Linux kernel vulnerability behind Debian attack
A serious vulnerability in the Linux 2.4 kernel that allows users on a Linux machine to gain unlimited access privileges has been discovered, according to a security advisory posted by developers of the noncommercial Debian Linux distribution.
The bug affects versions of the Linux kernel prior to 2.4.23, and was the method used during a recent attack on Debian's servers, according to the advisory. In that attack four Linux servers that hosted Debian's bug tracking system, mailing lists and various Web pages were compromised.
The vulnerability can only be exploited by someone who has already been given a user account on the Linux machine, and does not affect users of every Linux system, said Linux creator Linus Torvalds in an e-mail interview. "It's a local-only compromise that you can't trigger from the outside," he said. "To most people, it would thus become serious only after you had some account hacked into -- the bug then allows elevation of privileges."
The bug does not only affect Debian users, however. Any Linux user running a version of the kernel prior to 2.4.23 should contact their distribution provider to see whether a patch for the exploit has been made available, Torvalds said.
The problem was discovered by Linux kernel developer Andrew Morton in September, and was fixed in the 2.4.23 version of the kernel, but Linux distributors had been working to coordinate a release of a fix for the problem, said Dave Wreski, chief executive officer with Guardian Digital Inc., the vendor of a secure Linux distribution.
"What all the hoopla is about is that Debian somehow let this patch that's been available for a month or two slip and got bitten by it," said Wreski.
As of Monday, patches that corrected the kernel bug had been issued for a number of Linux distributions, including Red Hat, Debian, and Mandrake Linux.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
