[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#524373: linux-2.6: /dev/mem rootkit vulnerability

severity 524373 wishlist

On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
> package: linux-2.6
> severity: grave
> tags: security
> as seen in recent articles and discussions, the linux kernel is
> currently vulnerable to rootkit attacks via the /dev/mem device.  one
> article [1] mentions that there is an existing patch for the problem,
> but does not link to it.  perhaps this fix can be found in the kernel
> mailing lists.

This isn't a hole - it just describes a proof of concept of an
already-known way to hide yourself once you've already gained
escalated privileges on a system. The "fix" referred to is
presumably the CONFIG_STRICT_DEVMEM option (formally
CONFIG_NONPROMISC_DEVMEM). This option is included, but not enabled,
in the Debian 5.0.0 kernel. It is unlikely to get enabled within a
stable release because it will be disabling an interface that existing
applications may rely upon (the crash application is one I can think
of, off the top of my head). However, this option is enabled in the
2.6.29 kernel available in sid.

dann frazier

Reply to: