On January 20, 2016, a new Linux Kernel zero-day vulnerability (CVE-2016-0728) was disclosed by Perception Point. The vulnerability has the potential to allow attackers to gain root on affected devices by running a malicious Android or Linux application.

Our investigation is ongoing; however, at this time we have not identified any Cisco products as exploitable. Should this change, we will publish a Security Advisory on the Cisco Security Portal.

Additional Background:
The Linux Kernel Zero-Day vulnerability has been present in Linux kernel code since 2012 and affects both 32 and 64-bit operating systems running Linux kernel 3.8 and higher.

Local access is required to exploit the flaw, which could allow lower privileged users to gain root access to the system. The vulnerability is the result of a reference leak in the keyrings facility built into some Linux distributions. The keyrings facility is primarily a way to encrypt and store login data, encryption keys and certificates, and then make them available to applications.

The reference leak may be exploited by attackers to ultimately execute arbitrary code in the Linux kernel. So far, no exploits have been discovered in the wild that take advantage of this vulnerability.

Perception Point has provided a technical analysis of the vulnerability and how it can be exploited, including a proof-of-concept (PoC) exploit code published on its GitHub page.

Perception Point also reported the flaw to the Linux team and patches were released on January 21, 2016. Devices with automatic updates configured will receive the fix.

For more information about the vulnerability you may reference the Cisco Multivendor Link.

Cisco Product Security Incident Response Team (PSIRT):
Cisco is committed to constantly improving the overall security of the products and services our customers rely on. As part of this commitment, we continually assess the security of software components used in our products. Open source software plays a key role in many Cisco products, and as a result, ensuring the security of these components is vital, especially in the wake of major vulnerabilities affecting the industry as a whole.

Cisco PSIRT continuously works with product teams and the industry to analyze the security impact threats have on our entire suite of products and release security information in accordance with our Security Vulnerability Policy.


John Klimarchuk

PSIRT Incident Manager

Security Research and Operations