Fedora has become something you can't run if security matters much

December 11, 2016

As I write this, it is early in December 11th, my time. CVE-2016-8655 was announced in public on Monday December 5th my time (and Linux distributors informed earlier) and an exploit was released a day later as promised, on Tuesday December 6th. As I noted on Twitter, Fedora did not release updates in anything like a timely manner. Right now as I write this, Bodhi's kernel updates page and the packages linked from it says that kernel updates to fix this issue have only entered the updates-testing repository a few hours ago. They are not yet pushed to general updates.

(Bodhi is Fedora's web based updates management system. Knowing about it is useful if you want to check in on what updates may be working their way through things or if you want to see what's coming for a particular package.)

CVE-2016-8655 is a bad exposure. It gives anyone with local access to the system root access, and there's been a public exploit for some time (while it doesn't work out of the box on any Fedora version, that would almost certainly be easy to change; all it appears to need are some symbol addresses from /boot/System.map-*). And unlike on Debian or Ubuntu, user namespaces (the enabler of this issue) are configured on and cannot be disabled without rebuilding your kernel. All of this has not been enough to get a fast kernel update out of Fedora, for whatever reasons.

I've been using Fedora from when it was Red Hat Linux, but right now I am extremely glad that I only run it on my office workstation and my home machine, both of which have no one else who can log in to them. If we ran Fedora machines that allowed general logins (as we do for Ubuntu machines) or that were important, we would have had to (re)build our own kernels, either with user namespaces turned off or with hand-integrated kernel patches.

This isn't a new development and I've been concerned about it before, but this is by far the largest and most dangerous security issue that Fedora has let sit around so far. At this point it appears likely that it'll be a week from the public announcement (and almost a week from the exploit being available) before Fedora officially releases a fix. If security matters much on your machines, this is not something that you can really live with.

All of which leads me to the inevitable but sad conclusion: Fedora is no longer a Linux distribution that you can use on machines where security matters. Single-user machines where the machine owner is already has root access and that don't run any services? Sure, that's reasonably okay; you can probably get away with leaving a local root exploit sitting around for a week, since the odds are that no one is going to chain eg a Firefox local code execution vulnerability with the local root exploit in order to own your box. But a multi-user machine or something running important services that have to stay up? Exploits left open for a week aren't likely to be something you can live with.

(I don't currently have any views on alternatives to Fedora or any thoughts on what I'm going to do in the long run. In the short run I'll probably look the other way, convince myself I can get away with it, and keep running Fedora.)

Written on 11 December 2016.
« My view of using a docked laptop as my main machine
Realizing that I'm not actively attracted to FreeBSD for my desktop »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Dec 11 02:01:11 2016
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.