A zero-day vulnerability in the Linux kernel puts "tens of millions" of PCs and servers, and roughly two-thirds of all Android devices, at risk, according to security researchers
The CVE-2016-0728 flaw was uncovered by a security research team at Perception Point, and is a local privilege escalation vulnerability that could be used to gain root access to devices. It has reportedly existed in the code since 2012.
The fault affects Linux kernel version 3.8 on 32-bit and 64-bit systems, and extends to Android KitKat versions 4.4 and higher.
Perception Point explained that the problem stems from a memory leak vulnerability in the Linux keyring facility that manages key security data, authentication details and encryption keys. The researchers said that the flaw could be exploited to expose this cached sensitive information.
"Even though the bug itself can directly cause a memory leak, it has far more serious consequences," the research team said in a blog post.
Perception Point's proof-of-concept demonstrates how unauthorised users can gain escalated privileged root access to the targeted device.
"It's pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine. With no auto update for the kernel, these versions could be vulnerable for a long time. Every Linux server needs to be patched as soon the patch is out," Yevgeny Pats, co-founder and CEO of Perception Point, told Threat Post.
The flaw could allow a malware-ridden application on Android-based smartphones, for example, to break out of the standard security sandbox to overtake vital operating system functions.
There is no evidence that the vulnerability has been exploited in the wild.
Perception Point has created a "simple" fix for the vulnerability, but the usual problems with the open source Google ecosystem mean that not all manufacturers will provide automatic or forced updates.
This would leave a large number of Android devices vulnerable to the exploit, especially older handsets that are no longer supported with security patches.
V3 contacted Google for comment but had received no reply at the time of publication.
Linux security teams have patches rolling out, as do other Linux distributions such as Suse Linux Enterprise. Red Hat has already released a fix.
Perception Point has published an in-depth technical analysis of the vulnerability and how to exploit it, and has published the proof-of-concept code on GitHub.
Intel wants to get inside your car, despite missing out on mobile
'We'll keep fighting to fight to keep the web free and open,' claim EFF
Breached in March by the same attackers, claim 'insiders'
And all for less than £150, according to Keith