Researchers at Perception Point have identified a Linux bug that has existed, unnoticed, for the last four years. This bug can be maliciously exploited on Linux PCs and servers, but it also affects all Android devices running any version of Android more recent than Jellybean.
The bug, indexed as CVE-2016-0728, was introduced in version 3.8 of the Linux kernel and is located in the OS keyring. Researchers were able to create a proof-of-concept exploit that showcased the malicious capabilities of the bug by using it to replace a keyring object with code that was executed by the kernel.
“While the vulnerability has existed since 2012,” said researchers Tuesday, “our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit. As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets).”
The exploit they demonstrated, and others like it, could give those with physical access to Linux servers root access or let a devious-enough Android app alter core OS functions. Perception Point is encouraging security teams and developers to examine any affected software and begin producing patches to defend against attack as quickly as they can.
The good news is that this bug seems to be obscure enough that the more devious minds prowling the tech world don't seem to have picked up on it yet. “Neither [Perception Point] nor the Kernel security team have observed any exploit targeting this vulnerability in the wild,” the researchers said. Since fixes look like they’re going to be made available early next week, we may be able to breathe a sigh of relief. However, sources like Ars Technica are reminded of the sneaky Linux trojan discovered in 2014 that had been sapping information from governments in 45 different countries for years without anybody noticing.
If you’re looking for more information regarding the technical nature of this bug, check out the original announcement at Perception Point. If you’re a Linux dev or security expert, we’d definitely be interested in hearing your take on this issue in the comments!