Security Fix Released to a Linux Bug First Discovered Two Years Ago
A critical security vulnerability in Linux kernel that was first discovered over two years ago has now been patched. The bug could be exploited for privilege escalation and affects all Linux distros that hadn't fixed their long-term kernels after a commit that was released on April 14, 2015.
When it was first discovered by Michael Davidson, a security researcher at Google, back in 2015, the bug wasn't categorized as a security threat. Now, security team at Qualys says that "all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable."
Linux bug discovered two years ago has been reclassified as a security issue
At the time of its initial discovery, it was believed that the bug would just cause a memory crash, however, Qualys has now discovered that "an unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system."
While the bug did receive a patch back in 2015, it wasn't believed if it could be used as an attack vector. Because of that, the fixes weren't sent to many Linux Long-Term Releases. Linux LTS releases deployed in enterprise usually only receive updates that are classified as security issue. While the bug, tracked as CVE-2017-1000253, doesn't affect normal Linux users who are running a recent kernel, it does affect critical server systems on older versions who could be vulnerable to this security bug.
"Linux distributions that have not patched their long-term kernels with
https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015) are vulnerable to CVE-2017-1000253, a Local Privilege Escalation," today's advisory reads.
Getting a severity score of 7.8 out of 10, multiple distros, including Debian and Red Hat, are now issuing patches to this security vulnerability for LTS versions that are using an older kernel branch.
Fo more details on this issue, visit Qualys' advisory issued earlier today.