Kernel bug allows full takeover of Linux devices
Researchers discovered a serious vulnerability in the Linux operating system kernel that could allow attackers to take full control of Linux devices, including PCs, Android phones and servers. The bug, dubbed CVE-2016-0728, involves the keyring facility used to retain security data encryption information in the kernel.
The vulnerability was discovered by researchers at Perception Point and allows a use-after-free exploit that they said was introduced with Linux kernel version 3.8 in February 2013. “As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices,” Perception Point wrote in a blog post.
A patch for the vulnerability “should already be in preparation for Linux distributions,” according to a statement published on Linux.com.
Perception Point stated that the team has not observed any exploits targeting the vulnerability in the wild, but recommend that “security teams examine potentially affected devices and implement patches as soon as possible”.