Linux gets fix for code-execution flaw that was undetected since 2009

Maintainers of the Linux kernel have patched one of the more serious security bugs to be disclosed in the open source operating system in recent months. The five-year-old code-execution hole leaves computers used in shared Web hosting services particularly vulnerable, so users and administrators should make sure systems are running updated versions that contain a fix.

The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device.

"This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31)," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. "A bug this serious only comes out once every couple years." As Ars reported in May 2013, the then-two-year-old CVE-2013-2049 continued to imperil users more than a month after Linux maintainers quietly released a patch for the gaping hole.

While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers, Rosenberg said. It could also come handy in multi-stage attacks that exploit a variety of bugs that, when combined, give the attacker unfettered control over a targeted system. As others have pointed out, the vulnerability also has the potential to affect Google's Android and Chrome OSes.

Linux maintainers have committed a fix here, and the patch has already been released for the Ubuntu distributions. Officials with Red Hat say Red Hat Enterprise Linux 5 is not vulnerable to the issue, but updates for Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 may be released in the future. The status of Debian is here.

The availability of proof-of-concept code exploiting the flaw is a good indication that it's not hard for blackhat hackers to take advantage of organizations running vulnerable servers. Administrators and end users should ensure the systems they oversee or rely on are running up-to-date versions.

Story updated to change "unpatched" to "undetected" in the headline, add link about status of Debian.