Patch & Protect Yourself Against the New Linux Kernel Zero-Day Vulnerability
On January 19th, Perception Point disclosed a new Linux kernel zero-day vulnerability. The vulnerability affects any Linux operating system running kernel version 3.8 or later. In addition, Android devices running KitKat or higher are also affected, which is approximately 60% of the Android devices on the market today. As such, the vulnerability has the potential to affect millions of users.
If exploited, the vulnerability allows a regular user to gain kernel-level privileges, which makes it a critical zero-day finding.
The list of Linux distros affected by this vulnerability (according to a post on nixCraft) is:
- Red Hat Enterprise Linux 7
- CentOS Linux 7
- Scientific Linux 7
- Debian Linux stable 8.x (jessie)
- Debian Linux testing 9.x (stretch)
- SUSE Linux Enterprise Desktop 12
- SUSE Linux Enterprise Desktop 12 SP1
- SUSE Linux Enterprise Server 12
- SUSE Linux Enterprise Server 12 SP1
- SUSE Linux Enterprise Workstation Extension 12
- SUSE Linux Enterprise Workstation Extension 12 SP1
- Ubuntu Linux 14.04 LTS (Trusty Tahr)
- Ubuntu Linux 15.04 (Vivid Vervet)
- Ubuntu Linux 15.10 (Wily Werewolf)
- openSUSE Linux Leap 42.x and version 13.x
- Oracle Linux 7
Even though exploiting the vulnerability requires local access, the affected Linux distros are often used as container hosts, which means a malicious container can exploit the vulnerability and in turn take control over other containers on the same host.
Twistlock's technologies, however, can easily catch any exploit attempting to take advantage of this newly discovered vulnerability, even though signatures are not yet available for potential exploits.
This is because our runtime defense capabilities do not require signatures. We automatically build runtime profiles of containers to identify potential anomalies or compromises. To catch exploits targeting this vulnerability, our runtime defense uses two behavior-detection capabilities:
- Syscall anomaly: To exploit this vulnerability, an exploit must call the rarely used Linux syscall "keyctl". In the environments we protect, we scan every container image before it is deployed, and the image scan analysis tells us exactly whether a particular container should be using this syscall. At runtime, when we see "keyctl" in the syscall activity, we process its parameters to identify unusual patterns. Combined with the knowledge that this container should not be calling "keyctl" at all, this lets us identify, with 100% certainty, that this is an exploit.
- Process anomaly: In addition, our technologies build an allowed process map for every container. Since the exploit will fork new processes and may in the end execute a shell with admin rights, we can automatically detect these new processes, compare them with the expected process map, and flag the presence of unwanted processes and unwanted shells.
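The two checks above, reduced to a minimal detector run over a constructed stream of per-container syscall events (an added example, not Twistlock's code; the profile format, event fields, and the container and process names are all assumptions, and parameter inspection of keyctl is not modeled):

```python
# Added example (not Twistlock's code): a minimal version of the syscall-anomaly
# and process-anomaly checks, run over constructed per-container syscall events.
# Profile layout, event fields and all container/process names are constructed.

# Per-container runtime profiles, as an image scan / learning phase would produce.
PROFILES = {
    # A web container: never expected to touch the kernel keyring.
    "web": {"syscalls": {"read", "write", "accept4", "epoll_wait"},
            "processes": {"nginx"}},
    # A container that legitimately manages kernel keys (e.g. Kerberos tooling).
    "kerberos": {"syscalls": {"read", "write", "keyctl", "add_key"},
                 "processes": {"kinit", "sshd"}},
}

# Constructed sample events: which process in which container issued which syscall.
SAMPLE_EVENTS = [
    {"container": "web", "comm": "nginx", "syscall": "accept4"},
    {"container": "web", "comm": "exploit", "syscall": "keyctl"},
    {"container": "web", "comm": "sh", "syscall": "execve"},
    {"container": "kerberos", "comm": "kinit", "syscall": "keyctl"},
]


def check_event(profile, event):
    """Return the list of anomaly kinds for one event against its container profile."""
    findings = []
    # Syscall anomaly: keyctl observed in a container whose profile never uses it.
    if event["syscall"] == "keyctl" and "keyctl" not in profile["syscalls"]:
        findings.append("syscall-anomaly")
    # Process anomaly: process name outside the container's allowed process map.
    if event["comm"] not in profile["processes"]:
        findings.append("process-anomaly")
    return findings


def detect(profiles, events):
    """Run check_event over an event stream; containers without a profile are flagged."""
    results = []
    for ev in events:
        profile = profiles.get(ev["container"])
        kinds = ["unprofiled-container"] if profile is None else check_event(profile, ev)
        for kind in kinds:
            results.append({"container": ev["container"], "comm": ev["comm"],
                            "syscall": ev["syscall"], "kind": kind})
    return results


if __name__ == "__main__":
    for f in detect(PROFILES, SAMPLE_EVENTS):
        print(f"[{f['kind']}] container={f['container']} comm={f['comm']} syscall={f['syscall']}")
```

On the sample stream, the web container's "exploit" process trips both checks, its stray shell trips the process check, and the Kerberos container's legitimate keyctl use is not flagged.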