
CISA Warns of New Malware Exploiting Known Kernel Vulnerabilities

November 10, 2022 - by TuxCare PR Team

Last year, CISA created a list of vulnerabilities that are being actively exploited, together with a list of the applications directly affected by them. Over time, the list has been updated to reflect new and emerging threats.

Recently, a new malware family was discovered, and CISA added two vulnerabilities to that list because the malware actively exploits them to spread to new target systems.

The malware in question is called “Shikitega”, identified by AT&T’s Alien Labs in September. It targets systems running Linux, including IoT devices, and gains full system access by leveraging known exploits on the Linux kernel. So far, it has been used to deploy cryptocurrency miners to affected systems, but this type of malware is usually flexible enough to deploy different payloads to different targets (for example, ransomware instead of a cryptominer).

The two vulnerabilities are CVE-2021-4034 and CVE-2021-3493. Both were identified in 2021, as their identifiers indicate, and both have patches available. The fact that there are still systems vulnerable to them shows how slow proper patching processes are in many organizations.

CVE-2021-4034, better known as PwnKit, made the rounds across a number of news sites, helped by the fact that its exploit was both reliable and relatively easy to trigger, and by how widespread the affected component is: pkexec, its target (polkit's setuid helper), is present on most, if not all, Linux systems. A more detailed description can be found in the TuxCare blog here.

The other vulnerability, CVE-2021-3493, is a bug in the Linux kernel's OverlayFS implementation, and it was used in conjunction with PwnKit to obtain elevated privileges on the target systems.
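A defender's first question after reading an advisory like this is whether a given host still exposes the attack surface these two CVEs need. The following script is an added example, not code from the TuxCare post or from CISA: it is a read-only audit that reports whether pkexec is installed with the setuid bit (the precondition PwnKit relies on) and whether unprivileged user namespaces are enabled (the precondition the OverlayFS bug relies on for an unprivileged local user). It assumes the Debian/Ubuntu sysctl file `/proc/sys/kernel/unprivileged_userns_clone` or the upstream `/proc/sys/user/max_user_namespaces` as the source for the second check, and it deliberately does not compare package versions, since the fixed version differs per distribution and belongs to each vendor's advisory.

```shell
#!/bin/sh
# Added example (not from the TuxCare post): read-only audit of the exposure
# surface for CVE-2021-4034 (PwnKit) and CVE-2021-3493 (OverlayFS).
# It patches nothing; the remedy is still the vendor update or a live patch.

# PwnKit is only reachable through a setuid-root pkexec.
# Prints "setuid", "present" (binary exists without the bit) or "absent".
setuid_state() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo present
    fi
}

# The OverlayFS bug is reached by an unprivileged user through a user
# namespace, so report whether unprivileged user namespaces are enabled.
# The file path is a parameter so the function can be tested on a constructed
# file. Assumed sources on a live host: /proc/sys/kernel/unprivileged_userns_clone
# (Debian/Ubuntu kernels, 0/1) or /proc/sys/user/max_user_namespaces
# (upstream, 0 means disabled). Prints "enabled", "disabled" or "unknown".
userns_state() {
    if [ ! -r "$1" ]; then
        echo unknown
        return
    fi
    val=$(tr -d '[:space:]' < "$1")
    case "$1" in
        */unprivileged_userns_clone)
            case "$val" in
                0) echo disabled ;;
                1) echo enabled ;;
                *) echo unknown ;;
            esac ;;
        */max_user_namespaces)
            case "$val" in
                0)  echo disabled ;;
                '') echo unknown ;;
                *)  echo enabled ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Run both checks, print one line per check and a count of items that need
# attention. Always returns 0 so it is safe inside inventory/cron jobs.
audit_host() {
    pkexec_path="${1:-/usr/bin/pkexec}"
    userns_file="${2:-/proc/sys/kernel/unprivileged_userns_clone}"
    findings=0
    s=$(setuid_state "$pkexec_path")
    u=$(userns_state "$userns_file")
    echo "pkexec: $s ($pkexec_path)"
    if [ "$s" = setuid ]; then findings=$((findings + 1)); fi
    echo "unprivileged user namespaces: $u ($userns_file)"
    if [ "$u" = enabled ]; then findings=$((findings + 1)); fi
    echo "attention items: $findings"
    return 0
}

# Run against the current host when executed directly (defaults above).
audit_host "$@"
```

A "setuid" pkexec on an unpatched host is the finding that matters for PwnKit; "enabled" user namespaces only mean the OverlayFS precondition is met, so the count should be read alongside the distribution's advisory for the installed kernel and polkit versions rather than as a vulnerability verdict on its own.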

By adding those vulnerabilities to the Known Exploited Vulnerabilities Catalog, CISA has provided a strict deadline to federal agencies by which they must fix those flaws in the systems they manage.

If you are still running systems that are not patched against these, and many other, Linux kernel vulnerabilities, you should consider a different approach to patch management: KernelCare's Live Patching service offers a disruption-free alternative to traditional patching. KernelCare patches vulnerabilities quickly, providing the protection needed to guard against Shikitega and other threats that could exploit them.
