Eight-year-old security flaw in Linux kernel patched

Fourth 'old' security flaw in Linux kernel patched

Another serious, years-old vulnerability in the Linux kernel has been patched - the fourth such ageing security flaw to be fixed in the kernel recently.

The security flaw, CVE-2017-2636, was introduced to the code in 2009, and was discovered and fixed by Positive Technologies' Alexander Popov.

"The vulnerability is old, so it is widespread across Linux workstations and servers," said Popov. "To automatically load the flawed module, an attacker needs only unprivileged user rights. Additionally, the exploit doesn't require any special hardware."

According to Positive Technologies, the flaw was introduced on 22 June 2009, but only uncovered on 28 February by Popov, who reported the vulnerability to Kernel.org, attaching a patch to fix it along with an exploit prototype.

Seven days later, the CVE-2017-2636 vulnerability was disclosed, and the security updates were published. The bug can also be mitigated manually with special rules that block kernel modules from loading, according to an advisory published by Positive Technologies. Popov claims that the flaw was uncovered using the Google code auditing tool Syzkaller.
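The manual mitigation mentioned above can be audited with a short script. This is an added example, not taken from the article or from the Positive Technologies advisory. It assumes the affected module is `n_hdlc`, the driver named in the CVE-2017-2636 record (the article does not name it), that the blocking rule takes the common modprobe.d form `install <module> /bin/true`, and it uses a hypothetical function name and constructed sample configuration.

```shell
#!/bin/sh
# Added example (not from the article): classify how modprobe.d-style rules
# treat a module. Function name and sample files are hypothetical/constructed.
#   blocked   - "install <mod> /bin/true|/bin/false" replaces loading with a no-op
#   blacklist - only "blacklist <mod>": the module's aliases are ignored, but an
#               explicit "modprobe <mod>" would still load it
#   loadable  - no matching rule found
# Usage: module_block_status <module> <conf_dir>...
module_block_status() {
    mod=$(printf '%s' "$1" | sed 's/-/_/g')   # modprobe treats - and _ alike
    shift
    status=loadable
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # "|| [ -n "$kw" ]" keeps a final line that lacks a newline
            while read -r kw name cmd rest || [ -n "$kw" ]; do
                name=$(printf '%s' "$name" | sed 's/-/_/g')
                [ "$name" = "$mod" ] || continue
                case "$kw:$cmd" in
                    install:*/bin/true|install:*/bin/false)
                        status=blocked ;;
                    blacklist:*)
                        [ "$status" = blocked ] || status=blacklist ;;
                esac
            done < "$f"
        done
    done
    printf '%s\n' "$status"
}

# Constructed sample configuration, not taken from any real host.
# Assumption: n_hdlc is the module affected by CVE-2017-2636.
demo_dir=$(mktemp -d)
printf 'blacklist n_hdlc\n' > "$demo_dir/10-blacklist.conf"
module_block_status n_hdlc "$demo_dir"
printf 'install n-hdlc /bin/true\n' > "$demo_dir/20-disable.conf"
module_block_status n_hdlc "$demo_dir"
rm -rf "$demo_dir"
```

On a real host, point the function at the configuration directories in use, such as `/etc/modprobe.d`; `modprobe -n -v n_hdlc` shows what modprobe itself would run for the module.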

Because of the age of the bug and the number of distributions that it will have been included in, it will be widespread - including in many embedded systems that are rarely updated, such as cheap digital video recorders (DVRs) sold to record images from CCTV cameras.

Other old Linux security flaws recently patched include the Dirty COW zero-day, tracked as CVE-2016-5195, which was introduced in 2007 but only patched last year. It was targeted by attackers once the flaw became widely known, before the patch was introduced.

Again, many embedded systems - especially in DVRs - will remain unpatched against the Dirty COW flaw.