Kernel Version

You need to reboot the box. Before you apply patch, note down your current kernel version, get it by typing the following command:

uname -r
uname -mrs

Debian / Ubuntu

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
sudo reboot

RHEL / CentOS Linux

sudo yum update
sudo reboot

Suse Enterprise Linux or Opensuse Linux

zypper patch && reboot

If you want to upgrade


Share your thoughts

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s