Security professionals took note of a critical new vulnerability in the Linux kernel that could enable an attacker to gain root access to a vulnerable machine and take complete control of it. An unknown cracker recently used this weakness to compromise several of the Debian Projects servers, which led to the discovery of the new vulnerability.
This discovery has broad implications for the Linux community. Because the flaw is in the Linux kernel itself, the problem affects virtually every distribution of the operating system and several vendors have confirmed that their products are vulnerable. The vulnerability is in all releases of the kernel from Version 2.4.0 through 2.5.69, but has been fixed in Releases 2.4.23-pre7 and 2.6.0-test6.
On Tuesday, one day after the vulnerability was disclosed, exploit code for the flaw surfaced on the BugTraq security mailing list. The code is designed to run on x86 systems running any version of Linux. Also on Tuesday, more Linux vendors released updated packages containing fixes for the weakness. MandrakeSoft and Slackware Linux Inc., among others, issued new versions.
The vulnerability itself is an integer overflow in the brk( ) system call, which is a memory-management function. When the call invokes the do_brk( ) function, using user-supplied address and length variables, the call does not check for integer overflows when adding the variables, according to an analysis of the problem by Symantec Corp., based in Cupertino, Calif.
According to Symantec, this weakness would allow any local user with shell-level access to the system to escalate his privileges to root. This would allow the attacker to perform just about any task he chose on the machine. Symantec warned that the new flaw could be combined with any number of remote vulnerabilities to allow remote attackers to gain root access, as well.
RedHat Inc. and the Debian Project, both have released advisories warning customers of the issue and providing information on fixes. A slew of products from other vendors, including, MandrakeSoft S.A., SuSE Linux AG and Caldera International Inc., also are vulnerable.
According to Symantecs analysis, the exploit that the attacker used to compromise the Debian servers is not publicly available, but is apparently circulating in the cracker underground.
(Editors Note: This story has been updated since its original posting to include new information pertaining to the vulnerability.)