According to a number of Linux distributors, a bug in the udev service under Linux can be exploited to obtain root privileges. The kernel uses udev to dynamically create device-specific files and folders (/dev/) for input and output, so that only devices which are actually connected appear in /dev. udev is not a direct component of the Linux kernel, but is included and activated by default in almost all Linux distributions which use 2.6 series kernels.
By sending crafted Netlink messages to udev, an attacker can create a globally writable block device file for an existing block device – including, according to Fedora, the root file system. By manipulating or creating files, this can reportedly be exploited to obtain root privileges.
The bug was discovered by Sebastian Krahmer from the SUSE Security Team, who found a further vulnerability in udev in the process in the form of an integer overflow in a function for decoding the path. This bug can also reportedly be exploited for a heap overflow. At present, however, it is clear only that the second bug can be used to crash udev. The Fedora team does not rule out the possibility that a user logged onto the system (locally or remotely) could exploit it to obtain root privileges. The Linux distributors have either already released or are currently preparing updated packages that address the vulnerability.