Linux security backfires: Flaw lets hackers inject malware into downloads, disrupt Tor users, etc

A flaw in the Linux kernel lets hackers inject malware into downloads and webpages, smash Tor connections, launch denial-of-service attacks, and more. This is a troubling security headache because Linux is used widely across the internet, from web servers to Android smartphones, tablets and smart TVs. The TCP/IP networking …

Facepalm

Patch incoming in... 3,2,1

Except for Android phones and smart TVs (and home routers?). Those will be screwed over.

Keep your torrents encrypted. :)

Now I'm expecting some clear and insightful comments from the MS fudslingers. Don't let me down guys.

12
12
Anonymous Coward

Re: Patch incoming in... 3,2,1

You're projecting, my dear chap...

8
4

Re: Patch incoming in... 3,2,1

"Except for Android phones and smart TVs (and home routers?). Those will be screwed over."

Most of that stuff is running kernels so old that they don't contain the affected code.

31
1

Re: Patch incoming in... 3,2,1

about device on my Galaxy S5 gives kernel version 3.10.61

0
0
Linux

Re: Patch incoming in... 3,2,1

"The flaw finders have developed and distributed a patch for this serious error, but that's still going to leave a lot of servers unpatched – and the exploit only requires one end of the communicators to be unpatched for the hack to work."

@Ropewash: I suspect that the 'fudslingers' will not be too voluble: see the first part of the quote from OA above. The BSD fixie riders might manage a smug smile.

The real question is how do we siphon off some small fractions of a % of the beelions that large Internet companies have made (annually) using software that has been written and distributed freely - the money to be used for the purpose of software audit and code checking?

4
6

Re: Patch incoming in... 3,2,1

why should users of this free software be responsible for testing it? Shouldn't the maintainers of the free software carry out the testing for it instead?

Consumers of the software just need to make sure it does what they want it to do, not that it does what everyone wants it to do.

Also, why should these "beelions" made by large Internet companies who use this free software pay for that testing? Especially when they need to pay people to support the free software they just decided to use?

Proprietary software for companies as large as you are alluding to normally comes with Enterprise support to provide 24/4 help to anyone using that software. Other companies pushing open source and free software also sell Enterprise support plans for this software. So when exactly does it become as free as you mention?

4
5
Anonymous Coward

Re: Patch incoming in... 3,2,1

"why should users of this free software be responsible for testing it? Shouldn't the maintainers of the free software carry out the testing for it instead?"

Er, you don't really understand from whom Linux comes, do you? And in case you're wondering, there's no piece of software anywhere that gives any guarantees of correctness, free or paid-for.

Though I will say one thing about Linux: isn't it high time that the network stack got moved out of the kernel? Things like this point quite convincingly to the perils (never mind the performance problems) of putting such a large chunk of code in the kernel. This is too close for comfort to being able to take over a machine through its stack.

7
1

Re: Patch incoming in... 3,2,1

Did you just call a BSD user a hipster?

Come now, that's such a horrid thing to say - just beyond the pale.

3
0
Silver badge

Re: Patch incoming in... 3,2,1

> Galaxy S5 gives kernel version 3.10.61

I thought the Android kernel was forked off the Linux kernel at version 3.0 or so. Is Samsung different?

0
0

This post has been deleted by its author

Re: Patch incoming in... 3,2,1

"about device on my Galaxy S5 gives kernel version 3.10.61"

Some Linux-based systems use kernels with newer features backported to them, so the kernel version being reported won't necessarily tell you much. That's definitely the case with ChromeOS, I don't know if it applies to Android as well though.

0
0
Windows

Re: Patch incoming in... 3,2,1

"Did you just call a BSD user a hipster?"

Yup: based on my locally available sample: beard (tick), fixed wheeled bicycle (tick), lives in small flat with a balcony on which bike is parked (tick), wears shoes without socks (tick), likes a local independent coffee shop with tables made from plywood (tick).

Pity about the shell suit though.

5
0
Silver badge

Re: Patch incoming in... 3,2,1

>"Did you just call a BSD user a hipster?"

Web browsing mostly out of a OpenBSD VM is smart security practice. I guess that passes for hipster these days. Not to mention if I had to maintain internet facing servers OpenBSD would be my first choice. Wouldn't be worrying about this mickey mouse shit for example.

3
0
Anonymous Coward

Re: Patch incoming in... 3,2,1

>> about device on my Galaxy S5 gives kernel version 3.10.61

errr that's nice. cheers

0
0

Re: Re: Patch incoming in... 3,2,1

"You're projecting, my dear chap..."

Perhaps. I was just thinking the MS guys might like to have a go at the Linux folks this go-round.

After all, we (myself included) don't miss many opportunities to give MS a well earned kicking when they're down.

However other responders were much better at reading the mood than I and it seems they're either above it or just couldn't be arsed. Too bad, I'm bored after work and enjoy reading the arguments.

0
0

Re: Patch incoming in... 3,2,1

@AC

So, you think that people should be responsible for carrying out unspecified testing on software they have either just purchased or agreed to use? Are you for real?

And for those people paying for an enterprise support package - they are also supposed to carry out some unspecified testing on whatever software they are using as well whilst paying for their enterprise support?

This has nothing to do with Linux, so not sure why you felt the need to pick that one out, maybe because it satisfies an argument you are having with yourself?

I think it is pretty clear you don't work at the enterprise level, so maybe you should keep your opinions to yourself on these matters? At least until you know what you are talking about?

Oh, and I don't give a monkeys about what is in the Linux kernel.

0
0
Facepalm

Re: Patch incoming in... 3,2,1

Nexus 7 (2013) with all of the latest Marshmallow updates:

~$ uname -a

Linux localhost 3.4.0-g1fc765b #1 SMP PREEMPT Wed Jun 8 18:49:02 UTC 2016 armv7l

So no worries there - for once being on an ancient kernel is a blessing!

0
0
Roo
Unhappy

Nice hack

Neat hack. Slightly relieved that HTTPS & SSH still work. :)

6
0

Re: Nice hack

SSL, anyone? El Reg?

14
0
Anonymous Coward

Re: Nice hack

When using a secure connection (https, ssh, tor etc), you can't modify it, but with this you can end the session.

2
0

Re: Nice hack

So that's what's happening when we try to see el reg in https

2
0

meh

Where's my tinfoil thingamabob... OK, all good.

No way in hell would I implement the workaround. On a system with a high volume TCP load, I speculate that essentially removing rate limiting would open one up to stack saturation / buffer overflows with intentionally sent malicious packets. Or maybe that's the intention of this workaround that reads like a nation state armchair exploitation.

Agent N: Oy geeza, do this or you'll be owned -

Adminerd: Kk.

Agent N: lolz owned.

Adminerd: :[, barely had time to lick a boot.

6
1
Anonymous Coward

Re: meh

Stack saturation maybe, but I hope "buffer overflows" ain't gonna happen nowadays. I mean, EVERYONE must have heard of QA, linting, defensive programming, not behaving like a clown who thinks he is skilled with obscure pointer arithmetic etc. nowadays.

Well, there will always be unskilled first-timers overly confident in their nonexistent skills and barely aware of software development processes, but I hope they won't be near a network stack...

0
0
Anonymous Coward

Re: meh

>Well, there will always be unskilled first-timers overly confident in their nonexistent skills and barely aware of software development processes, but I hope they won't be near a network stack...

IoT?

2
0
Silver badge

not linux fault then

the RFC has not been thoroughly tested and early adopters (or followers of standards) pay the price.

10
10
Silver badge

Re: not linux fault then

No, it's not Linux's fault ... as the article does note: while later versions of Linux are vulnerable to this attack, Windows, OS X and FreeBSD aren't vulnerable because they haven't fully implemented RFC 5961 as yet.

So, Linux is ahead of the game, but I'd hardly call it an "early adopter". RFC5961 is six years old and is designated a "PROPOSED STANDARD" (their caps); you might think a few others would have picked it up by now ... but then again RFC2460 is nearly 18 years old and we still don't have universal IPv6 support. Things do go slowly in standards-land, and perhaps that's just as well.

2
1
Anonymous Coward

Re: not linux fault then

The majority of RFCs these days seem to be a solution looking for a problem

0
0
Silver badge

At least it's an easy fix

/etc/sysctl.conf is quite a short config file. I notice the following in my Linux Mint installation:

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)

# Turn on Source Address Verification in all interfaces to

# prevent some spoofing attacks

#net.ipv4.conf.default.rp_filter=1

#net.ipv4.conf.all.rp_filter=1

I wonder why these haven't been enabled by default for a distribution that is obviously intended as a domestic computer. (Also, it shouldn't say "the next two lines", it should say "the final two lines".)

There is this one too:

# Do not accept ICMP redirects (prevent MITM attacks)

#net.ipv4.conf.all.accept_redirects = 0

#net.ipv6.conf.all.accept_redirects = 0

However, there is a comment that "Some network environments, however, require that these settings are disabled so review and enable them as needed."

8
0

Re: At least it's an easy fix

There is no benefit from these settings unless you are on a multihomed host - and chances are your home network isn't. *

And they break lots of multihomed setups.

So no, not good to have by default. I think Debian actually used to enable them by default but wised up. At least I have lots of memories of doing routy stuff with Debian and repeatedly scratching my head as to why it wasn't working until I remembered to disable them.

* Actually, there is one use case on a single homed host: efficiently blocking traffic from a long list of addresses/networks. Add routes for them via loopback and enable rp_filter. What rp_filter does is look up the sources of all incoming packets in the routing table and drop the packets if the incoming interface doesn't match the route. And routing table lookups are a lot more efficient than stepping through firewall rules.

0
0
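A small model of the reverse-path check the comment above describes, added here as an illustration rather than anything from the thread or the kernel: a constructed routing table, a longest-prefix lookup on the packet's source address, and the strict/loose modes of `net.ipv4.conf.*.rp_filter` (1 and 2 in the kernel's ip-sysctl documentation). It also shows the loopback-route blocklist trick and why strict mode drops traffic on a multihomed box whose return route leaves by a different interface. The routes, interfaces and addresses are invented.

```python
import ipaddress

# Constructed routing table for a single-homed home box: each entry is
# (destination network, interface the kernel would use to reach it).
# The /0 entry is the default route. All values are invented.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    (ipaddress.ip_network("10.0.0.0/8"), "eth0"),
]

def lookup_iface(table, src):
    """Longest-prefix match on the packet's *source* address, the lookup
    rp_filter performs on the FIB. Returns the interface a reply to that
    source would leave through, or None if the source is unroutable."""
    best = None
    for net, iface in table:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rp_filter(table, src, in_iface, mode=1):
    """True if a packet from `src` arriving on `in_iface` is accepted.
    mode=1 is strict: the route back to the source must leave via the
    ingress interface. mode=2 is loose: any route at all will do.
    mode=0 disables the check entirely."""
    if mode == 0:
        return True
    via = lookup_iface(table, ipaddress.ip_address(src))
    if via is None:
        return False                      # no route back: a martian source
    return via == in_iface if mode == 1 else True

def with_blocklist(table, prefixes):
    """The commenter's trick: route unwanted prefixes via loopback so that
    the reverse-path lookup never matches a real ingress interface."""
    return table + [(ipaddress.ip_network(p), "lo") for p in prefixes]

if __name__ == "__main__":
    blocked = with_blocklist(ROUTES, ["203.0.113.0/24", "198.51.100.0/24"])
    for src, iface in [("203.0.113.9", "eth0"), ("192.0.2.4", "eth0"),
                       ("10.0.0.5", "eth1")]:
        verdict = "accept" if rp_filter(blocked, src, iface) else "drop"
        print(f"{src:>14} on {iface}: {verdict}")
```

The third sample packet (a 10.0.0.0/8 source arriving on eth1 while the route points at eth0) is the multihomed case the comment says strict mode breaks; loose mode lets it through.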
Alien

take me to your leader

# Log Martian Packets

#net.ipv4.conf.all.log_martians = 1

nice pointer to the /etc/sysctl.conf file thanks but now that I'm looking at it I'm thinking this particular option should be switched on by default

3
0
Silver badge
Alien

Re: take me to your leader

For an internet-facing PC port (e.g. firewall) that makes sense, but behind NAT you really don't want a log of all 192.168.0.0/16 packets!

9
0

Re: take me to your leader

Not really. It will log every private IP it sees, and since you're most likely connected to a network that uses private IP ranges (here in the office the 10.0.0.0/8 range and at home the 192.168.0.0/16 range, for example), if you like to fill your logging with it... go ahead.

3
0
Silver badge
Coat

Re: take me to your leader

@ UKHobo:

Log martians yes, but even on an INSIDE network, use your syslog to ratelimit or filter them. If you have one or two phones on the network, a TV and perhaps a reasonably new printer you'll go nuts chasing them all down.

0
0
Silver badge
Joke

Won't you think of the children?

From the picture all of the UCR researchers are foreign looking.

Can't even pronounce their names.

Sweet Jesus, Donald, where are you when we need you?

. . .

Sort of joking, but have you noticed how many US security researchers (mathematics based generally) seem to be Asian? Loads of Chinese and Pakistani/Indian names? Are they better at maths than their Western counterparts due to early training? Or just all round brighter?

2
1
Silver badge

Re: Won't you think of the children?

More dedicated in my view. The grad student I was paired with had her own theorem in econometrics. She was from India which has a very fine tradition in maths. That was in the early '90s when I went back to college for a second go at, you probably guessed it, UCR. It was my mother's alma mater as well. She earned her Ph.D. when she was 49, and UCR was just as ethnically diverse back then, too.

2
1
Silver badge

Re: Won't you think of the children?

Sweet Jesus, Donald, where are you when we need you?

I wonder if he knows Jesus was a towelhead?

7
0
Silver badge
Joke

Re: Won't you think of the children?

He's a Red Sea pedestrian and proud of it :)

8
0
Anonymous Coward

Re: Won't you think of the children?

Asians/Indians are burning bright (and also numerous) while Whitey is out tweeting like a dumb fuck, Jews have lost their hunger and Blacks are there because of affirmative action.

So there we go.

(Anon obviously because hella non-PC)

3
2
Silver badge

Re: Won't you think of the children?

Jesus, like Santa, is white!

I know this because they said so on a news channel...

https://www.youtube.com/watch?v=7XYlJqf4dLI

1
1
Anonymous Coward

Re: Won't you think of the children?

Sort of joking, but have you noticed how many US security researchers (mathematics based generally) seem to be Asian? Loads of Chinese and Pakistani/Indian names? Are they better at maths than their Western counterparts due to early training? Or just all round brighter?

You're forgetting the "yooge" population sizes of China and India (each over 1.2 billion) compared to the rest of the world, and familial pressures on children to succeed. There are several factors that help the stereotype.

2
0
Anonymous Coward

Re: Won't you think of the children?

And they have a totally different style of teaching.

http://www.ft.com/cms/s/0/11ed77a2-14eb-11e5-9509-00144feabdc0.html#axzz4H1ml1Wme

1
0
Anonymous Coward

Re: Won't you think of the children?

I will point out that there are some legitimate reasons why you see more foreign-born people in these positions. For one, American trained BS STEM graduates can often get high salaries. Depending on the field those figures can exceed $100,000/yr. For a lot of fields, the salary increase due to a MS or PhD degree is not substantial enough to convince graduates to go back to college for several more years. Furthermore, the undergraduate STEM students we produce in the US are much better trained than the international graduate students that we receive. This means that internationally educated graduates have a greater incentive to come to a US institution for further study, which puts them in a better position to be part of work like this after graduation.

There's also the point that, if the work is done at a university, then chances are most of the people working on it are graduate students, who as mentioned above are more likely to be of international background. It's also a lot easier for an international student to get an education in the US, than it is to find a job here afterwards.

While I'm speaking from a US perspective, I would expect the same holds true for other countries with a comparable academic tradition, like the UK.

1
0
Anonymous Coward

Re: Won't you think of the children?

Jesus was Jewish

3
1
Anonymous Coward

Re: Won't you think of the children?

Numbers are all one syllable in most asian languages - easier to process

0
0

Re: Won't you think of the children?

Well, considering he is of British, Dutch and Turkish origin - most of him coming from northern Europe...

0
0
Silver badge
Happy

Re: Won't you think of the children?

@AC

"Furthermore, the undergraduate STEM students we produce in the US are much better trained than the international graduate students that we receive".

The whole thing is fairly complicated. Listen to this American professor of theoretical physics at the City College of New York.

https://www.youtube.com/watch?v=CrE9z1JFT1Y

To put it bluntly, a country that does not understand the value of affordable education for each and every kid will end up with an uneducated population. A catastrophe for a democracy. And please, I am not laughing or mocking you, but this US election is just too revealing to go unnoticed around the world.

3
0
Anonymous Coward

Re: Won't you think of the children?

@downvoter

You mean Jesus wasn't Jewish? Did I get this wrong, is this factoid in dispute? Inquiring minds need to know!

1
1
Anonymous Coward

Re: Won't you think of the children?

"You mean Jesus wasn't Jewish? Did I get this wrong". Perhaps your comment was just a bit off topic, perhaps he was a Palestinian, perhaps he was a self hating Jew, perhaps he was white, perhaps he was not, perhaps you should just shut up.

0
2
Bronze badge

Re: Won't you think of the children?

More dumb ass stereotyping

0
1
Silver badge

Re: Won't you think of the children?

Numbers are all one syllable in most asian languages - easier to process

Well the exception proves the rule, I guess: the reading of 「一」 is 「いち」 (ichi).

0
0
