How To Patch and Protect Linux Kernel Zero Day Vulnerability CVE-2016-0728 [ 19/Jan/2016 ]

January 19, 2016February 18, 2016in CentOS, Debian / Ubuntu, Linux, RedHat and Friends, Security, Suse last updated February 18, 2016

A very serious security problem has been found in the Linux kernel. A 0-day local privilege escalation vulnerability has existed since 2012. This bug affects millions of Android or Linux applications to escalate privileges. Any server or desktop (32 or 64 bit) with Linux Kernel version 3.8+ is vulnerable. How do I fix this problem?

What is CVE-2016-0728 bug?

As per the original research post:

CVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, letâ€™s cover some background required to understand the bug. It can successfully escalates privileges from a local user to root.

A list of affected Linux distros

Is my Linux distro version affected by CVE-2016-0728? The “Possible use-after-free vulnerability in keyring facility, CVE-2016-0728” are as follows:

Red Hat Enterprise Linux 7
CentOS Linux 7
Scientific Linux 7
Debian Linux stable 8.x (jessie)
Debian Linux testing 9.x (stretch)
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Workstation Extension 12
SUSE Linux Enterprise Workstation Extension 12 SP1
Ubuntu Linux 14.04 LTS (Trusty Tahr)
Ubuntu Linux 15.04 (Vivid Vervet)
Ubuntu Linux 15.10 (Wily Werewolf)
Opensuse Linux LEAP 42.x and version 13.x
Oracle Linux 7

How do I fix CVE-2016-0728 on Linux?

Type the commands as per your Linux distro. You need to reboot the box. Before you apply patch, note down your current kernel version:
$ uname -a $ uname -mrs
Sample outputs:

Linux 3.13.0-74-generic x86_64

Debian or Ubuntu Linux

$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  git-man liberror-perl
Use 'apt-get autoremove' to remove them.
The following NEW packages will be installed:
  linux-headers-3.13.0-76 linux-headers-3.13.0-76-generic
  linux-image-3.13.0-76-generic linux-image-extra-3.13.0-76-generic
The following packages will be upgraded:
  linux-generic linux-headers-generic linux-image-generic
3 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 61.6 MB of archives.
After this operation, 271 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://security.ubuntu.com/ubuntu/ trusty-security/main linux-image-3.13.0-76-generic amd64 3.13.0-76.120 [15.2 MB]
Get:2 http://security.ubuntu.com/ubuntu/ trusty-security/main linux-image-extra-3.13.0-76-generic amd64 3.13.0-76.120 [36.8 MB]
Get:3 http://security.ubuntu.com/ubuntu/ trusty-security/main linux-generic amd64 3.13.0.76.82 [1,780 B]
....
...
.....
Setting up linux-image-extra-3.13.0-76-generic (3.13.0-76.120) ...
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 3.13.0-76-generic /boot/vmlinuz-3.13.0-76-generic
run-parts: executing /etc/kernel/postinst.d/dkms 3.13.0-76-generic /boot/vmlinuz-3.13.0-76-generic
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 3.13.0-76-generic /boot/vmlinuz-3.13.0-76-generic
update-initramfs: Generating /boot/initrd.img-3.13.0-76-generic
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 3.13.0-76-generic /boot/vmlinuz-3.13.0-76-generic
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.13.0-76-generic
Found initrd image: /boot/initrd.img-3.13.0-76-generic
Found linux image: /boot/vmlinuz-3.13.0-74-generic
Found initrd image: /boot/initrd.img-3.13.0-74-generic
  No volume groups found
done
Setting up linux-image-generic (3.13.0.76.82) ...
Setting up linux-headers-3.13.0-76 (3.13.0-76.120) ...
Setting up linux-headers-3.13.0-76-generic (3.13.0-76.120) ...
Examining /etc/kernel/header_postinst.d.
run-parts: executing /etc/kernel/header_postinst.d/dkms 3.13.0-76-generic /boot/vmlinuz-3.13.0-76-generic
Setting up linux-headers-generic (3.13.0.76.82) ...
Setting up linux-generic (3.13.0.76.82) ...

Reboot the server:
$ sudo reboot

RHEL / CentOS Linux

$ sudo yum update $ sudo reboot
Sample outputs:

Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: mirrors.hustunique.com
 * extras: centos.excellmedia.net
 * updates: centos.excellmedia.net
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-327.4.5.el7 will be installed
---> Package kernel-devel.x86_64 0:3.10.0-327.4.5.el7 will be installed
---> Package kernel-headers.x86_64 0:3.10.0-327.4.4.el7 will be updated
---> Package kernel-headers.x86_64 0:3.10.0-327.4.5.el7 will be an update
---> Package kernel-tools.x86_64 0:3.10.0-327.4.4.el7 will be updated
---> Package kernel-tools.x86_64 0:3.10.0-327.4.5.el7 will be an update
---> Package kernel-tools-libs.x86_64 0:3.10.0-327.4.4.el7 will be updated
---> Package kernel-tools-libs.x86_64 0:3.10.0-327.4.5.el7 will be an update
---> Package ntp.x86_64 0:4.2.6p5-22.el7.centos will be updated
---> Package ntp.x86_64 0:4.2.6p5-22.el7.centos.1 will be an update
---> Package ntpdate.x86_64 0:4.2.6p5-22.el7.centos will be updated
---> Package ntpdate.x86_64 0:4.2.6p5-22.el7.centos.1 will be an update
---> Package python-perf.x86_64 0:3.10.0-327.4.4.el7 will be updated
---> Package python-perf.x86_64 0:3.10.0-327.4.5.el7 will be an update
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-229.11.1.el7 will be erased
---> Package kernel-devel.x86_64 0:3.10.0-229.11.1.el7 will be erased
--> Finished Dependency Resolution
 
Dependencies Resolved
 
======================================================================
 Package            Arch    Version                   Repository
                                                                 Size
======================================================================
Installing:
 kernel             x86_64  3.10.0-327.4.5.el7        updates    33 M
 kernel-devel       x86_64  3.10.0-327.4.5.el7        updates    11 M
Updating:
 kernel-headers     x86_64  3.10.0-327.4.5.el7        updates   3.2 M
 kernel-tools       x86_64  3.10.0-327.4.5.el7        updates   2.4 M
 kernel-tools-libs  x86_64  3.10.0-327.4.5.el7        updates   2.3 M
 ntp                x86_64  4.2.6p5-22.el7.centos.1   updates   543 k
 ntpdate            x86_64  4.2.6p5-22.el7.centos.1   updates    84 k
 python-perf        x86_64  3.10.0-327.4.5.el7        updates   2.4 M
Removing:
 kernel             x86_64  3.10.0-229.11.1.el7       @updates  131 M
 kernel-devel       x86_64  3.10.0-229.11.1.el7       @updates   32 M
 
Transaction Summary
======================================================================
Install  2 Packages
Upgrade  6 Packages
Remove   2 Packages
 
Total download size: 55 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs reduced 11 M of updates to 4.6 M (57% saved)
(1/8): kernel-headers-3.10.0-327.4.5.el7.x86_64. | 3.2 MB   00:17     
(2/8): ntp-4.2.6p5-22.el7.centos.1.x86_64.rpm    | 543 kB   00:03     
(3/8): ntpdate-4.2.6p5-22.el7.centos.1.x86_64.rp |  84 kB   00:00   
...
...
....
Installed:
  kernel.x86_64 0:3.10.0-327.4.5.el7                                  
  kernel-devel.x86_64 0:3.10.0-327.4.5.el7                            
 
Updated:
  kernel-headers.x86_64 0:3.10.0-327.4.5.el7                          
  kernel-tools.x86_64 0:3.10.0-327.4.5.el7                            
  kernel-tools-libs.x86_64 0:3.10.0-327.4.5.el7                       
  ntp.x86_64 0:4.2.6p5-22.el7.centos.1                                
  ntpdate.x86_64 0:4.2.6p5-22.el7.centos.1                            
  python-perf.x86_64 0:3.10.0-327.4.5.el7                             
 
Complete!

Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: centos.excellmedia.net * epel: mirrors.hustunique.com * extras: centos.excellmedia.net * updates: centos.excellmedia.net Resolving Dependencies --> Running transaction check ---> Package kernel.x86_64 0:3.10.0-327.4.5.el7 will be installed ---> Package kernel-devel.x86_64 0:3.10.0-327.4.5.el7 will be installed ---> Package kernel-headers.x86_64 0:3.10.0-327.4.4.el7 will be updated ---> Package kernel-headers.x86_64 0:3.10.0-327.4.5.el7 will be an update ---> Package kernel-tools.x86_64 0:3.10.0-327.4.4.el7 will be updated ---> Package kernel-tools.x86_64 0:3.10.0-327.4.5.el7 will be an update ---> Package kernel-tools-libs.x86_64 0:3.10.0-327.4.4.el7 will be updated ---> Package kernel-tools-libs.x86_64 0:3.10.0-327.4.5.el7 will be an update ---> Package ntp.x86_64 0:4.2.6p5-22.el7.centos will be updated ---> Package ntp.x86_64 0:4.2.6p5-22.el7.centos.1 will be an update ---> Package ntpdate.x86_64 0:4.2.6p5-22.el7.centos will be updated ---> Package ntpdate.x86_64 0:4.2.6p5-22.el7.centos.1 will be an update ---> Package python-perf.x86_64 0:3.10.0-327.4.4.el7 will be updated ---> Package python-perf.x86_64 0:3.10.0-327.4.5.el7 will be an update --> Finished Dependency Resolution --> Running transaction check ---> Package kernel.x86_64 0:3.10.0-229.11.1.el7 will be erased ---> Package kernel-devel.x86_64 0:3.10.0-229.11.1.el7 will be erased --> Finished Dependency ResolutionDependencies Resolved====================================================================== Package Arch Version Repository Size ====================================================================== Installing: kernel x86_64 3.10.0-327.4.5.el7 updates 33 M kernel-devel x86_64 3.10.0-327.4.5.el7 updates 11 M Updating: kernel-headers x86_64 3.10.0-327.4.5.el7 updates 3.2 M kernel-tools x86_64 3.10.0-327.4.5.el7 updates 2.4 M kernel-tools-libs x86_64 3.10.0-327.4.5.el7 updates 2.3 M ntp x86_64 4.2.6p5-22.el7.centos.1 updates 543 k ntpdate x86_64 4.2.6p5-22.el7.centos.1 updates 84 k python-perf x86_64 3.10.0-327.4.5.el7 updates 2.4 M Removing: kernel x86_64 3.10.0-229.11.1.el7 @updates 131 M kernel-devel x86_64 3.10.0-229.11.1.el7 @updates 32 MTransaction Summary ====================================================================== Install 2 Packages Upgrade 6 Packages Remove 2 PackagesTotal download size: 55 M Is this ok [y/d/N]: y Downloading packages: Delta RPMs reduced 11 M of updates to 4.6 M (57% saved) (1/8): kernel-headers-3.10.0-327.4.5.el7.x86_64. | 3.2 MB 00:17 (2/8): ntp-4.2.6p5-22.el7.centos.1.x86_64.rpm | 543 kB 00:03 (3/8): ntpdate-4.2.6p5-22.el7.centos.1.x86_64.rp | 84 kB 00:00 ... ... .... Installed: kernel.x86_64 0:3.10.0-327.4.5.el7 kernel-devel.x86_64 0:3.10.0-327.4.5.el7Updated: kernel-headers.x86_64 0:3.10.0-327.4.5.el7 kernel-tools.x86_64 0:3.10.0-327.4.5.el7 kernel-tools-libs.x86_64 0:3.10.0-327.4.5.el7 ntp.x86_64 0:4.2.6p5-22.el7.centos.1 ntpdate.x86_64 0:4.2.6p5-22.el7.centos.1 python-perf.x86_64 0:3.10.0-327.4.5.el7Complete!

Suse Enterprise Linux or Opensuse Linux

To apply all needed patches to the system type:
# zypper patch # reboot
Or version specific info:

SUSE Linux Enterprise Workstation Extension 12-SP1

# zypper in -t patch SUSE-SLE-WE-12-SP1-2016-124=1

USE Linux Enterprise Software Development Kit 12-SP1

# zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-124=1

SUSE Linux Enterprise Server 12-SP1

# zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-124=1

SUSE Linux Enterprise Module for Public Cloud 12

# zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-124=1

SUSE Linux Enterprise Live Patching 12

# zypper in -t patch SUSE-SLE-Live-Patching-12-2016-124=1

SUSE Linux Enterprise Desktop 12-SP1

# zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-124=1
To bring your system up-to-date, run
# zypper patch && reboot

Verification

You need to make sure your version number changed:
$ uname -a $ uname -r $ uname -mrs
The version of the kernel a system is running can be confirmed with the uname command. A list of bug fixed kernel version is as follows:

Ubuntu Linux 14.04 LTS : 3.13.0-76 (package version 3.13.0-76.120)
Debian Linux 8.x : 3.16.0-4 (package version 3.16.7-ckt20-1+deb8u3)
SUSE Linux Enterprise Server 12 SP1 : 3.12.51-60.25.1
RHEL 7 : 3.10.0-327.4.5.el7.x86_64
CentOS 7 : Same as RHEL 7.

Trying out exploit code

You can try proof-of-concept code to find out if your kernel is secure or not. Use the wget command to grab the sample code:
$ wget https://gist.githubusercontent.com/PerceptionPointTeam/18b1e86d1c0f8531ff8f/raw/5a90e6f98de85f35708087620de73bed3bf16880/cve_2016_0728.c
Compile it as follows (make sure you install the gcc compiler and keyutils developers libraries):
$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
Run it as follows:
$ ./cve_2016_0728 PP_KEY
The full exploit which runs on kernel, takes about 30 minutes to run on Intel Core i7-5500 CPU:

Fig.01: CVE-2016-0728 point of concept exploit code

However, on patched system the exploit will fail:

References

ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

31 comment

KroKite says:
January 19, 2016 at 9:05 pm
Oh! Please update the code for Debian and Ubuntu . Provide only :-
sudo apt-get update
Don’t let user’s jump into upgrade if they are not willing too.
Reply Report comment
1. Vivek Gite says:
  January 20, 2016 at 7:58 am
  Thanks for the heads up. I’ve updated the page.
  Reply Report comment
P4 says:
January 19, 2016 at 9:08 pm
sysctl -w kernel/kptr_restrict=1 should do the job too.
Reply Report comment
BradErz says:
January 19, 2016 at 9:37 pm
Heya,
Which is the patched kernel version for CentOS7?
Maybe nice to include that in the post.
Reply Report comment
1. Hoezowie says:
  January 22, 2016 at 12:56 am
  What? Can’t read?
  RHEL / CentOS Linux
  The package will be released soon on both CentOS and RHEL 7
  Reply Report comment
Sympatiko says:
January 20, 2016 at 2:01 am
So it’s been there since 2012. It means most of the linux system exposed on the public has a high probability of being a bot.
Reply Report comment
1. Jeff says:
  January 20, 2016 at 12:10 pm
  Not likely. The vulnerability was discovered by Perception Point, and did not just appear live already in use. Today’s announcement almost certainly follows on the heels of a disclosure process that started 2 weeks ago. Critical vendors and operators have probably been patched for a while now.
  Reply Report comment
2. Jeff Palmer says:
  January 20, 2016 at 1:20 pm
  local exploit, so if you have a “linux system exposed on the public” does not necessarily mean a high probability..
  The attacker would need a local account first, so hopefully you’ve kept up on your other safe computing practices (security updates applied in reasonable time, firewalls/acls, etc)
  Reply Report comment
Jerry says:
January 20, 2016 at 3:46 am
CentOS 6 is also affected if you’re using Xen4CentOS.
Reply Report comment
knut says:
January 20, 2016 at 10:04 am
should’t it be
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
(3 x sudo ?)
Reply Report comment
1. Vivek Gite says:
  January 20, 2016 at 5:59 pm
  Yes. Sorry about that.
  Reply Report comment
Eduardo Hernacki says:
January 20, 2016 at 11:38 am
Oracle Enterprise Linux 6 with UEK Kernel (3.8) should also be included in the list.
Reply Report comment
Alex.Computeman says:
January 20, 2016 at 4:46 pm
Debian’s “dist-upgrade” command miss “sudo” that actually updating kernel
Change
sudo apt-get update && sudo apt-get upgrade && apt-get dist-upgrade
to
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
Reply Report comment
1. Vivek Gite says:
  January 20, 2016 at 5:46 pm
  Thanks for the heads up!
  Reply Report comment
Curtis Starnes says:
January 20, 2016 at 8:20 pm
I have a couple of comments/questions;
Question 1: As BradErz asked, what kernel version are we looking for that has been patched?
Question 2: If this vulnerability has been around for 3 years, why is CentOS 7 affected while CentOS 6 is not? Just curious.
Reply Report comment
1. Vivek Gite says:
  January 20, 2016 at 9:15 pm
  This bug affects kernel version 3.8 and above. CentOS 7/RHEL 7 comes with version 3.10. CentOS 6 or older has 2.6.xx series kernel. So they are not affected.
  Reply Report comment
Natalia says:
January 20, 2016 at 10:34 pm
The Ubuntu system I built had the kernel version 3.16.0-40, and it was updated to 3.19.
So was 3.16-040 actually vulnerable in the first place?
The document says to update it to 3.13.0-76, so anything above that specific version should be good, right?
Is there something we can run to verify if the vulnerability is still there?
Reply Report comment
1. Vivek Gite says:
  January 20, 2016 at 11:33 pm
  The faq has been updated to include the PoC.
  Reply Report comment
  1. Natalia says:
    January 20, 2016 at 11:54 pm
    That’s awesome! Thank you Gite <3
    Reply Report comment
  2. Natalia says:
    January 21, 2016 at 12:04 am
    Just a small typo..
    it should be: .”/cve_2016_0728″ (instead of “./cve_2016_072”
    Reply Report comment
    1. Vivek Gite says:
      January 22, 2016 at 7:51 am
      Opps. I fixed it. I appreciate your feedback and time.
      Reply Report comment
linux3 says:
January 24, 2016 at 12:01 pm
Hi.in RHEL / CentOS Linux section you said that :”The package will be released soon on both CentOS and RHEL 7″
this means we cant patch this bug with sudo yum update and sudo reboot commands?
Reply Report comment
1. Vivek Gite says:
  January 24, 2016 at 2:44 pm
  Patch is already released. That was on 19th/Jan/2016. I will update the page soon.
  Reply Report comment
  1. Alexh says:
    January 25, 2016 at 10:07 am
    I can’t find any information about the update.
    According to Redhat the last kernel update was on 5th.
    kernel-3.10.0-327.4.4.el7.x86_64.rpm
    RHN and CentOS mailing list
    Reply Report comment
    1. Vivek Gite says:
      January 25, 2016 at 1:12 pm
      3.10.0-327.4.4.el7.x86_64 was released on 19th/Jan/2016. You need this version. I tested sample C and it didn’t worked. So the version I posted is 100% safe.
      Reply Report comment
      1. Alexh says:
        January 26, 2016 at 8:51 am
        that is strange:
        Here is the official update from 25.01.16
        https://rhn.redhat.com/errata/RHSA-2016-0064.html
        Reply Report comment
        Vivek Gite says:
        January 26, 2016 at 10:25 am
        You are right. It is fixed in 3.10.0-327.4.5.el7.x86_64. I just verified it:
        rpm -q --changelog kernel | grep -i cve-2016 - [security] keys: Fix keyring ref leak in join_session_keyring() (David Howells) [1298931 1298036] {CVE-2016-0728}
        The page has been updated. Thanks!
        Reply Report comment
George says:
January 25, 2016 at 6:45 am
and what about voyage linux?? has it vulnerability?? I’m using voyage 0.10.0 with 3.16.7- ckt9-voyage
Reply Report comment
ki4dkx says:
January 30, 2016 at 5:28 pm
I presume that mint 17.3 cinnamon is included here?
Reply Report comment
Jeffry Ghazally says:
February 17, 2016 at 8:08 pm
You miss-spelt uname in verification section: `umame`
Reply Report comment
Muddassir Nazir says:
March 6, 2016 at 5:05 pm
I suppose this vulnerability is for the servers or machines which have compiler access to unprivileged users enabled ?
Reply Report comment

nixCraft