A vulnerability has been found in the Linux kernel that has exposed tens of millions of Linux devices - PCs, mobile handsets including two-third of smartphones and tablets running Android to malicious attacks. The reportedly vulnerability has been around for almost three years. Major Linux distributors are expected to release a patch for the bug this week.
Dubbed as CVE-2016-0728, the vulnerability is said to affect Linux kernel version 3.8 or later and any operating system that is based on it. The reported flaw, if exploited, allows an attacker to perform kernel code execution and gain root level access on the targeted system.
The vulnerability resides in a component called keyrings that is designed to encrypt and store login information, keys, and certificates and push them to applications. The vulnerability was discovered by Israel-based security startup Perception Point, which added that it has seen no incidents of the exploitation of the aforementioned vulnerability.
"As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/ tablets)," Perception Point wrote in a blog post. "While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible."
As mentioned before, the keyring facility allows drivers to retain and cache security data, encryption and authentication keys, and other data in the kernel. These objects can be managed by userspace programs via available system call interfaces.
The problem is that many of the affected devices - especially Android smartphones - won't ever receive the security patch. Samsung, LG, and other device manufacturer are unlikely to push the update to their older handsets.
Perception Point hasn't disclosed the exact Android versions that are affected with the aforementioned vulnerability, though it is worth pointing out that at least version Android 4.2.2 or lower aren't affected with the bug as they are based on Linux kernel version 3.4 or lower.