The working dead: The security risks of outdated Linux kernels
- 06 March, 2017 08:30
Linux kernel security vulnerabilities are often in the headlines. Recently it was revealed a serious kernel vulnerability remained undiscovered for over a decade. But, what does this mean in a practical sense? Why is security of the Linux kernel important? And, what effects do vulnerabilities have on older or obsolete kernels that are persistent in many devices?
Linux is king
Without doubt, Linux-based operating systems are incredibly popular: Three-quarters of IoT devices run Linux; two-thirds of online servers; and 70 per cent of tablets are Android (modified Linux kernel) based — Linux is everywhere!
This is partly because Linux is open source and freely available, which makes it attractive to developers who pay no licensing fees. Linux is frequently included software development kits (SDKs) by electronic-chip manufacturers. This provides developers with a reference platform to work from, and demonstrates hardware capabilities.
With a reference development platform, manufacturers can simply pick up the operating system and SDK, compile their own applications and be ready to ship new product. Unfortunately, these ready-to-go examples and operating systems are often quite old and often no longer supported.
But, why are older kernels such a problem? Who cares if your IoT toaster, or your car’s entertainment system isn’t cutting edge — right?
In a research paper from 2015, we found that three quarters of home and small-office Internet routers were running firmware with obsolete Linux kernels. Most of these were un-patched against many vulnerabilities — that is, they were susceptible to exploitation.
So, let’s take a dive in to the basics of the Linux kernel, why it’s important, and what it does. We’ll have a look at what happens when your kernel is no longer supported, and why ageing kernels can be a serious problem for device and network security.
Kernels, kernels everywhere!
It’s easy to forget that fully fledged operating systems are not confined to your desktop computers and servers; operating systems are everywhere. Most of us take for granted that our car’s satellite navigation system just works, our Internet connected fridge can email us, and inflight entertainment systems don’t crash while we’re watching Keeping Up with the Kardashians.
Even though your router only has a web interface and a few blinken-lights, and your IoT children’s toy sings lullabies (while spying on your kids), they have many things in common. They all run an operating system, there’s a good chance those operating systems are Linux based. Nearly all of these devices can run other software applications that can do just about anything.
The heart of your operating system
At the heart of your device’s operating system is the kernel. It’s the gatekeeper that controls everything. It manages hardware, user permissions, privileges, memory, software and interfaces. It’s the core of your operating system, and it’s critical that it’s secure.
The kernel is there to make things easy. It makes interactions between components more abstract, which means software developers don’t need to know about the inner workings of hardware or RAM to be able to create software that writes to a file, for example.
Say I’m a programmer and I want to save a text file, in just about every programming language the process is similar:
Open “cheesecake recipe.txt” for writing
Take cheesecake recipe from memory and shove it into the file
Close “cheesecake recipe.txt”
What happens behind the scenes is actually very complicated. If you think about the actual instructions the CPU is executing and all of the device interactions it’s insanely, ridiculously, stupidly complicated. There are entire textbooks devoted to kernel drivers and university courses that take entire semesters to superficially explain operating systems.
In our example, the process of writing a file involves kernel parts and drivers that manage memory allocation, file-system structures, hard disk drivers, character drivers, block drivers, chipset drivers, (the list goes on). The kernel manages all of these interactions so that programmers can conveniently open a file and save their cheesecake recipes.
If any of these kernel components is faulty, it could provide a foothold for hackers to breach your system. For example, if a file-system driver can’t handle extremely long filenames, hackers could potentially use that vulnerability to exploit the system.
Many security factors come in to play, when a part inside the kernel has a bug. Suddenly, your entire operating system and device could be vulnerable to exploitation because of a seemingly insignificant problem.
Kernel versions and fixing bugs
There’s no ‘one’ Linux kernel; the kernel is just a piece of software and like any other software application it has many versions. In fact, there are dozens of official Linux kernel versions and bazillions of unofficial ones. Being open source also means that any device engineer, programmer, or amateur hack can download it, fiddle with it and build their own custom version.
If you check the list you’ll see the Linux kernel has a numbering scheme just like most other software. It has a kernel version, major version, minor version, and a patch version. It can also have other letters and numbers that are often used to identify beta or release candidates and custom-built kernels.
To build a Linux kernel, the process is not particularly difficult. A determined amateur could (software gods permitting) compile a Linux kernel from source after a few hours of reading instructions, a little swearing and a lot of coffee.
Unfortunately, it’s this easy access that opens the door to vulnerabilities and configuration problems.
Kernel vulnerabilitiesJust like any software, the kernel is also susceptible to bugs. A common “Long Term Support” kernel version is 2.6.32, which can be found in everything from Internet routers, IoT devices and maybe even in the entertainment system on certain BMWs.
A quick vulnerability search on Linux kernel 2.6.32 currently shows 182 known vulnerabilities. Dozens of them are pretty serious.
First of all, don’t panic; these vulnerabilities don’t always apply to all kernel configurations. For example, if your device does not use Bluetooth, then a vulnerability in a Bluetooth component probably doesn’t affect you (though sometimes it’s hard to know how kernel components interact).
Another thing to keep in mind is which kernel versions are patched against a known vulnerability. For example, a vulnerability was found in a Linux network driver component related to L2TP. But, if we scroll down through the list of affected kernel versions we see that 220.127.116.11 is the last version that was vulnerable. This means users of officially maintained Linux kernel 18.104.22.168 and above are probably in the clear.
With both of these examples, affected kernels will need to be updated. But, what happens with the 2.6.32 kernel we’ve been looking at? It has been officially declared “End of Life”. This means that it’s no longer supported; the last official update came in mid 2016.
Consider for a moment, what does end-of-life mean for new vulnerabilities that are uncovered? The Linux community can’t keep updating old kernels indefinitely, so most likely the vulnerability will never be fixed.
In this case, the responsibility for updating the kernel falls back to the device manufacturer. But, manually patching kernels against specific bugs is much more complicated than simply downloading the latest supported version.
Some manufacturers subscribe to 3rd party services that provide kernel patches, while others might apply fixes themselves.
Or as we found, most devices simply won’t get updated, even your brand new router that you purchased last week could be running a kernel that’s obsolete with known flaws.
For this article I thought I’d do a quick spot-check on router kernel versions. I grabbed four firmware images from current models. Three of the four had obsolete kernels; one had a kernel from 2009; and the newest kernel (on a newly released device) was up-to-date but its kernel version is due to be discontinued next month.
Kernel versions matter! Because the kernel is the heart of your operating system, it manages everything including hardware, memory, applications and user privileges. If your kernel has a vulnerability, your device may be exploitable. Kernel vulnerabilities are discovered frequently, but only current kernel versions are being actively updated and fixed.
When it comes to devices, manufacturers and developers are ultimately responsible for providing a secure, well maintained operating system. Recently technology giant ASUS settled a dispute with the US Federal Trade Commission over insecure routers and cloud services. For many manufacturers the message doesn’t seem to have sunk in yet. It might take more legal action or even legislation to force manufacturers to take device security seriously.
With the explosion of Internet connected things, it’s incumbent on everyone in the technology industry to keep their eye on security. Rolling out a new bit of exciting tech, with an obsolete kernel and known vulnerabilities is quite simply, negligent.
Nikolai Hampton holds a Master's Degree in Cyber Security and is a director of Impression Research. He consults on matters of privacy, security, digital forensics, and incident response. His focus is on the correct application of cryptography. He is passionate about educating business on complex security issues. Follow Nikolai on Twitter: @NikolaiHampton