- Joined
- Nov 30, 2016
An alleged critical RCE security vulnerability in Linux has been uncovered by reputable security researcher Simone Margaritelli. Margeritelli made a post about this on his blog, and then privated his Twitter.
Simone Margitelli's post on the find
(Archive)
Margitelli posted a screenshot that implies he submit this bug to Canonical and Red Hat, who rated the vulnerability to have a CVSS of 9.9. If this is true, this bug would be more critical than the infamous Heartbleed, Spectre, and Meltdown exploits. Information is really limited right now about this bug, and also somewhat contradictory. I cannot find a public statement from Red Hat or Canonical confirming the existance of this bug, but have yet to deny it. This is typical for an exploit of this magnitude. However, according to Security Online, both insitutions have confirmed its severity:
Security Online Article
(Archive of Article)
Full disclaimer, this thing could be totally overhyped/overblown right now. Its going to take a few weeks before all the information comes out. It wouldn't be the first time a vulnerability has been overhyped to pressure the dev into fixing it. Regardless, I think it would be really funny if a historic RCE exploit is discovered the week after Null switches back to Linux. In the mean time, Linux users should make sure to keep their systems up to date.
Code Jew explains vulnerability:
Simone Margitelli's post on the find
* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and others have confirmed the severity, a 9.9, check screenshot.
* Devs are still arguing about whether or not some of the issues have a security impact.
I've spent the last 3 weeks of my sabbatical working full time on this research, reporting, coordination and so on with the sole purpose of helping and pretty much only got patronized because the devs just can't accept that their code is crap - responsible disclosure: no more.
The writeup is gonna be fun, not just for the technical details of it, not just because this RCE was there for more than a decade, but as a freaking example on how NOT to handle disclosures.
Like, I write software, I get it, I get how someone can be defensive about the stuff they write, I really do. But holy sh, if your software has been running on everything for the last 20 years, you have a freaking responsibility to own and fix your bugs instead of using your energies to explain to the poor bastard that reported them how wrong he is, even tho he's literally giving you PoC after PoC and systematically proving your assumptions about your own software wrong at every comment. This is just insane.
Just wanted to add for the sake of clarity, that i have *so much respect* for the people at Canonical that have been trying to help & mediate from the beginning, I really don't know how they manage to keep their cool like this.
This is going to be the writeup opening statement. It's an actual comment from the github conversation. I mean, it's not wrong ...
And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and others have confirmed the severity, a 9.9, check screenshot.
* Devs are still arguing about whether or not some of the issues have a security impact.
I've spent the last 3 weeks of my sabbatical working full time on this research, reporting, coordination and so on with the sole purpose of helping and pretty much only got patronized because the devs just can't accept that their code is crap - responsible disclosure: no more.
The writeup is gonna be fun, not just for the technical details of it, not just because this RCE was there for more than a decade, but as a freaking example on how NOT to handle disclosures.
Like, I write software, I get it, I get how someone can be defensive about the stuff they write, I really do. But holy sh, if your software has been running on everything for the last 20 years, you have a freaking responsibility to own and fix your bugs instead of using your energies to explain to the poor bastard that reported them how wrong he is, even tho he's literally giving you PoC after PoC and systematically proving your assumptions about your own software wrong at every comment. This is just insane.
Just wanted to add for the sake of clarity, that i have *so much respect* for the people at Canonical that have been trying to help & mediate from the beginning, I really don't know how they manage to keep their cool like this.
This is going to be the writeup opening statement. It's an actual comment from the github conversation. I mean, it's not wrong ...
And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix.
Margitelli posted a screenshot that implies he submit this bug to Canonical and Red Hat, who rated the vulnerability to have a CVSS of 9.9. If this is true, this bug would be more critical than the infamous Heartbleed, Spectre, and Meltdown exploits. Information is really limited right now about this bug, and also somewhat contradictory. I cannot find a public statement from Red Hat or Canonical confirming the existance of this bug, but have yet to deny it. This is typical for an exploit of this magnitude. However, according to Security Online, both insitutions have confirmed its severity:
Security Online Article
A critical security vulnerability affecting all GNU/Linux systems—and potentially others—has been identified by renowned security researcher Simone Margaritelli. The vulnerability, which allows for unauthenticated remote code execution (RCE), has been acknowledged by major industry players like Canonical and Red Hat, who have confirmed its severity with a CVSS score of 9.9 out of 10.
Margaritelli disclosed the existence of the vulnerability approximately three weeks ago but withheld specific details to allow developers time to address the issue. Despite this, there is currently no working fix available. Discussions between the researcher and developers have led to an agreed timeline for disclosure:
Canonical and Red Hat have not only confirmed the vulnerability’s high severity but are also actively working on assessing its impact and developing patches. However, some developers are reportedly debating the security impact of certain aspects of the vulnerabilities, which may be contributing to the delay in releasing a fix.
The lack of detailed information has left both individual users and security experts in a state of heightened concern. Without knowing which specific components, functions, or versions are affected, organizations are unable to take proactive measures to protect their systems.
Moreover, the absence of CVE assignments raises questions about the coordination and communication between security researchers, vendors, and the organizations responsible for vulnerability enumeration.
While a CVSS score of 9.9 indicates critical severity, it’s important to approach the situation with a balanced perspective. Not all high-severity vulnerabilities are easily exploitable in real-world scenarios. For instance:
While awaiting the full disclosure and subsequent patches, users and administrators should:
Margaritelli disclosed the existence of the vulnerability approximately three weeks ago but withheld specific details to allow developers time to address the issue. Despite this, there is currently no working fix available. Discussions between the researcher and developers have led to an agreed timeline for disclosure:
- September 30: Initial disclosure to the Openwall security mailing list.
- October 6: Full public disclosure of the vulnerability details.
Canonical and Red Hat have not only confirmed the vulnerability’s high severity but are also actively working on assessing its impact and developing patches. However, some developers are reportedly debating the security impact of certain aspects of the vulnerabilities, which may be contributing to the delay in releasing a fix.
The lack of detailed information has left both individual users and security experts in a state of heightened concern. Without knowing which specific components, functions, or versions are affected, organizations are unable to take proactive measures to protect their systems.
Moreover, the absence of CVE assignments raises questions about the coordination and communication between security researchers, vendors, and the organizations responsible for vulnerability enumeration.
While a CVSS score of 9.9 indicates critical severity, it’s important to approach the situation with a balanced perspective. Not all high-severity vulnerabilities are easily exploitable in real-world scenarios. For instance:
- CVE-2024-7589: An SSH remote code execution vulnerability initially scored at 9.8 was later reevaluated to 8.1 due to the difficulty of exploitation.
- CVE-2024-38063: A Windows system RCE vulnerability with a CVSS score of 9.8 drew significant attention but was deemed very difficult to exploit after thorough analysis by security experts.
While awaiting the full disclosure and subsequent patches, users and administrators should:
- Stay informed by following updates from trusted security news sources and official vendor communications.
- Review and enhance existing security measures, such as firewalls and intrusion detection systems.
- Prepare for rapid deployment of patches once they become available.
Full disclaimer, this thing could be totally overhyped/overblown right now. Its going to take a few weeks before all the information comes out. It wouldn't be the first time a vulnerability has been overhyped to pressure the dev into fixing it. Regardless, I think it would be really funny if a historic RCE exploit is discovered the week after Null switches back to Linux. In the mean time, Linux users should make sure to keep their systems up to date.
Code Jew explains vulnerability:
