Ubuntu still vulnerable to time-twiddling hack
- 01 May, 2015 06:34
A security flaw in a common Unix software component remains unpatched in one of the most popular Linux distributions, more than a year after an official fix was published.
"Super do," which is universally shortened to "sudo," is a ubiquitous app that's been a part of Unix systems for decades. It allows users to run commands as though they had root access to the computer without having to log in as an administrator. This makes for a more secure environment.
The bug, however, means that it's possible to use an already logged-in account to gain root access to the system without knowing the password, simply by tinkering with the system date and time. User Mark Smith, who first reported the bug in August 2013, said that the issue affected Ubuntu 13.04 as well as some versions of OS X, generally where changing the system time settings does not require a password.
Apple said in an email to Network World that it fixed the vulnerability in OS X itself soon after the bug was first reported in 2013, and a new version of sudo that removes the bug has been available since February 2014.
However, Ubuntu has not incorporated the update. Canonical engineer Tyler Hicks said in the bug tracker discussion that the fix will be implemented in Ubuntu 15.10, which is not due out until October.
"After taking all of the details into account, I consider this issue to be low severity due to the mitigating factors involved," Hicks wrote. "Since there are many different ways to attack an unlocked desktop session, best security practices dictate all users lock their screens when not at their computer."
Smith, in the same thread, didn't mince words about the Ubuntu team's attitude toward the problem.
"This is a simple upgrade that even your parent distribution [Debian] has adopted for their stable [version]," he said. "Why ignore it for over a year?"
But 451 Research security analyst Adrian Sanabria said that it's not a catastrophic security flaw.
"The sky isn't falling," he said. "You need access to the system before you can do any of this, so that cuts down on your threat vectors/scenarios."
That said, the ability to fiddle with system time and date settings without a password could prove to be an indirect security headache, even if it doesn't wind up granting an attacker root access.
"If an attacker can mess with the time, they can give incident responders a really hard time piecing together what happened after the attack is over, since they can make the time wrong on everything," he told Network World. "Furthermore, if a [security information] or log collection/aggregation tool is set to purge logs based off the native log time (not the time the log was collected), the attacker could essentially be tricking the logging system into automatically deleting its own logs, covering the attacker's tracks."
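The retention problem Sanabria describes can be shown with a small added example, which is not part of the original article or of any product it mentions. It assumes each record carries both the source host's timestamp and a collector-assigned arrival time; the field names, the 90-day retention window, the 5-minute skew tolerance and the sample records are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)   # assumed retention window
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance between source and collector clocks

def utc(stamp):
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

def rec(rid, event_time, received_time, msg):
    return {"id": rid, "event_time": utc(event_time),
            "received_time": utc(received_time), "msg": msg}

# Constructed sample records. event_time comes from the source host's clock;
# received_time is stamped by the collector when the record arrives.
RECORDS = [
    rec(1, "2015-04-30T09:00:02", "2015-04-30T09:00:03", "session opened"),
    rec(2, "2014-01-01T00:00:10", "2015-04-30T09:01:10", "sudo command run"),  # host clock set back
    rec(3, "2015-04-30T09:02:00", "2015-04-30T09:02:01", "session closed"),
    rec(4, "2015-01-05T10:00:00", "2015-01-05T10:00:01", "routine cron job"),  # genuinely old
]
NOW = utc("2015-05-01T06:34:00")

def retained_by_event_time(records, now):
    """Weak policy: age is taken from the source clock, so a backdated record expires at once."""
    return [r["id"] for r in records if now - r["event_time"] <= RETENTION]

def retained_by_received_time(records, now):
    """Hardened policy: age is measured on the collector's clock only."""
    return [r["id"] for r in records if now - r["received_time"] <= RETENTION]

def skewed(records):
    """IDs of records whose source clock disagrees with the collector beyond MAX_SKEW."""
    return [r["id"] for r in records
            if abs(r["received_time"] - r["event_time"]) > MAX_SKEW]

def timeline(records):
    """Order events for responders by arrival time, not by the untrusted source time."""
    return [r["id"] for r in sorted(records, key=lambda r: r["received_time"])]

if __name__ == "__main__":
    print("kept, event-time purge:   ", retained_by_event_time(RECORDS, NOW))
    print("kept, received-time purge:", retained_by_received_time(RECORDS, NOW))
    print("clock-skew alerts:        ", skewed(RECORDS))
    print("timeline by arrival:      ", timeline(RECORDS))
```

Under the event-time policy the backdated record is purged together with the genuinely old one; under the received-time policy it is kept, and the skew check flags it for review.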