Privilege escalation flaw puts millions of devices at risk

Jan 19, 2016 13:45 GMT

Security researchers from Perception Point have uncovered a new zero-day in the Linux kernel that affects both the Linux operating system and the Android mobile OS. Successful exploitation of this flaw (CVE-2016-0728) gives attackers root access to the impacted devices.

According to the researchers who discovered it, the zero-day is a local privilege escalation vulnerability in the Linux kernel that originates from a reference leak in the keyring facility.

The Linux keyring facility stores login information in an encrypted format, making it available to other applications and drivers when they need it.

The zero-day resides in the Linux keyring utility

As Perception Point developers explain, the keyring feature also gives applications the extra option of tinkering with cryptographic keys and even replacing them when needed.

This process can be hijacked: an attacker who abuses this unnecessary feature can fool the keyring facility into executing malicious code in the kernel.

The researchers have informed the Linux kernel team, which will be deploying patches in the coming days. Proof-of-concept code is also available on GitHub.

Zero-day existed in the kernel since 2012

The vulnerability was introduced in the Linux kernel in 2012. Any Linux PC running version 3.8 or higher of the Linux kernel is vulnerable, regardless of whether it's a 32-bit or 64-bit architecture.

All Android devices running KitKat or higher are also affected, which currently account for about two-thirds of the Android ecosystem. The zero-day also affects Android devices because Google built the Android OS on top of an older version of the Linux kernel.

Linux systems with SMEP (Supervisor Mode Execution Protection) and SMAP (Supervisor Mode Access Protection) enabled make exploiting this vulnerability a lot more difficult. The same is true of Android devices with SELinux.
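The exposure indicators named in the two paragraphs above (kernel 3.8 or higher, SMEP/SMAP, SELinux) can be gathered with a small triage script. This is an added example, not code from the article or from Perception Point; it assumes a Linux host with /proc/cpuinfo and, optionally, getenforce, and it only reports indicators: a distribution kernel that backports the fix can still report a version in range.

```shell
#!/bin/sh
# Added triage check (not from the article or Perception Point): reports the
# exposure indicators the article names for CVE-2016-0728. It does not test
# the bug itself, and a distro kernel that backports the fix may still report
# a version in the "3.8 or higher" range, so treat the output as a hint only.

# Return 0 if kernel release string $1 (e.g. "4.2.0-27-generic") is >= 3.8.
kernel_at_least_3_8() {
    major=$(printf '%s' "${1%%.*}" | sed 's/[^0-9].*//')
    minor=$(printf '%s' "${1#*.}" | sed 's/[^0-9].*//')
    [ -n "$major" ] || major=0
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; then return 0; fi
    return 1
}

# Return 0 if the space-separated CPU flag list $1 contains the word $2.
has_cpu_flag() {
    printf ' %s ' "$1" | grep -q " $2 "
}

# Build a one-line verdict from a kernel release ($1), a /proc/cpuinfo
# "flags" line ($2) and the SELinux mode as printed by getenforce ($3).
triage() {
    if kernel_at_least_3_8 "$1"; then kern="kernel-in-range"; else kern="kernel-pre-3.8"; fi
    if has_cpu_flag "$2" smep && has_cpu_flag "$2" smap; then
        mit="smep+smap"
    elif has_cpu_flag "$2" smep; then
        mit="smep-only"
    else
        mit="no-smep-smap"
    fi
    printf '%s %s selinux=%s\n' "$kern" "$mit" "$3"
}

# Live run on the current host; each probe degrades to an empty or "none"
# value where its source is unavailable (non-x86 CPU, no SELinux tools).
live_flags=$(awk '/^flags/ { print; exit }' /proc/cpuinfo 2>/dev/null || true)
live_sel=$(getenforce 2>/dev/null || echo none)
triage "$(uname -r)" "$live_flags" "$live_sel"
```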

At the rate smartphone manufacturers and mobile carriers deploy security updates for their devices, this zero-day is probably not going away any time soon. Things should move along faster on desktops, where most Linux distributions come with an automatic update feature.