Ubuntu to shutter year-old clock unlock bug

Canonical wonk says external hack not even remote


Ubuntu's latest edition contains a local access escalation flaw first reported a year ago that allows users to tinker with the system clock to become a root user.

The attack, reported by Linux lover Mark Smith, isn't colossally risky as it impacts only local users; those with existing access to a machine.

Smith has chided Ubuntu for 'falling behind Debian'.

"Congratulations, Ubuntu team. You have now fallen behind Debian's Stable Release in a security update to sudo, despite several releases in between," Smith says in a Ubuntu mailing list .

"This has been fixed, fully fixed, for over a year now. Epic fail."

But Canonical engineer Tyler Hicks says the bug, which allows users to access the clock without authentication, is low severity and will be fixed when version 15 is released later this year.

"We will fix this issue in the next Ubuntu release (15.10) by including sudo 1.8.10 or newer," Hicks says in a

"Due to the issue’s low severity and considering our practice of prioritising resources on publishing security updates that fix issues of greater security impact, we may fix this issue in stable releases of Ubuntu in the future if another sudo vulnerability of higher severity is found or if new details emerge regarding this issue."

Hicks says the flaw likely does not permit privilege escalation for remote attackers.

"I don't see a way for an attacker, without physical access, to use an arbitrary code execution vulnerability in combination with the issue that you've described in this bug to elevate his/her privileges," he says.

Admins would instead need to gift attackers with an unlocked desktop.

Smith says attackers could guess the required parameters with about five minutes of brute forcing on a relatively slow machine. ®


Keep Reading

Biting the hand that feeds IT © 1998–2021