March 2022 - TuxCare

Introducing the State of Enterprise Linux Security Report

As regulations around cyber security tighten and the risks increase, have you ever wondered how your company’s IT processes rank compared to others? Are you patching your systems on time, or are you one of the majority of organizations that take upwards of a month to deploy patches for known vulnerabilities?

As cyber security concerns become more prevalent and threat actors get more sophisticated, it has never been more important to be aware of the current State of Enterprise Linux Security Management. After a successful publication last year of our report on vulnerability management, TuxCare has worked with the Ponemon Institute to develop an updated version, providing a more in-depth understanding of the security risks and mitigation strategies currently in place for Enterprises. Just as the risks are global and can potentially affect every organization, sharing knowledge of how companies deal with security can provide the insights needed to develop and implement the correct strategies – or identify areas where your organization may be lacking and doesn’t even realize it.

Some of the findings were truly unexpected. In an industry where vulnerability awareness is a foundational process, and the response to such vulnerabilities is patching, it was impressive to discover that over 56% of organizations take more than four weeks to deploy patches for known important or critical vulnerabilities. This would be a worrying sign at the best of times, but it is even more important to consider in the current cyber security environment. What steps can be taken to improve this situation? Leaving systems unprotected for such a long period of time invites disaster.

Also, it is remarkable that about a third of organizations are not aware that the security of cloud-hosted systems is still their responsibility. This gap can induce a false sense of security and contribute to a large proportion of systems being left in a security limbo, where the only people looking at them are the threat actors.

On a more positive note, the rise of automation is indeed moving from the headlines to the actual day-to-day activities of IT teams. The standardization and repeatability of processes that come with it is a boon that would be hard to achieve with manual operations.

For these and many other interesting aspects related to Enterprise Linux Security, be sure to check the complete report, which you can find HERE.

“Dirty Pipes” in the Kernel

A few years ago, a vulnerability dubbed “Dirty Cow” (CVE-2016-5195) was in the spotlight for a while. It was a trivially exploitable privilege escalation path that basically affected any Linux distribution and was exploited in the wild extensively. That vulnerability abused the Kernel’s Copy-On-Write (COW) mechanism and was sometime later found to be remotely exploitable through web servers that allowed file uploads.

On the 7th of March of 2022, a similar vulnerability was disclosed, also affecting all recent Linux distributions, nicknamed “Dirty Pipe” (CVE-2022-0847). It lets an unprivileged user overwrite any file, or part of a file, in a Linux system, even read-only ones. Several variants have already been disclosed that allow for the replacement of SUID files.

Patches for CVE-2022-0847 will be made available through KernelCare in the coming days, and this post will be updated with availability information as each becomes ready. At this moment, vulnerable kernel versions include 5.8 and onwards, with the flawed commit having been backported to multiple 4.x versions as well.

[Update 9th March: Updates for RHEL 8 and Oracle EL 8 are now available for deployment. Further patches are being prepared for other distributions.

Update 10th March: Updates for CentOS8, Almalinux 8, Rocky Linux, Ubuntu 20.04, CloudLinux 8 and CloudLinux 7h are also completed and are going to show up on feeds.

Update 11th March: Another batch of updates released for Ubuntu 18.04, Proxmox VE5 and Proxmox VE6.]

To understand the underlying flaw behind CVE-2022-0847, it is important that we first offer some brief information regarding CVE-2016-5195. “Dirty Cow” was possible because a race condition was found in the Copy-On-Write subsystem within the kernel. As a result, an unprivileged user could write in otherwise unreachable memory locations through this flaw. This would “dirty” those memory locations, hence the name. Moving from this to an elevation of privilege is a trivial operation for any properly motivated malicious actor, and in fact, that is precisely what happened. While “Dirty Cow” started as a local-only exploit, it was soon discovered that web servers that had the option to accept uploads from users could also be used as an attack vector. Hence, the vulnerability turned out to be remotely exploitable.

Fast forward a few years, and now IT teams are faced with “Dirty Pipe”, or CVE-2022-0847 if you think nicknaming vulnerabilities is not a very professional thing to do. As the name suggests, the flaw this time lies in the pipe handling code. Pipes are used as a way to pass information between processes. The most visible way pipes are used is when chaining commands, passing the output from one to the next through a “pipe”. Note that pipes can be created directly in code rather than simply used in the shell by an end-user or script.

It turns out that code introduced in this commit to the Linux Kernel “refactored” the way pipe flags (a way to control pipe behavior) are handled. You can read the extensive process behind the discovery of this vulnerability here.

Long story short, it became possible to write user-controlled content at an also user-controlled location in any file within the system (note that, since everything in a Linux system is technically a “file”, new variants of this vulnerability may introduce new, as-of-yet unknown behaviors). For example, introducing new content into /etc/shadow, or other, more subtle, ways of manipulating a system.

Since the exploit code is trivial, it is already widely available online (while not a deterrent, we try to refrain from posting direct links to exploit code on our blog). Because pipes are a basic functionality of the Kernel, the potential risk posed by this vulnerability is very high. It is also noteworthy that several variants have already been found, where the same flaw is used to abuse other system components rather than just writing directly to otherwise unwritable files. It is not that far-fetched to imagine that remotely exploitable attack vectors will surface in the coming days, just like they appeared for “Dirty Cow” in 2016.

For a quick check, customers might want to verify the kernel version in use. Kernels before 5.8, and kernels from 5.16.11, 5.15.25 or 5.10.102 onwards, are not affected. Other kernel versions may depend on the specific backporting policies of each vendor and are currently being evaluated.
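The quick version check described above, written out as a small POSIX shell script. This is an added example, not TuxCare or KernelCare code: it only encodes the version boundaries stated in this post (unaffected before 5.8; fixed from 5.10.102, 5.15.25 and 5.16.11), and it deliberately reports "check-vendor" for every other 5.8+ kernel, because distribution kernels carry their own backports and the version string alone cannot settle the question. The helper names (`base_version`, `version_ge`, `dirty_pipe_status`) are this example's own.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the version ranges
# given in the post for CVE-2022-0847. Not TuxCare code; vendor backports
# (including the 4.x backports the post mentions) are not modelled here.

# Reduce "5.10.102-0-generic" or "4.18.0-348.el8.x86_64" to the leading
# dotted-numeric part ("5.10.102", "4.18.0").
base_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/'
}

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Components are compared numerically; missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# dirty_pipe_status RELEASE prints one of:
#   unaffected-upstream  - below 5.8, the post's lower bound
#   fixed                - at or above the stable fix for that series
#   check-vendor         - 5.8+ but not in a listed fixed range; consult
#                          the distribution advisory for its backport status
dirty_pipe_status() {
    v=$(base_version "$1")
    if ! version_ge "$v" "5.8"; then
        echo "unaffected-upstream"
        return 0
    fi
    # major.minor series, padded to two components (e.g. "5.10")
    mm=$(printf '%s\n' "$v" | awk -F. '{ printf "%d.%d", $1, $2 }')
    case "$mm" in
        5.10) fix="5.10.102" ;;
        5.15) fix="5.15.25" ;;
        5.16) fix="5.16.11" ;;
        *)    fix="" ;;
    esac
    if [ -n "$fix" ] && version_ge "$v" "$fix"; then
        echo "fixed"
        return 0
    fi
    echo "check-vendor"
}

# Stand-alone use: classify the running kernel.
running=$(uname -r)
printf '%s -> %s\n' "$running" "$(dirty_pipe_status "$running")"
```

A "fixed" or "unaffected-upstream" result is only as good as the upstream numbering; on RHEL-style kernels, where the version stays at 4.18.0 or 5.14.0 while fixes are backported, the vendor advisory or the live-patch status is the authoritative answer, which is why the script never claims more than the post itself does.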

Updates for RHEL 8, Oracle EL 8, CentOS8, Almalinux 8, Rocky Linux, Ubuntu 18.04, Ubuntu 20.04, Proxmox VE5, Proxmox VE6, CloudLinux 8 and CloudLinux 7h are now available for deployment through KernelCare Enterprise. Further patches are being prepared for other distributions. IT teams are strongly encouraged to patch this vulnerability as soon as possible. TuxCare’s patches for KernelCare Enterprise will be made available shortly, and this post will be updated to reflect the actual availability of these patches when each is released.

TuxCare’s KernelCare Enterprise is providing live patches for “Dirty Pipe” even when the original distribution vendor is not able to do so with their own live patching solution.

Through KernelCare Enterprise, receiving patches for this and other vulnerabilities can be done without disrupting running workloads or having to reboot systems. If you would like to know more about KernelCare Enterprise and other TuxCare products, please check here.

Key points to consider during your 7 days of KernelCare Enterprise POV

Proof of value (POV) is a key step in the buying process. It allows tech teams to test a product or service to find out whether it is fit for purpose, and a good match for the team’s needs. That’s why KernelCare offers a free seven-day period where you can test KernelCare for yourself.

It’s nonetheless a limited time period, and you need to make the best of it. In this article we outline some of the points you should think about when you try out KernelCare Enterprise in your organization. Continue reading “Key points to consider during your 7 days of KernelCare Enterprise POV”

Securing confidential research data through TuxCare live patching

The University of Zagreb’s Croatian Academic and Research Network (CARNet) faced a significant threat: like other educational institutions, its networks were under constant attack from cybercriminals. But the one obvious route to secure operations – regular patching – was difficult to perform consistently.

In this case study we examine how Mirsad Todorovac, CARNet system engineer at the University of Zagreb, discovered KernelCare Enterprise and how the product – a TuxCare service – helped the university to battle mounting cyber threats.

Continue reading “Securing confidential research data through TuxCare live patching”

Monthly TuxCare Update – February 2022

Welcome to the February instalment of our monthly news round-up, brought to you by TuxCare. We’re proud to be a trusted maintenance service provider for the Enterprise Linux industry. Thanks to our live patching solutions, we help maximize system security and uptime whilst reducing your maintenance workload and minimizing system disruption.

Continue reading “Monthly TuxCare Update – February 2022”
