Wandering Thoughts archives

Fedora has become something you can't run if security matters much

As I write this, it is early in December 11th, my time. CVE-2016-8655 was announced in public on Monday December 5th my time (and Linux distributors informed earlier) and an exploit was released a day later as promised, on Tuesday December 6th. As I noted on Twitter, Fedora did not release updates in anything like a timely manner. Right now as I write this, Bodhi's kernel updates page and the packages linked from it says that kernel updates to fix this issue have only entered the updates-testing repository a few hours ago. They are not yet pushed to general updates.

(Bodhi is Fedora's web based updates management system. Knowing about it is useful if you want to check in on what updates may be working their way through things or if you want to see what's coming for a particular package.)

CVE-2016-8655 is a bad exposure. It gives anyone with local access to the system root access, and there's been a public exploit for some time (while it doesn't work out of the box on any Fedora version, that would almost certainly be easy to change; all it appears to need are some symbol addresses from /boot/System.map-*). And unlike on Debian or Ubuntu, user namespaces (the enabler of this issue) are configured on and cannot be disabled without rebuilding your kernel. All of this has not been enough to get a fast kernel update out of Fedora, for whatever reasons.

I've been using Fedora from when it was Red Hat Linux, but right now I am extremely glad that I only run it on my office workstation and my home machine, both of which have no one else who can log in to them. If we ran Fedora machines that allowed general logins (as we do for Ubuntu machines) or that were important, we would have had to (re)build our own kernels, either with user namespaces turned off or with hand-integrated kernel patches.

This isn't a new development and I've been concerned about it before, but this is by far the largest and most dangerous security issue that Fedora has let sit around so far. At this point it appears likely that it'll be a week from the public announcement (and almost a week from the exploit being available) before Fedora officially releases a fix. If security matters much on your machines, this is not something that you can really live with.

All of which leads me to the inevitable but sad conclusion: Fedora is no longer a Linux distribution that you can use on machines where security matters. Single-user machines where the machine owner is already has root access and that don't run any services? Sure, that's reasonably okay; you can probably get away with leaving a local root exploit sitting around for a week, since the odds are that no one is going to chain eg a Firefox local code execution vulnerability with the local root exploit in order to own your box. But a multi-user machine or something running important services that have to stay up? Exploits left open for a week aren't likely to be something you can live with.

(I don't currently have any views on alternatives to Fedora or any thoughts on what I'm going to do in the long run. In the short run I'll probably look the other way, convince myself I can get away with it, and keep running Fedora.)