US Government Warns of Severe CopyFail Bug Affecting Major Versions of Linux (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A severe security vulnerability affecting almost every version of the Linux operating system has caught defenders off-guard and scrambling to patch after security researchers publicly released exploit code that allows attackers to take complete control of vulnerable systems. The U.S. government says the bug, dubbed "CopyFail," is now being exploited in the wild, meaning it's being actively used in malicious hacking campaigns. [...] Given the risk to the federal enterprise network, U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.
None of my machines has the module loaded. (Score:4, Informative)
grep -qE '^algif_aead ' /proc/modules
And none of my machines has that module loaded, happily.
Re:None of my machines has the module loaded. (Score:5, Informative)
It still does if it's not a module, which is true for many Linux distributions that have it compiled-in.
I have tested them and they were vulnerable even though that "grep" command said it was not loaded (because it's not a module in many distros).
Re: (Score:2)
Indeed. Which should have been obvious enough and said often enough to state that as well: It can be compiled in. Update your kernel.
This "use" probably just means it is easier to do than other local privilege escalations (which are really often possible). These are not initial exploits, which matter the most. And if you cannot trust your users, you are screwed anyways.
Re: (Score:2)
~ $ modinfo algif_aead
filename:
(so it is a loadable
~ $ grep CONFIG_CRYPTO_USER_API_AEAD
CONFIG_CRYPTO_USER_API_AEAD=m
(so it is configured as a loadable module)
~ $ lsmod | grep algif_aead
(returns nothing, so it is not loaded)
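An added example, not code from any poster here: the check the comments above walk through (lsmod, modinfo, CONFIG_CRYPTO_USER_API_AEAD) as one script that tells apart loaded, compiled in, and merely loadable, so a grep of /proc/modules alone no longer gives a false "not present" on kernels with it built in. The optional path arguments are an assumption made so the check can be run against saved copies of the files.

```shell
#!/bin/sh
# Added example (not from any commenter): classify how algif_aead is present on
# this kernel, because "not in /proc/modules" alone does not prove it is absent.
# Prints one of: loaded, builtin, module, absent.
# The three path arguments are optional; they exist so the check can be run
# against saved copies of the files (an assumption made for testing).
classify_algif_aead() {
    proc_modules="${1:-/proc/modules}"
    builtin_list="${2:-/lib/modules/$(uname -r)/modules.builtin}"
    config="${3:-/boot/config-$(uname -r)}"

    # Loaded as a module right now: listed in /proc/modules (what lsmod reads).
    if [ -r "$proc_modules" ] && grep -qE '^algif_aead ' "$proc_modules"; then
        echo loaded
        return 0
    fi
    # Compiled into the kernel image: never appears in /proc/modules, but
    # modules.builtin lists it and the config says CONFIG_CRYPTO_USER_API_AEAD=y.
    if [ -r "$builtin_list" ] && grep -qE '(^|/)algif_aead\.ko$' "$builtin_list"; then
        echo builtin
        return 0
    fi
    if [ -r "$config" ] && grep -qE '^CONFIG_CRYPTO_USER_API_AEAD=y$' "$config"; then
        echo builtin
        return 0
    fi
    # Built as a loadable module (=m) that is not currently loaded.
    if [ -r "$config" ] && grep -qE '^CONFIG_CRYPTO_USER_API_AEAD=m$' "$config"; then
        echo module
        return 0
    fi
    # Neither loaded, built in, nor available as a module (or config unreadable).
    echo absent
    return 0
}

classify_algif_aead "$@"
```

The result describes how the code is present, not whether the kernel carries the fix; a "builtin" or "loaded" kernel still needs the update.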
Distributions with compiled in module: (Score:5, Informative)
Don't be so self-assured. For the following distributions you can't unload the module, as it is compiled into the kernel and would not show up in /proc/modules either. These distributions cover a FUCKING HUGE market share for Linux:
Distributions with algif_aead compiled in (vulnerable as of early May 2026):
Ubuntu: 20.04 LTS, 22.04 LTS, 24.04 LTS.
RHEL-family: Red Hat Enterprise Linux 10.1 (and earlier), AlmaLinux, Rocky Linux, Oracle Linux, CloudLinux.
Amazon Linux: Amazon Linux 2023.
SUSE: SUSE Linux Enterprise 16 and earlier.
Others: Debian (all active releases), Arch Linux, and Fedora.
Embedded: Many Yocto BSPs, NVIDIA Jetson, and Ubuntu Core.
Is yours among them?
Re: (Score:3)
This really points to a couple of things being true.
1) Distributions build too much stuff in and not enough as modules.
2) It's a PITA to build everything as a module, which helps explain 1)
I've built a lot of Linux kernels over the years, fewer in recent ones but still have done it occasionally. And it's the same now as then in that building a kernel which is more modular means running into more gotchas.
Re:Distributions with compiled in module: (Score:4, Interesting)
FWIW AlmaLinux didn't wait for Red Hat - they tested their own fixes and have now released new kernels to address this.
https://almalinux.org/blog/202... [almalinux.org]
Re: (Score:2)
FYI, seeing the same on Ubuntu server 24.04 - it's built as a module, not loaded by default, and the test exploit fails.
Same for a few versions of Devuan I tested.
IMHO, the copyfail website is doing people a disservice by stating:
The same 732-byte Python script roots every Linux distribution shipped since 2017.
This may be a far reaching issue, but they're definitely exaggerating.
There should also be a better "am I vulnerable" script. The exploit, if successful, isn't something you want to run (leaves /usr/bin/su effectively hacked). If the exploit fails, it's not clear why (unless you un
Re: (Score:2)
Is yours among them?
Nope. Plus SELinux, configured properly, completely mitigates the attack.
Re: (Score:1)
You've listed Debian in error here. At least up through current stable, it's a module on x86/x86_64 kernels. I can't speak for their ARM kernels or whatever is in testing/stable, as I haven't tested them recently.
Re: (Score:1)
*I meant to type testing/unstable there, but I'd be surprised if it was any different. Compiling that shit in statically is a classic RedHat move.
Re: (Score:1)
(I assume it's astroturf, paid for by RedHat.)
15 years or so of coverage. Pretty nasty. (Score:2)
Nothing before late 2017 was impacted. LPE only. (Score:1)
Re: (Score:2)
I know most of the children around here consider 9 years to be "all versions" but to me that's laughable
There are two dangerous people in the world: newbies, and experts. The newbies don't know what they are talking about, and the experts are so certain they are blind to the reality of the world around them. We are talking security here. 9 years may not be "old" for your pet project, but in the world of production systems 9 years already covers every major version of Linux currently under support without paying for an expensive maintenance agreement, and that includes LTS releases. This includes every current
Re: Nothing before late 2017 was impacted. LPE onl (Score:2)
9 years isn't a long time for anyone except kids and Gen Z. There are probably a shitload of embedded systems with kernels older than 9 years and probably some old phones and tablets still around too. Sure, for external facing systems you need to be up to date, but plenty of corps don't upgrade the firewalled backend servers for a long period because they Just Work and a new kernel can mean new bugs and new failure scenarios, not to mention app compatibility issues. See: Cobol.
So get off your high horse sonny an
Re: Nothing before late 2017 was impacted. LPE onl (Score:2)
9 years isn't a long time for anyone except kids. There are probably a shitload of embedded systems with kernels older than 9 years and probably some old phones and tablets still around too. Sure, for external facing systems you need to be up to date, but plenty of corps don't upgrade the firewalled backend servers for a long period because they Just Work and a new kernel can mean new bugs and new failure scenarios, not to mention app compatibility issues. See: Cobol.
So get off your high horse sonny and when you
Re: (Score:1)
If you want to split hairs then sure, call it modern Linux
I did, but you "but sekuritee!!" folks were bound to get unglued anyway, because someone brought up something older (you did, in fact). I've noticed you're one of those people who seems to hate the idea that someone runs an old system somewhere for any reason. So, I'll mention that I know someone who runs an IRIX 6.5.30 system on the open Internet and has done so for the last 20+ years and never been hacked or compromised once, despite folks like you screaming bloody murder about how "insecure" that is. Of
Re: (Score:2)
Also, it's a bit of a lie to say it affects all versions of Linux. ...
Agreed. I don't have the module loaded on any of the systems I've tested (about a dozen), and the exploit doesn't run either. This includes some recent and older Devuan systems, and some Ubuntu 24.04 servers.
It would be helpful if the proof of concept exploit had just a bit more to it. For example, it could print something saying you're not vulnerable to this exploit when it fails to open the socket, rather than a cryptic error. Slashdot won't let me paste what I get, mostly because the source code was obfu
Bias: Expect the current regime (Score:3)
to publicize Linux security breaches more vigorously than iOS or Microsoft security breaches. Closed source OS providers have historically had more vulnerabilities, but the US government tends to look the other way.
Why would they do this?
They want closed source solutions to be adopted over open source solutions.
The future the government wants is to ensure each user of a personal computer can be ID'd and tracked. Age verification is the wedge to force this onto every PC. Open source operating systems get in the way of this.
Re: (Score:2)
It's kind of a lame exploit, as it requires the attacker to already have console access on the box.
In most cases, if someone who doesn't work for your company already has that level of access, you already screwed up somewhere in your security stack.
or a crappy wordpress plugin (Score:2)
Or other crappy web application.
Re: (Score:2)
Cpanel?
https://www.malwarebytes.com/b... [malwarebytes.com]
Re: (Score:2)
I would think the main threat is from fooling users into running some downloaded executable code.
Re: (Score:2)
In most cases, if someone who doesn't work for your company already has that level of access, you already screwed up somewhere in your security stack.
While true, of course there's still the insider problem to contend with. We've seen plenty of cases where disgruntled employees decide to burn everything on their way out (and, sometimes, not even waiting until then...).
Re: (Score:2)
It's kind of a lame exploit, as it requires the attacker to already have console access on the box.
Or an exploit like log4j that gives it to them
Re: (Score:2)
That's pretty myopic thinking.
First of all, you're wrong. An attacker does not need "console" access but rather does need some kind of shell or execution ability. Given how sophisticated attacks today are often chains of vulnerabilities, I would not at all be surprised to see cPanel or other web vulnerabilities chained with this. Furthermore, if someone who doesn't work for you already has that level of access (meaning ability to execute a program on a computer), you already screwed up? Ok, and what if a tr
Re: (Score:2)
The fuck are you talking about. Literally 4 days ago The US government issued a warning about CVE-2026-32202 - a Windows bug.
There is a bias here, it's your observer bias.
Yep. Keep some older UNSAFE computers. (Score:3)
Re: (Score:2)
What hardware in Canada is "unwelcome"?
Re: (Score:1)
After watching Canada's naked assault on individual rights the last few years, I'd guess they'd b
Re: (Score:2)
It's clear that in places like the EU, Russia, Canada, or China, un-bugged non-surveillance-enabled computing is more and more unwelcome.
Canada is the home of OpenBSD [openbsd.org], which is not only open source, but was founded largely in response to strong cryptography being classified as a "munition" in the US.
Copy Fail: 732 Bytes to Root (Score:3)
“Copy Fail [copy.fail] (CVE-2026-31431) is a logic bug in the Linux kernel's authencesn cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.”
The government heard this only NOW? (Score:1)
I first heard about copyfail about a week ago and at that time they had detected no exploits in the wild. I patched the next day. In security circles, this is OLD news.
- BTW: there were also mitigations to prevent exploitation, in case you could not patch, already available on day 1 of the announcements. So SOME security people knew earlier and had already taken action.
Several Linux distributions pushed out updates, patches, or early releases to prevent either anxiety or impact among their community.
Thanks guys!