A critical vulnerability in the Linux kernel that gives attackers access to root via X server has been patched by Linus Torvalds, says an industry report. Meanwhile, kernel developer James Morris reports on last week's Linux Security Summit (LSS), which covered topics including mobile and MeeGo security, usability issues, hardening the kernel, and Linux security API standardization.

Linux folk have long shown an almost smug — if for the most part justified — confidence in the superior security of their operating system, especially compared to Windows. Yet, as Linux takes on a greater role, especially in the server and mobile device worlds, the threat of malicious attacks grows larger.

Now, it turns out, Linux may not be quite as secure as we thought.

A "highly dangerous" privilege escalation vulnerability that would permit an attacker to execute arbitrary code as root from any GUI application via X server, was recently patched in the Linux kernel, writes Lucia Constantin on Softpedia. The flaw, which affects both x86_32 and x86_64 platforms, is said to have been present since the release of Linux 2.6.0.

The vulnerability was discovered by Rafal Wojtczuk, principal researcher at Polish security research firm Invisible Things Lab (ITL), and was first reported to the X.org security team in June.

As described by ITL founder Joanna Rutkowska in a blog post yesterday. Wojtczuk uncovered the vulnerability when he was working on a GUI virtualization project in ITL's own Qubes OS, an operating system that runs each application in a separate virtual machine.

A potential attack on the vulnerability would give an unprivileged user process access to X server, enabling any GUI application to unconditionally escalate to root, writes Rutkowska. An attack would not actually take advantage of any bug in X server, but rather takes advantage of communications flow between any GUI application, such as a sandboxed PDF viewer, and X server, explains Rutkowska.

A malicious PDF document could "bypass all the Linux fancy security mechanisms, and escalate to root, and compromise the whole system," she adds. 

On 13 August, Linus Torvalds (pictured) implemented an initial fix for the problem, and several patches have been added since then for kernel versions 2.6.27.52, 2.6.32.19, 2.6.34.4, and 2.6.35.2. Meanwhile, a Red Hat security advisory gave the bug a "high" severity rating, reports Rutkowska.

Yesterday, Wojtczuk published a paper on the flaw named, "Exploiting large memory management vulnerabilities in Xorg server running on Linux."

The vulnerability demonstrated the challenges of letting applications securely communicate with the GUI layer (via the X server in case of Linux), writes Rutkowska. This process "usually involves a very fat GUI protocol (think X protocol, or Win32 GUI API) and a very complex GUI server," she adds.

In her blog entry, Rutkowska also slips in a pitch for Qubes, which she says "is much more secure than other sandboxing mechanisms, such as BSD jails, or SELinux-based sandboxes." Qubes not only eliminates kernel-level exploits, but also "dramatically slims down GUI-level attacks," she claims.

Linux Security Summit tackles mobile security, usability issues

Linux kernel developer James Morris used a Namei.org to report on the first annual Linux Security Summit (LSS), which was held Monday, Aug. 9, in Boston, a day before the start of LinuxCon 2010.

The event sought to bring in members of the end-user community, as well as developers and security experts. Fewer end-users than expected joined the approximately 70 attendees, yet the first LSS was "a very productive and collaborative event," writes Morris.

Z. Cliffe Schreuders speaking on security usability at the LSS

Mobile security was one of the core issues discussed at the summit, "with the year of the Linux desktop now apparently permanently canceled due to smartphones and similar devices," writes Morris.

In particular, MeeGo developers discussed their progress on the MeeGo Security Framework, he adds. In the area of network device security, meanwhile, Stephen Hemminger of Vyatta presented on the topic of integrating security into a router, writes Morris.

Security usability was said to be the topic of several presentations, including a talk on high-level policy language work by Josh Brindle (Lolpolicy). Z. Cliffe Schreuders, meanwhile, spoke on his FBAC-LSM usability research project (see image above).

The issue of core kernel security also drew a lot of attention, although it does not appear that ITL's discovery of the GUI vulnerability was publicly discussed. Brad Spengler spoke on his experiences developing grsecurity, and there was said to be much discussion of some central challenges posed by Linux security.

As Morris, puts it, "As most of our protection mechanisms operate within the kernel, attacks on the kernel can render these mechanisms useless, so it is important to try and harden the kernel as much as possible."

According to Morris, some other challenges with implementing kernel security include core kernel developers who are not always receptive to enhanced security, as well as proposed solutions that are often not technically acceptable to upstream developers. In addition, there is limited security expertise in upstream projects, he adds.

Standardized Linux security APIs? Don't hold your breath

The LSS featured an opening panel discussion on the viability of developing a standard set of Linux security APIs. However, the general consensus was that there were too many fundamentally different security models to develop a set of security APIs such as one might find in a proprietary OS, writes Morris.

Other LSS discussions included sessions on "Out of Tree" security features, EVM (Extended Verification Module), security management, SELinux Sandbox, and SSSD.

The Linux Security Summit has its roots in the Linux security development community, which emerged with the development of the LSM (Linux Security Modules) framework, writes Morris. It is also said to build upon events such as the SELinux Symposium, as well as mini-summits at LCA (Linux.conf.au) events held in 2008 and 2009, and a double security track at the 2009 Linux Plumbers Conference.

Availability

The blog posting by ITL's Joanna Rutkowska on the repaired Linux vulnerability may be found here, and the Softpedia report should be here.

The blog report by James Morris on the first Linux Security Summit, complete with links to presentations, may be found here.

---

This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.