Jann Horn, the Google Project Zero researcher who discovered the Meltdown and Spectre CPU flaws, has a few words for maintainers of Ubuntu and Debian: raise your game on merging kernel security fixes, you’re leaving users exposed for weeks.
Horn earlier this week released an “ugly exploit” for Ubuntu 18.04, which “takes about an hour to run before popping a root shell”.
The kernel bug is a cache invalidation flaw in Linux memory management, tagged as CVE-2018-17182 and reported to Linux kernel maintainers on September 12.
Linux founder Linus Torvalds fixed it in his upstream kernel tree two weeks ago, an impressively fast single day after Horn reported the issue. And within days it was also fixed in the upstream stable kernel releases 4.18.9, 4.14.71, 4.9.128, and 4.4.157. There’s also a fix in release 3.16.58.
But Horn points out that some Linux distributions are leaving users exposed to potential attacks by not reacting fast enough to frequently updated upstream stable kernel releases.
As soon as the patch lands in the upstream kernel it is public, and from that point an attacker could use it to develop an exploit, Horn explains.
However, end users of Linux distributions aren’t protected until each distribution merges the changes from upstream stable kernels, and then users install that updated release.
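The exposure window described above ends for a given machine only once its kernel carries the fix. The check below is an added example (not code from the article, from Horn or from Project Zero) that compares a kernel release string against the upstream stable releases the article names as fixed (4.18.9, 4.14.71, 4.9.128, 4.4.157 and 3.16.58). It also encodes the caveat a practitioner needs: distribution kernels such as Ubuntu's or Debian's backport fixes without moving to a newer upstream version, so their version number says nothing about whether the fix is present, and the check reports them as "unknown" rather than guessing. The vendor-suffix heuristic and the "unknown" handling for branches not listed on the page are assumptions of this example.

```python
"""Check whether a kernel version string is at or past the upstream stable
release that carries the fix for CVE-2018-17182.

Added example; fixed versions are the ones named in the article. For
distribution-built kernels (vendor suffix such as '-34-generic' or
'-3+deb9u4') the upstream version number is not evidence either way, so the
result is 'unknown' and the distribution's security tracker is the authority.
"""
import platform
import re

# Upstream stable branches and the first release of each that contains the
# fix, as stated in the article.
FIXED_IN = {
    (4, 18): (4, 18, 9),
    (4, 14): (4, 14, 71),
    (4, 9): (4, 9, 128),
    (4, 4): (4, 4, 157),
    (3, 16): (3, 16, 58),
}

# major.minor, optional .patch, then whatever the builder appended.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_kernel_version(release: str):
    """Split a `uname -r` style string into ((major, minor, patch), suffix).

    '4.18.9'            -> ((4, 18, 9), '')
    '4.15.0-34-generic' -> ((4, 15, 0), '-34-generic')
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def fix_status(release: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a kernel release string."""
    (major, minor, patch), suffix = parse_kernel_version(release)
    # Heuristic (assumption of this example): a suffix containing a digit is a
    # vendor build number, i.e. a distribution kernel whose fixes are
    # backported. Its upstream version cannot tell us about CVE-2018-17182.
    if re.search(r"\d", suffix):
        return "unknown"
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        # Branch not listed in the article (mainline, other stable series):
        # do not guess.
        return "unknown"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs alongside the running kernel.
    for rel in ("4.18.8", "4.18.9", "4.4.157", "4.15.0-34-generic",
                platform.release()):
        print(f"{rel:24} {fix_status(rel)}")
```

On an Ubuntu 18.04 host the last line prints "unknown", which is the honest answer: whether that kernel is patched is decided by the distribution's advisory and update state, not by the version string, and that gap between upstream publication and distribution merge is exactly the window the article is about.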
Submitted by: Arnfried Walbrecht