Linux Kernel Vulnerabilities to Know (and Mitigate Without Reboot)
Because Linux is open source, a community of developers can add to its codebase and improve its features and performance. However, that same openness means attackers can read the source code too, which makes Linux-based devices, including critical servers, susceptible to potential vulnerabilities.
Known vulnerabilities are reported to the centralized NIST vulnerability database, where vendors, developers, and users can learn which flaws affect specific software versions. A Common Vulnerabilities and Exposures (CVE) report serves as a signal for users to promptly apply software patches, including those for the Linux kernel, to address the identified issue.
This article aims to help you find out about recent Linux kernel vulnerabilities – as well as provide solutions to mitigate them without having to reboot your servers and disrupt your services.
Linux Kernel Vulnerability 2023
Every month, new CVEs are added to the publicly available NIST database and more than 130 vulnerabilities have already been discovered in the Linux kernel. A primary issue behind many of the biggest security breaches is unpatched software – or outdated versions of that software.
We will highlight several recently discovered CVEs that you should be aware of so that you can secure servers and devices.
Netfilter Linux Kernel Vulnerability (CVE-2023-32233)
CVSS 3.x Score: 7.8 (High)
Netfilter is a framework for packet filtering and network address translation (NAT) in the Linux kernel. Tools such as UFW and IPtables are used to manage this framework.
A new vulnerability was discovered in the Netfilter nf_tables subsystem due to the mishandling of anonymous sets. A local user can trigger this use-after-free to gain root privileges and perform arbitrary reads and writes of kernel memory.
Linux Kernel’s Netfilter Subsystem Vulnerability (CVE-2023-0179)
CVSS 3.x Score: 7.8 (High)
A buffer overflow vulnerability was also discovered in the Netfilter subsystem of the Linux kernel. This issue could leak both stack and heap addresses and potentially allow local privilege escalation to the root user via arbitrary code execution.
Performance Events Vulnerability in Linux Kernel (CVE-2023-2235)
CVSS 3.x Score: 7.8 (High)
A use-after-free vulnerability was found in the Performance Events subsystem of the Linux kernel. The perf_group_detach function did not check the attach_state of the event's siblings before calling add_event_to_groups(), while remove_on_exec made it possible to call list_del_event() before the events were detached from their group, leaving a dangling pointer that could then be used.
Linux Kernel SGI GRU driver Vulnerability (CVE-2022-3424)
CVSS 3.x Score: 7.8 (High)
A use-after-free vulnerability was discovered in the SGI GRU driver of the Linux kernel: when a user first calls the gru_file_unlocked_ioctl function and the gru_check_chiplet_assignment function fails, freed memory is used afterwards. A local user can exploit this flaw to crash the system or escalate their privileges.
Linux Kernel Ext4 File System Vulnerability (CVE-2023-1252)
CVSS 3.x Score: 7.8 (High)
A use-after-free vulnerability was discovered in the Ext4 filesystem of the Linux kernel when a user starts multiple file operations at the same time on top of overlayfs. A local user can use this flaw to crash the system or potentially escalate their privileges.
There are other recent Linux kernel vulnerabilities found in the year 2023, which we have covered in our previous post: New Security Vulnerabilities Discovered in the Linux Kernel.
Some Linux Kernel Vulnerabilities that You Should Know About
In addition to the recent CVEs that we’ve talked about so far in this post, we’ve collected a few of the most important older CVEs that you should be aware of so that you can secure your Linux-based servers and devices.
Let’s take a look.
Heartbleed (CVE-2014-0160)
CVSS 3.x Score: 7.5 (High)
Codenomicon discovered a critical buffer over-read vulnerability in OpenSSL, ‘Heartbleed’, while doing a routine test of its software. Heartbleed became one of the most serious bugs impacting servers that rely on OpenSSL for SSL/TLS. The incident serves as a reminder that a single line of code can lead to a critical bug, since only one coding error was behind Heartbleed.
memcpy(bp, pl, payload);
The bp variable is the destination pointer that receives the copied data, while the pl variable points to the source data, and the payload variable denotes the number of bytes to copy. Unfortunately, the developers overlooked validating the payload length against the data actually received, creating a vulnerability that attackers can exploit.
In this scenario, an attacker could send 8 bytes of data for the pl variable while maliciously setting the payload variable to 64. Consequently, the affected software, OpenSSL, would transmit 64 bytes of data instead of the intended 8. The extra bytes come from whatever happens to follow in memory: private keys, passwords, user data, or anything else stored there. It’s important to note that Heartbleed was not a buffer overflow but an over-read issue. The lack of proper checks on the payload length resulted in an excessive read operation, exposing unintended data from memory.
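To make the missing check concrete, here is an added example written for this article (it is not OpenSSL's code): a constructed heartbeat-style record carries 8 payload bytes but claims 64, and the vulnerable shape copies on past them while the hardened shape drops the record. The record layout, the 16-byte minimum padding, and all function names are assumptions modelled on the message format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record modelled on a TLS heartbeat message:
   [type:1][payload_len:2 big-endian][payload][padding, at least 16 bytes]. */
#define HB_HDR 3
#define HB_PAD 16
typedef size_t (*hb_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Vulnerable shape: copies whatever length the record claims. */
static size_t reply_vulnerable(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap) {
    (void)rec_len;                        /* the real length is never consulted */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap) return 0;
    memcpy(out, rec + HB_HDR, payload);   /* reads past the bytes actually sent */
    return payload;
}

/* Hardened shape: header + claimed payload + padding must fit in the bytes
   actually received, otherwise the record is silently dropped. */
static size_t reply_fixed(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PAD > rec_len || payload > out_cap) return 0;
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

/* 128-byte arena: a 27-byte record carrying 8 payload bytes but claiming
   `declared`, followed by 'S' bytes standing in for whatever else is in memory.
   Returns the reply length; *leaked counts 'S' bytes that reached the reply. */
static size_t demo(hb_fn fn, size_t declared, size_t *leaked) {
    uint8_t arena[128], out[128] = {0};
    memset(arena, 'S', sizeof arena);
    arena[0] = 1;                                     /* heartbeat request */
    arena[1] = (uint8_t)(declared >> 8); arena[2] = (uint8_t)declared;
    memcpy(arena + HB_HDR, "AAAAAAAA", 8);           /* the 8 bytes really sent */
    memset(arena + HB_HDR + 8, 0, HB_PAD);           /* padding */
    size_t n = fn(arena, HB_HDR + 8 + HB_PAD, out, sizeof out);
    *leaked = 0;
    for (size_t i = 0; i < n; i++) *leaked += (out[i] == 'S');
    return n;
}
size_t leaked_by_vulnerable(void)  { size_t l; demo(reply_vulnerable, 64, &l); return l; }
size_t fixed_reply_to_lie(void)    { size_t l; return demo(reply_fixed, 64, &l); }
size_t fixed_reply_to_honest(void) { size_t l; return demo(reply_fixed, 8, &l); }
```

The vulnerable reply returns 40 bytes of the simulated secret after the 8 real payload bytes and 16 bytes of padding, whereas the hardened check rejects the lying record and still answers an honest 8-byte one.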
OpenSSL can be recompiled with the -DOPENSSL_NO_HEARTBEATS parameter to address this issue before applying the patch. However, this approach may have unforeseen consequences for applications relying on an SSL heartbeat. Consequently, applications that depend on a heartbeat may experience crashes, error messages, or failure to function properly. Therefore, it is crucial to prioritize timely patching.
KernelCare Enterprise allows administrators to patch OpenSSL without requiring a system reboot. This enables administrators to address the Heartbleed vulnerability while avoiding downtime or potentially risky mitigation methods.
Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
CVSS 3.x Score: 5.6 (Medium)
What makes Spectre and Meltdown different from most other CVEs is that they are hardware issues rather than software problems. These vulnerabilities had a global impact, affecting almost every device and forcing Intel to change its processor manufacturing approach. Both vulnerabilities allow attackers to read memory on the local device due to privilege checks that fail at the hardware level.
Meltdown bypasses the processor’s privilege checks, while Spectre tricks applications into accessing privileged memory. In both cases, an attacker can read kernel memory that is mapped alongside the process, which could include passwords, keys, and other sensitive data.
After the discovery, Intel made an announcement regarding changes in their processor manufacturing process to eliminate the vulnerability in new processors. Patches were also released to address the issue, although users experienced a significant decrease in performance, particularly on older machines.
Two patches were released to mitigate the issue: Kaiser for Meltdown and the Retpoline patch for Spectre. The biggest problem with mitigation is that performance takes a major hit, and a reboot is required, but KernelCare applies patches for these two vulnerabilities with no reboot required.
Mutagen Astronomy (CVE-2018-14634)
CVSS 3.x Score: 7.8 (High)
Mutagen Astronomy (an anagram of Too Many Arguments) is a critical issue that can only be exploited by a local user to gain root privileges on a Linux system. A buffer overflow in Linux’s create_elf_tables() function leads to the privilege escalation: an attacker can overflow the MAX_ARG_STRINGS value used to limit the arguments passed to the function and inject their own environment variables and functions through a SUID-root binary.
The result is that an attacker can escalate privileges, run rogue functions on the local device, or inject their own environment variables. To see a breakdown of the vulnerable code, Qualys published its findings here.
It is important to note that this vulnerability not only requires the user to be on the local machine, but the attack also requires a machine with more than 16 GB of RAM running a 64-bit kernel. Nevertheless, it is a critical flaw and should be patched as soon as possible. The researchers at Qualys found that most Linux users are not affected, with Red Hat and CentOS systems being the main targets vulnerable to this attack. Red Hat published a workaround, but it still requires a reboot.
Instead of applying a lengthy workaround, Linux servers running KernelCare will receive the patch, and no reboot is required.
Zombieload (Microarchitectural Data Sampling) (CVE-2018-12207)
CVSS 3.x Score: 6.5 (Medium)
Following the discoveries of Spectre and Meltdown, another hardware bug known as “Zombieload” was identified. Zombieload comprises a series of exploits that abuse the speculative execution of microprocessors: in an effort to enhance performance, processors attempt to execute ahead of time the instructions that are likely to run next.
Zombieload and other Microarchitectural Data Sampling (MDS) attacks take advantage of failed protection boundaries around the buffers used for this speculative work and trick applications into divulging critical data.
To address this issue, the following three steps are needed for mitigation.
- Update the microcode on the processor
- Disable hyperthreading in the BIOS (manual instructions depend on your BIOS manufacturer)
- Patch the Linux kernel
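An added example (not part of the original post) that ties these three steps to what a patched kernel reports: it maps one status line from /sys/devices/system/cpu/vulnerabilities/mds to the steps still outstanding. The status strings follow the format the x86 kernel code emits ("<state>; SMT <smt-state>"); the step names and the file-reading helper are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Bit flags for the three mitigation steps above. */
#define MDS_STEP_MICROCODE   1   /* update the processor microcode */
#define MDS_STEP_DISABLE_SMT 2   /* turn off hyperthreading */
#define MDS_STEP_KERNEL      4   /* patch the kernel, or re-enable its mitigation */

/* Classifies one line from /sys/devices/system/cpu/vulnerabilities/mds.
   <state> is "Not affected", "Vulnerable",
   "Vulnerable: Clear CPU buffers attempted, no microcode" or
   "Mitigation: Clear CPU buffers"; the SMT part reads "SMT vulnerable",
   "SMT disabled", "SMT mitigated" or "SMT Host state unknown". */
int mds_steps_needed(const char *status) {
    int steps = 0;
    if (strncmp(status, "Not affected", 12) == 0) return 0;
    if (strstr(status, "no microcode") != NULL)
        steps |= MDS_STEP_MICROCODE;      /* kernel tried, CPU lacks MD_CLEAR */
    else if (strncmp(status, "Vulnerable", 10) == 0)
        steps |= MDS_STEP_KERNEL;         /* no kernel-side mitigation active */
    /* Even a mitigated kernel leaves sibling threads exposed while SMT is on. */
    if (strstr(status, "SMT vulnerable") != NULL)
        steps |= MDS_STEP_DISABLE_SMT;
    return steps;
}

/* Reads the sysfs entry at `path` and classifies it. A missing or empty
   entry is treated as a kernel without MDS support (assumption), so the
   kernel step is reported. */
int mds_steps_from_sysfs(const char *path) {
    char line[160];
    FILE *f = fopen(path, "r");
    if (f == NULL) return MDS_STEP_KERNEL;
    if (fgets(line, sizeof line, f) == NULL) { fclose(f); return MDS_STEP_KERNEL; }
    fclose(f);
    return mds_steps_needed(line);
}
```

On a live host, call mds_steps_from_sysfs("/sys/devices/system/cpu/vulnerabilities/mds") and act on each flag that is set; a guest that reports "SMT Host state unknown" cannot decide step 2 on its own.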
Final Thoughts
Although not every Linux kernel vulnerability gets its own CVE, it’s critical for Linux administrators to regularly scan servers for vulnerabilities and patch them when a new one is found. The consequence of an unpatched system might be disastrous for the company and its reputation in each of the above cases.
TuxCare’s KernelCare Enterprise can patch all the above vulnerabilities without system reboots or downtime. With this solution, you can say goodbye to patching methods that are time-consuming, risky, create software usability issues, and only offer temporary solutions.
With KernelCare, you get non-critical and critical patches applied to your servers as soon as they are available, and they are deployed in the background while your systems are running. There are no delays, no cumbersome workarounds, no scheduling of maintenance operations, no downtime, and – most importantly – no vulnerable openings for potential attackers.
KernelCare Enterprise patch information is available at patches.kernelcare.com.