Linux Security Flaw

The affected component is the High-Level Data Link Control (HDLC) kernel module.

It is the fourth severe Linux bug within the last 13 months, after the unbelievable glibc disaster (unnoticed for 8 years), Dirty Cow (9 years) and the kernel-code execution bug which allowed low-privilege processes to gain full root access (11 years without getting fixed). Each one of them had the potential to take a huge company like Microsoft down, had it happened to them.
And really, it's not funny anymore. Never has been in the first place.

Do you still believe in the myth that open source is a key ingredient for secure systems and services, and that closed source is the devil? I'm sorry, but you are misled. This has rarely been more than an excuse for a certain type of employer to replace licence costs with cheaper manpower, but in the last year it became pretty obvious that open source does not increase security at all. The reason is simple: nobody audits the fundamental codebases of the kernel and supplemental software components, because this would be too expensive. And so such bugs go unnoticed by the community, while those who research the kernel code for zero-day exploits also have zero interest in sharing their insights with anyone who doesn't pay big sums for the disclosure.

Actually, an opposite awareness begins to show its ugly face: open source increasingly becomes a security problem. For example, Amazon Web Services is not (by far) the most compromised cloud service in the world because they are big. A more serious reality is that standard open source applications running on standard kernels and cheap Intel hardware have become one of the most relevant attack surfaces, due to code profiling tools like Valgrind and non-isolated container environments like Docker. Big attacks like the PlayStation Network hack (Amazon), which caused tens of millions of dollars of damage, would not have been possible without the use of open source on the server.


Even the kernel development teams have realized this, and switched from a disclosure policy to a non-disclosure approach by keeping any exploits they hear about "secret" until they have fixed them. Except Google, of course, but Google usually only acts as an advocate for free security information as long as it concerns security issues of their main competitors in the cloud or phone market.

Long story short: if you are in the security business (or any related one), please don't talk about Linux being more secure than anything else, especially if you don't have the funds to perform serious in-depth audits of each component you use, from the kernel up to the application layer and OpenSSL. There's a reason why companies like IBM, Oracle or Microsoft employ hundreds of experts and academics who focus on nothing else. And that effort has an effect that distributors like Red Hat, Canonical and SUSE do not achieve.

There's also a reason why, for example, financial, military and other highly critical environments still use so-called "end-of-life" platforms like Red Hat Enterprise Linux 3: simply because an audit costs tens of millions. And don't forget that every involved supplier, from the developer to the Linux software distributor, strictly rejects any liability, or even Service Level Agreements, in case an urgent hotfix is needed within a fixed MTTR.

Be smart, not religious. Use any technology you want, but use it where it is appropriate. And be aware that the times when attacks and defense happened mostly on the application layer are over. This will significantly decrease your risk of being put out of business.

You can find the fixed HDLC kernel module code here: git.kernel.org. Have fun compiling your images, again.
