
So, about that Copy Fail!

Note: Spots is at her tech soapbox again! Better wait for the cool article coming tomorrow if you aren’t interested in all this silly code stuff (or just scroll to the end).

There’s a new vulnerability that was discovered in the Linux kernel, and perhaps the worst bit is that it isn’t new. It affects pretty much any kernel with the default configuration for the past 9 years. This is distro-agnostic; I’ve successfully run this exploit on every distribution I use (pre-update). And it is making me feel feelings that I do not like feeling, so I’m going to blog about them.

What of the phones?

One of the big issues that I’ve noted in communities ranging anywhere from LineageOS and GrapheneOS to postmarketOS is that most phones still use their vendor kernels. As in, the same kernel that was shipped with the device. As in, a kernel definitely not patched against this exploit. And since this is rooted in IPsec functionality – I’ll get to that later – pretty much any phone kernel is going to have that enabled so it can connect to a VPN.

I suppose it’s now more critical than ever to try to get Your Favourite Phone mainlined, because running an outdated kernel has just become incredibly dangerous. With this exploit out in the wild, any RCE into an unprivileged process is now direct-to-root: the attacker doesn’t need a second bug to escalate, just a local shell on an unpatched kernel.

One of the worst parts about this is that the patch that fixes it is, from all of my understanding and reading, not one that is easily backported. That means it’s going to be a tall task to fix on these vendor kernels unless you are able to build a custom kernel yourself and disable the IPsec support in its configuration. Doesn’t sound entirely unreasonable, I suppose, unless you actually need it, since a kernel without IPsec is a kernel that can’t do IPsec VPNs…
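A quick triage script for the two questions this raises about a given device, as an added example and not code from the original post: is the kernel version in the range the post describes as affected (4.14 and newer), and does its build configuration carry IPsec support at all. The Kconfig symbols it looks for (CONFIG_INET_ESP, CONFIG_INET_AH, CONFIG_INET6_ESP, CONFIG_INET6_AH, CONFIG_XFRM_USER) are my assumption of what “IPsec support” means in a VPN-capable build, and the sample config it ships with is constructed, not a real vendor config. A kernel that is in range with IPsec enabled is “possibly affected”, nothing more; whether the vendor actually applied the fix cannot be read from a version number or a config file.

```shell
#!/bin/sh
# Added example (not from the original post). Triage helpers for an
# outdated kernel: version range check plus a look at the build config
# for IPsec-related options. Assumptions are marked as such.

# kver_ge VERSION MAJOR.MINOR -> exit 0 if VERSION >= MAJOR.MINOR.
# Accepts uname -r style strings such as "6.8.0-45-generic" or "5.10-rc1".
kver_ge() {
    v=$1; want=$2
    v_major=${v%%.*}
    if [ "$v_major" = "$v" ]; then
        v_minor=0                  # bare "6" -> 6.0
    else
        v_rest=${v#*.}
        v_minor=${v_rest%%.*}
    fi
    v_major=${v_major%%[!0-9]*}    # strip any trailing junk
    v_minor=${v_minor%%[!0-9]*}    # "10-rc1" -> "10"
    : "${v_major:=0}" "${v_minor:=0}"
    w_major=${want%%.*}
    w_minor=${want#*.}
    [ "$v_major" -gt "$w_major" ] && return 0
    [ "$v_major" -eq "$w_major" ] && [ "$v_minor" -ge "$w_minor" ]
}

# Assumption: these symbols are what "IPsec support" means for a VPN-capable
# build. ESP/AH are the IPsec protocols themselves; XFRM_USER is the netlink
# interface that IKE daemons and VPN clients use to install SAs and policies.
IPSEC_SYMBOLS="CONFIG_INET_ESP CONFIG_INET_AH CONFIG_INET6_ESP CONFIG_INET6_AH CONFIG_XFRM_USER"

# read_config FILE -> config text on stdout; handles /proc/config.gz style .gz
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# ipsec_enabled_symbols FILE -> one "SYMBOL=y" or "SYMBOL=m" line per enabled symbol
ipsec_enabled_symbols() {
    cfg=$(read_config "$1")
    for sym in $IPSEC_SYMBOLS; do
        printf '%s\n' "$cfg" | sed -n "/^$sym=[ym]\$/p"
    done
}

# ipsec_enabled FILE -> exit 0 if any IPsec symbol is built in or a module
ipsec_enabled() {
    [ -n "$(ipsec_enabled_symbols "$1")" ]
}

# assess_kernel VERSION CONFIG_FILE -> prints a one-line verdict; exit 0 means
# "possibly affected" (in range and IPsec enabled), 1 otherwise.
assess_kernel() {
    ver=$1; cfg=$2
    if ! kver_ge "$ver" 4.14; then
        echo "$ver: older than 4.14, outside the range described as affected"
        return 1
    fi
    if ipsec_enabled "$cfg"; then
        echo "$ver: in range and IPsec enabled ($(ipsec_enabled_symbols "$cfg" | tr '\n' ' ')), possibly affected: check the vendor's patch status"
        return 0
    fi
    echo "$ver: in range but IPsec disabled in this config"
    return 1
}

# assess_running_kernel: same check against the live kernel. /proc/config.gz
# and /boot/config-$(uname -r) are the usual places for the config, but a
# vendor phone kernel may expose neither.
assess_running_kernel() {
    ver=$(uname -r)
    for cfg in /proc/config.gz "/boot/config-$ver"; do
        if [ -r "$cfg" ]; then
            assess_kernel "$ver" "$cfg"
            return $?
        fi
    done
    echo "$ver: no kernel config found to inspect"
    return 2
}

# write_sample_config FILE: constructed sample resembling a VPN-capable
# phone config (not a real vendor config), used for the stand-alone demo.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_INET_ESP=m
# CONFIG_INET_AH is not set
CONFIG_INET6_ESP=y
# CONFIG_INET6_AH is not set
EOF
}

# Run against the live kernel when executed directly with --running.
if [ "${1:-}" = "--running" ]; then
    assess_running_kernel
fi
```

Usage: `sh triage.sh --running` for the kernel you are on, or `assess_kernel 4.9.337 /path/to/vendor.config` after sourcing the file to check an extracted vendor config against a device’s `uname -r`. Note that a `=m` result only tells you the module exists; on a running system `lsmod` (or the module being auto-loaded by a VPN client) decides whether the code is actually resident.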

Finally a valid reason to dismiss old kernel versions out of paw

There have been a lot of people over the years who have asked me to package very old kernel versions for the Adélie Linux distribution. This is typically because “{random thing} worked great on this kernel”. I’ve always said that it was unwise to do this, and instead they should file a bug or start a thread or something with the kernel people.

Well, now I have a very hard security reason to never package old kernel versions. Note that of course this doesn’t include older LTS series kernels, which will have received patches (hopefully?) against this and other CVEs. I’m speaking of completely random, non-LTS releases. A very popular request at least used to be kernel 4.3, because it was apparently the last release that people used with user-mode setting on old Radeon cards. The problem is, we don’t ship the versions of Mesa or Xorg that would be able to use this!

But it was always so difficult to explain to people why I don’t feel comfortable packaging old kernels. Really, it’s because it gives no incentive to fix regressions or bugs – it makes complacency a feature when it should be a defect. But since no one cares about that, now it can also be a security decision!

do not @ me about the fact this CVE only goes back to 4.14.

We are going to see this for years to come

The number of Linux devices in the wild will boggle anyone’s mind. Virtually every digital TV set top box is running Linux. A significant number of cable modems are running Linux. Every Android phone ever made is running Linux. Digital signage runs Linux. Many smart TVs run Linux including all Android TV and Tizen TV models. Not to mention all the servers.

I don’t know how reliable this data is, but I found a report that stated Linux runs 64% of all servers. That means the vast majority of every database, Web site, phone bank, “smart thing” control system, you name it, is running Linux.

And I would bet “mansion in Islington” money on the fact that they are not all going to be patched. Part of it will be due to negligence – an IT team being unaware of a server on their network, an innocent consumer that didn’t know their “Thing” needed an update. Part of it will be due to not having good (or any) plans regarding updates and lifecycle management.

Make no mistake. We are going to see massive data thefts, crippling outages, and losses that will make your eyes water. And it will be because someone somewhere either didn’t take this seriously or didn’t know they needed to.

Closing thoughts

I have no way to close this article out on a positive note. Here’s a photo of a Dalmatian with a heart shaped nose, which the Internet has promised me is CC BY-NC-SA, courtesy of @hi.wiley:

A Dalmatian dog with a heart-shaped nose.  (Not artwork nor AI generated; a real pupper.)
Wiley, a Dalmatian dog (originally from Oklahoma!) who has spots that make a heart shape on his nose.

That’s pretty much the only way I can make this better.
