CISA Adds Critical Linux Kernel Vulnerability to its KEV Catalog
CISA has issued a warning about three new vulnerabilities that are being actively exploited. These vulnerabilities pose a significant risk to organizations and should be patched immediately. Among them, CVE-2017-1000253 is a critical Linux kernel vulnerability that could lead to privilege escalation by a local attacker.
As a frequent target for malicious actors, the Linux kernel is central to many enterprise systems. Therefore, unpatched vulnerabilities can expose these systems to significant risks.
Let’s explore the vulnerabilities that have been added to CISA’s Known Exploited Vulnerabilities Catalog and the proactive steps necessary to mitigate them, focusing in particular on the Linux kernel vulnerability.
Linux Kernel Vulnerability: CVE-2017-1000253
This vulnerability affects Linux distributions that did not apply a critical April 2015 fix to their long-term kernels. The issue lies in how the kernel’s load_elf_binary() function maps PIE binaries into memory. When CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE is enabled and the normal top-down address allocation strategy is used, the function does not reserve enough address space for the entire binary. As a result, subsequent segments are mapped into the gap between the stack and the binary, leading to a buffer overflow that a local attacker can exploit.
The flaw was fixed with the kernel commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86, but many systems remained unpatched, making them vulnerable to exploitation.
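To make the size mistake concrete, here is an added example (not code from the page, the kernel or TuxCare) that parses the program headers of a small ELF64 image and compares two numbers: the extent of the first PT_LOAD segment alone, which is all the unpatched loader reserved before placing the binary below mmap_base, and the span from the first PT_LOAD to the end of the last one, which is what a loader must reserve so that the remaining segments stay inside the reservation. The function and constant names are my own, the two-segment PIE image is constructed inline for the demonstration, and total_mapping_size() is my reimplementation of the span calculation rather than the kernel's code.

```python
import struct

ET_DYN = 3                 # e_type of a PIE / shared object
PT_LOAD = 1                # loadable program header
PT_GNU_STACK = 0x6474E551  # stack permissions marker, ignored by the loader's sizing
PAGE_SIZE = 0x1000

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes


def page_start(addr):
    """ELF_PAGESTART: round an address down to a page boundary."""
    return addr & ~(PAGE_SIZE - 1)


def parse_program_headers(blob):
    """Return (e_type, [program header dicts]) from an ELF64 little-endian image."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    fields = struct.unpack_from(EHDR_FMT, blob, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, blob, e_phoff + i * e_phentsize)
        phdrs.append({"type": p[0], "flags": p[1], "offset": p[2], "vaddr": p[3],
                      "filesz": p[5], "memsz": p[6], "align": p[7]})
    return e_type, phdrs


def first_segment_size(phdrs):
    """Extent of the first PT_LOAD only: all the pre-fix loader reserved up front."""
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    if not loads:
        return 0
    first = loads[0]
    return first["vaddr"] + first["memsz"] - page_start(first["vaddr"])


def total_mapping_size(phdrs):
    """Span from the first PT_LOAD's page start to the end of the last PT_LOAD.
    Reserving this much keeps every later segment inside the initial mapping."""
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    if not loads:
        return 0
    first, last = loads[0], loads[-1]
    return last["vaddr"] + last["memsz"] - page_start(first["vaddr"])


def build_sample_pie():
    """Constructed two-segment PIE image: headers only, no code or data."""
    phdrs = [
        # type, flags, offset, vaddr, paddr, filesz, memsz, align
        (PT_LOAD, 5, 0x0, 0x0, 0x0, 0x1000, 0x1000, 0x1000),            # r-x text
        (PT_LOAD, 6, 0x1000, 0x201000, 0x201000, 0x800, 0x2000, 0x1000),  # rw- data + bss
        (PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16),
    ]
    e_ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = struct.pack(EHDR_FMT, e_ident, ET_DYN, 0x3E, 1, 0x1000, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


def reservation_report(blob):
    """Summarise how much address space the two strategies reserve for this image."""
    e_type, phdrs = parse_program_headers(blob)
    first_only = first_segment_size(phdrs)
    full_span = total_mapping_size(phdrs)
    return {"is_pie": e_type == ET_DYN, "first_segment_only": first_only,
            "full_span": full_span, "unreserved_bytes": full_span - first_only}


if __name__ == "__main__":
    for key, value in reservation_report(build_sample_pie()).items():
        print(f"{key:>20}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>20}: {value}")
```

For the constructed image the first segment alone covers 0x1000 bytes while the full span is 0x203000 bytes, so a loader that reserved only the first segment would place the data segment roughly 2 MiB above the reservation, which in a top-down layout is the region between the binary and the stack.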
ImageMagick Vulnerability: CVE-2016-3714
Another vulnerability added to the CISA catalog is CVE-2016-3714, also known as “ImageTragick.” This vulnerability, present in ImageMagick before versions 6.9.3-10 and 7.x before 7.0.1-1, allows remote attackers to execute arbitrary code by sending maliciously crafted images. The flaw stems from improper input validation, where shell metacharacters in the image are processed, leading to command execution on the target system.
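One of the mitigations published for ImageTragick was to check that an uploaded file actually begins with the magic bytes of the image format it claims to be before handing it to ImageMagick, since the delegate handling that processed the shell metacharacters was reached through text-based formats regardless of the file extension. The following is an added example (not code from the page or from the ImageMagick project) of such a check; the allow-list, function names and sample inputs are my own constructions.

```python
import os

# Constructed allow-list of leading bytes for the formats this service accepts.
MAGIC_BYTES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Permitted extensions and the format the content must confirm.
EXTENSION_FORMAT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def sniff_image(data):
    """Return the format whose magic bytes open `data`, or None if none match."""
    for fmt, magics in MAGIC_BYTES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def validate_upload(data, filename):
    """Accept the upload only if the extension is allowed and the content really
    starts with that format's signature. Returns (ok, detail)."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXTENSION_FORMAT.get(ext)
    if expected is None:
        return False, f"extension {ext!r} is not permitted"
    actual = sniff_image(data)
    if actual is None:
        return False, "content does not start with a known image signature"
    if actual != expected:
        return False, f"extension claims {expected} but content is {actual}"
    return True, actual


# Constructed sample inputs: a genuine PNG header, and a text file that carries
# a .jpg name but is really an MVG script, the kind of mismatch the check rejects.
SAMPLES = {
    "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "mvg_as_jpg": b"push graphic-context\nviewbox 0 0 640 480\n",
}

if __name__ == "__main__":
    print("photo.png  ->", validate_upload(SAMPLES["png"], "photo.png"))
    print("photo.jpg  ->", validate_upload(SAMPLES["mvg_as_jpg"], "photo.jpg"))
    print("photo.jpg  ->", validate_upload(SAMPLES["png"], "photo.jpg"))
```

The check belongs in front of ImageMagick rather than in place of the upgrade: it blocks disguised script inputs from reaching the vulnerable delegate code path, and a policy.xml that disables the EPHEMERAL, URL, HTTPS, MVG and MSL coders (the other mitigation published with the advisory) closes the same path for applications that cannot patch immediately.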
SonicWall’s SonicOS Vulnerability: CVE-2024-40766
The third vulnerability, CVE-2024-40766, is an access control flaw in SonicWall’s SonicOS that could allow unauthorized access to firewall resources. It affects Gen 5, Gen 6, and Gen 7 devices running older versions of SonicOS. Attackers could exploit this flaw to bypass access controls and potentially cause firewall crashes, posing a risk to network security.
Patching Linux Kernel Vulnerabilities
The CVE-2017-1000253 vulnerability within the Linux kernel is an important reminder that kernel-level security issues can have devastating effects if left unpatched. Federal agencies are required to comply with Binding Operational Directive (BOD) 22-01, which mandates the remediation of vulnerabilities listed in the Known Exploited Vulnerabilities Catalog. However, CISA strongly urges organizations outside the federal government to adopt similar practices to reduce their attack surface.
For Linux system administrators, regular kernel patching is a critical component of a secure IT environment. Some strategies to mitigate vulnerabilities like CVE-2017-1000253 include:
Timely Patch Management: Ensure that all Linux distributions are running up-to-date kernels that have patched known vulnerabilities.
Live Patching: For enterprises that cannot afford downtime, live patching tools like KernelCare Enterprise can be implemented to apply security patches without having to reboot the system. KernelCare also automates the deployment of patches, ensuring they are applied immediately when available. This reduces the risk of missing or delayed patches.
The KernelCare team has already deployed a live patch for CVE-2017-1000253. You can track the availability of live patches for Linux kernel vulnerabilities across various distributions using TuxCare’s CVE tracker.
Source: CISA Alert