SuSE warns of hole in Linux kernel

Linux distributor SuSE has warned of one of the most serious security holes to date in version 2.6 of the Linux kernel, which...

Linux distributor SuSE has warned of one of the most serious security holes to date in version 2.6 of the Linux kernel, which could allow attackers to shut down a system running 2.6-based software.

The 2.6 kernel, completed at the end of last year, brings a number of enterprise-friendly features to Linux, but is still in the early stages of rolling out in commercial products.

While a number of Linux suppliers have released software for technical enthusiasts running the new kernel, SuSE, which is owned by Novell, is one of the few offering an enterprise product based on 2.6.

Red Hat, for example, has backported many of the more important 2.6 features to the 2.4 kernel for use in Red Hat Enterprise Linux (RHEL), arguing that the older kernel is more stable, while MandrakeSoft has introduced 2.6 just for enthusiasts and not as an enterprise offering.

SuSE claimed to be the first to introduce 2.6 into a retail Linux operating system in the spring of this year with SuSE Linux 9.1.

The problem lies in the way the kernel handles iptables firewall logging, and only affects systems with iptables-based firewalls, such as SuSEfirewall2, SuSE said.

An attacker could use a malformed packet to shut down the system, according to SuSE's advisory, which ranked the bug nine out of 10 in severity.

As an alternative to updating the kernel, users can disable firewall logging of IP and TCP options, but this is not recommended. Products running the older 2.4 kernel - including the enterprise server products from Red Hat and MandrakeSoft - are not affected.

The bug affects SuSE Linux 9.1 and SuSE Linux Enterprise Server (SLES) 9; SuSE Linux 9.2 is not affected because the version of the kernel it uses, 2.6.8, already contains a fix.

At the same time, SuSE patched a less serious flaw that could have allowed a user to gain root privileges; this bug only affects SLES 9 on the S/390 platform.

In an advisory, Danish security firm Secunia gave the denial-of-service flaw only a moderately critical rating, because it does not allow attackers to compromise a system. This is only the second bug in 2.6 that has merited such a rating; the first was a denial-of-service bug publicised in July.

Matthew Broersma writes for

Read more on IT risk management