Vulnerability allows restricted users and apps to gain unfettered root access.

For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.

The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can’t be accessed by other apps. According to a blog post published Tuesday, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that’s executed by the kernel.

The vulnerability is notable because it’s exploitable in a wide array of settings. On servers, people with local access can exploit it to achieve complete root access. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions. It can also be exploited on devices and appliances running embedded versions of Linux. While security mitigations such as supervisor mode access prevention (SMAP) and supervisor mode execution protection (SMEP) are available for many servers, and the Security-Enhanced Linux (SELinux) policy built into Android can make exploits harder, there are still ways to bypass those protections.
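As an added triage example (not code from Perception Point, the kernel project, or this article), the Python below checks the three facts the paragraph above hinges on: whether the running kernel is at or above the 3.8 release that introduced the bug, whether the CPU advertises SMEP and SMAP, and whether SELinux is enforcing. It assumes an x86-style /proc/cpuinfo layout and cannot distinguish a distribution's backported fix from an unpatched kernel, so a 3.8+ result means "check the vendor advisory for CVE-2016-0728", not "vulnerable".

```python
"""Triage helper for CVE-2016-0728 (Linux keyring privilege escalation).

Added example; not the researchers' or the kernel's own code. Version alone
cannot prove a kernel is patched (distributions backport fixes), so the
result is only a prompt to consult the vendor advisory.
"""
import re

INTRODUCED_IN = (3, 8)  # kernel release that introduced the bug (per the article)


def parse_kernel_version(release):
    """Turn a uname -r string such as '3.13.0-35-generic' into (3, 13, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x or 0) for x in m.groups())


def potentially_affected(release):
    """True when the kernel is at or above the release that introduced the bug."""
    return parse_kernel_version(release)[:2] >= INTRODUCED_IN


def cpu_mitigations(cpuinfo_text):
    """Report whether the CPU 'flags' line (x86 layout assumed) lists SMEP and SMAP."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags.update(line.split(":", 1)[1].split())
            break  # one CPU is enough; the flags are the same across cores
    return {"smep": "smep" in flags, "smap": "smap" in flags}


def triage(release, cpuinfo_text, selinux_enforce):
    """Combine the checks into a short report dict for an admin to act on."""
    report = {"kernel": release,
              "potentially_affected": potentially_affected(release),
              "selinux_enforcing": selinux_enforce == "1"}
    report.update(cpu_mitigations(cpuinfo_text))
    return report


if __name__ == "__main__":
    import os
    cpuinfo = open("/proc/cpuinfo").read() if os.path.exists("/proc/cpuinfo") else ""
    try:
        enforce = open("/sys/fs/selinux/enforce").read().strip()
    except OSError:
        enforce = "absent"  # SELinux not mounted or not built in
    for key, value in triage(os.uname().release, cpuinfo, enforce).items():
        print("%-22s %s" % (key, value))
```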

Update, Jan. 20, 1:48 PST: In a post published a day after this post went live, Google said company researchers don’t believe any Android devices are vulnerable to exploits by third-party applications. It also said researchers believe that the number of Android devices affected is “significantly smaller than initially reported.” Google will nonetheless issue an update in March that patches the vulnerability.

“As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets),” Perception Point researchers wrote. “While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.”

While malware distributors have focused most of their resources over the years on infecting computers running Microsoft Windows, they have put increased focus on attacking competing OSes. In 2014, for instance, researchers uncovered a powerful Linux trojan that may have remained undetected for years as it siphoned sensitive data from government agencies and pharmaceutical companies. A vulnerability like the one reported by Perception Point can be the means for surreptitiously installing such malware. The bug is indexed as CVE-2016-0728. Major Linux distributions are expected to make fixes available as early as Tuesday.