Patch & Protect Yourself Against the New Linux Kernel Zero-Day Vulnerability
On January 19th, Perception Point disclosed a new Linux Kernel Zero-day Vulnerability patch that has the potential of affecting millions of users. The vulnerability affects any Linux operating system with kernel version 3.8+. In addition, Android device KitKat or higher are also affected, which is approximately 60% of the Android devices out on the market today. As such, the vulnerability has the potential of affecting millions of users.
If exploited, the vulnerability will allow a regular user to gain kernel level privileges, therefore it is a critical zero-day finding.
The list of Linux distros affected by this vulnerability is (according to a post on nixCraft):
- Red Hat Enterprise Linux 7
- CentOS Linux 7
- Scientific Linux 7
- Debian Linux stable 8.x (jessie)
- Debian Linux testing 9.x (stretch)
- SUSE Linux Enterprise Desktop 12
- SUSE Linux Enterprise Desktop 12 SP1
- SUSE Linux Enterprise Server 12
- SUSE Linux Enterprise Server 12 SP1
- SUSE Linux Enterprise Workstation Extension 12
- SUSE Linux Enterprise Workstation Extension 12 SP1
- Ubuntu Linux 14.04 LTS (Trusty Tahr)
- Ubuntu Linux 15.04 (Vivid Vervet)
- Ubuntu Linux 15.10 (Wily Werewolf)
- Opensuse Linux LEAP 42.x and version 13.x
- Oracle Linux 7
Even though it requires local access to exploit the vulnerability, the affected Linux distros are often used in the deployment of containers, which means a malicious container on the host can exploit the vulnerability and in turn take control over other containers on the same host.
Twistlock’s technologies, however, can easily catch any exploit attempting to take advantage of this newly discovered vulnerability, even though signatures are not yet available for potential exploits.
This is because our runtime defense capabilities do not require signatures. We automatically build runtime profiles of containers to identify potential anomalies or compromises. To catch exploits targeting this vulnerability, our function would utilize two behavior-detection capabilities
- Syscall anomaly: To exploit this vulnerability, the exploit requires calling a rarely used Linux syscall “keyctl“. In the environments that we protect, we scan every container image before they get deployed. The image scan analysis allows us to know exactly whether a particular container should be using this syscall. In runtime, when we see “keyctl” in the syscall activity, we would process its parameters to identify unusual patterns. This, combined with the fact that we know that this container should not be calling “keyctl“, we can therefore identify, with 100% certainty, that this is an exploit.
- Process anomaly: In addition, our technologies allow us to develop an allowed process map for every container. Since the exploit will fork new processes and may execute a shell command in the end with admin rights. We can detect the presence of these new processes and compare them with the expected process map automatically and detect the presence of unwanted processes and unwanted shells.
- Container Security
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
AWS Fargate Security: Runtime Defense with Twistlock 2.5Read the Blog
Cloud Native Forensics: Security Incident Response in Twistlock 2.5Read the Blog
Announcing Twistlock 2.5: GA Release NotesRead the Blog
GitOps 101: What Is GitOps, and Why Would You Use It?Read the Blog
DevSecOps Learning Resources: How to Learn to Do DevSecOpsRead the Blog