Google Project Zero is a security team responsible for discovering security flaws in Google"s own products as well as software developed by other vendors. Following discovery, the issues are privately reported to vendors and they are given 90 days to fix the reported problems before they are disclosed publicly. In some cases, a 14-day grace period is also given, depending on the complexity of the solution involved.
We have covered Google Project Zero"s findings extensively in the past as it has reported vulnerabilities in software developed by Google, Microsoft, Qualcomm, Apple, and more. Now, the security team has reported several flaws in CentOS" kernel.
As detailed in the technical document here, Google Project Zero"s security researcher Jann Horn learned that kernel fixes made to stable trees are not backported to many enterprise versions of Linux. To validate this hypothesis, Horn compared the CentOS Stream 9 kernel to the stable linux-5.15.y stable tree. For those unaware, CentOS is a Linux distro closest to Red Hat Enterprise Linux (RHEL) and its version 9 is based on the linux-5.14 release.
As expected, it turned out that several kernel fixes have not been made deployed in older, but supported versions of CentOS Stream/RHEL. Horn further noted that for this case, Project Zero is giving a 90-day deadline to release a fix, but in the future, it may allot even stricter deadlines for missing backports:
I am reporting this bug under our usual 90-day deadline this time because our policy currently doesn"t have anything stricter for cases where security fixes aren"t backported; we might change our treatment of this type of issue in the future.
It would be good if upstream Linux and distributions like you could figure out some kind of solution to keep your security fixes in sync, so that an attacker who wants to quickly find a nice memory corruption bug in CentOS/RHEL can"t just find such bugs in the delta between upstream stable and your kernel. (I realize there"s probably a lot of history here.)
Red Hat accepted all three bugs reported by Horn and assigned them CVE numbers. However, the company failed to fix these issues in the allotted 90-day timeline, and as such, these vulnerabilities are being made public by Google Project Zero. You can find some high-level details below:
- CVE-2023-0590: A use-after-free flaw in the Linux kernel because of a race condition, moderate severity, local attack vector
- CVE-2023-1252: Use-after-free vulnerability in the Linux kernel"s Ext4 File System that enables an attacker to crash the system or escalate privileges, moderate severity, local attack vector
- CVE-2023-1249: Use-after-free flaw in Linux kernel"s core dump subsystem that is difficult to exploit but can enable an attacker to crash the system, low severity, local attack vector
Now that the details of these security flaws in certain Linux kernels is public, it remains to be seen if Red Hat will be pressured in fixing them as soon as possible.