Topic: [warning] Vulnerability in all major Linux distros gives full root privileges.

legendary
Activity: 3472
Merit: 10611
This is not such a big problem when we know small percentage of people running Linux operating systems compared to wiNd0ws and mac.
It is kind of off-topic but I guess people don't want to change, even if the change is significantly better. It is the same problem we have in bitcoin adoption. I did some searching and was very surprised at how low the "open source" adoption is: 2% Linux usage as OS on PC, 2-3% usage of Firefox browser, maybe less than 1% usage of bitcoin, etc. This is while all these alternative open source options are way more superior to their closed source counterparts, not to mention that at this point they are very mature.
I'm very surprised and kind of disappointed to be honest..
legendary
Activity: 2240
Merit: 3150
Of course the range of affected devices is much larger than only the cold storage wallet, but in my case I have only a cold storage with a Linux distro, so that's why I noted only that in the OP.
Now the OP is updated and includes some more info.

legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
This is not such a big problem when we know small percentage of people running Linux operating systems compared to wiNd0ws and mac.
Furthermore, a fix will be released much quicker than it would on other operating systems, and there is a temporary mitigation solution released.
If you are running your Bitcoin node on Linux you can apply the temporary solution if you want to be sure, and you don't have to worry if you use your OS offline.

As I understand it, you just need to update the system, since some developers, for example, Ubuntu, have already released patches.
Does this mean that if we are renewed, we will be protected? I work on Linux, but I am not an advanced user, and I would not want to get into this muck out of inexperience.
As for Windows, I don't trust this system at all.
legendary
Activity: 2212
Merit: 7064
This is not such a big problem when we know small percentage of people running Linux operating systems compared to wiNd0ws and mac.
Furthermore, a fix will be released much quicker than it would on other operating systems, and there is a temporary mitigation solution released.
If you are running your Bitcoin node on Linux you can apply the temporary solution if you want to be sure, and you don't have to worry if you use your OS offline.
legendary
Activity: 2870
Merit: 7490
And that's why you shouldn't run a random application/script you found on the internet, even if you use Linux.

This might be a bigger issue for a business that allows multiple employees to access a machine that has access to the business's hot wallet (or other secrets). In those cases, this is something that needs to be patched ASAP.

Applications with lots of dependencies are also risky; I expect someone will try to perform a supply chain attack on a programming library.
legendary
Activity: 3668
Merit: 6382
Are the linuxes or raspi boxes running hot wallets, nodes, electrum servers affected? I guess so.
And they are probably online 24/7, unlike cold storage that's meant to stay offline.

So the warning is important and big, just the targets.. may need to be updated.
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
As pooya87 explained, I don't think this is something that should affect any cold storage setup, as the only person (people) who should have access to the device(s) that contain cold storage private keys is (are) those who have the authorization to spend coin from cold storage.

This might be a bigger issue for a business that allows multiple employees to access a machine that has access to the business's hot wallet (or other secrets). In those cases, this is something that needs to be patched ASAP.
legendary
Activity: 2688
Merit: 3983
I did not understand the content of the article accurately, but as I understood it, it gives root privileges to an ordinary user, and therefore it is an account-based problem (privileges to an unprivileged user).
Meaning that it will affect devices with multiple access or used by several people, and not the average user with a single account.

In general, all systems are vulnerable to hacking, and Bitcoin provides the user with the advantage of generating keys without the need to connect to the Internet, which means that most of these bugs will not have an effect (if the user is able to physically remove all communication parts).
legendary
Activity: 2240
Merit: 3150
if you have a cold storage wallet with a Linux distro you could be affected.
Technically that shouldn't be an issue at all.
A cold storage by definition should not be accessible by anyone else remotely or physically, so there shouldn't be any way to use any kind of exploit on it.
Additionally you would use some sort of encryption on your cold storage, whether it is encryption provided by Linux itself (eg. encrypting home folder) or encrypting the wallet file itself (eg. encryption provided by Electrum). That means even gaining access to the data won't help the attacker.

I agree that with cold wallets there are many walls to take down before getting to the honeypot, and most of the time it's impossible with the currently available technology, but if you already have a massive door with an advanced lock, why leave it open?
legendary
Activity: 3472
Merit: 10611
if you have a cold storage wallet with a Linux distro you could be affected.
Technically that shouldn't be an issue at all.
A cold storage by definition should not be accessible by anyone else remotely or physically, so there shouldn't be any way to use any kind of exploit on it.
Additionally you would use some sort of encryption on your cold storage, whether it is encryption provided by Linux itself (eg. encrypting home folder) or encrypting the wallet file itself (eg. encryption provided by Electrum). That means even gaining access to the data won't help the attacker.
legendary
Activity: 2240
Merit: 3150
I know this is probably not the best place to post the thread, but if you have a cold storage wallet with a Linux distro you could be affected and only that, nodes, servers etc. Take precautions.

Quote
A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system, researchers warn today.

CVE-2021-4034 has been named PwnKit and its origin has been tracked to the initial commit of pkexec, more than 12 years ago, meaning that all Polkit versions are affected.

Part of the Polkit open-source application framework that negotiates the interaction between privileged and unprivileged processes, pkexec allows an authorized user to execute commands as another user, doubling as an alternative to sudo.

More info here: Linux system service bug gives root on all major distros, exploit released
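
On the "temporary mitigation" mentioned in the replies: the interim measure published with the advisory was to remove the setuid bit from pkexec (`chmod 0755 /usr/bin/pkexec`) until the distribution's polkit update is installed. The check below is an added example, not part of the original thread; the function names and the directory list are assumptions.

```shell
#!/bin/sh
# Added example: report whether a pkexec binary still carries the setuid bit.
# CVE-2021-4034 depends on pkexec running setuid-root, so a pkexec without
# the bit (interim mitigation) or an updated polkit package closes the hole.

# pkexec_status PATH -> prints one of: absent | setuid | no-setuid
pkexec_status() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ -u "$1" ]; then          # -u: file exists and has the setuid bit
        echo setuid
    else
        echo no-setuid
    fi
}

# audit_pkexec DIR... -> prints "<path> <status>" for every pkexec found;
# returns 1 if at least one of them is still setuid, 0 otherwise.
audit_pkexec() {
    rc=0
    for dir in "$@"; do
        p="$dir/pkexec"
        s=$(pkexec_status "$p")
        if [ "$s" = absent ]; then
            continue
        fi
        echo "$p $s"
        if [ "$s" = setuid ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Directories checked by default (assumed typical install locations).
audit_pkexec /usr/bin /usr/local/bin ||
    echo "setuid pkexec found: install the polkit update, or chmod 0755 it meanwhile"
```

A `setuid` result after updating is expected, since the patched pkexec is still setuid-root; in that case confirm through the package manager that the fixed polkit package is installed.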