August 1991: Linus Torvalds, a student at the University of Helsinki, starts writing an operating system as a hobby. The motive? A free, open-source alternative to MINIX.

To quote his words: "Hello everybody out there using minix - I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu)..." 

Fast forward 30 years, and what began as a hobby is now one of the most powerful operating systems in existence, powering billions of devices worldwide. This operating system, named Linux, now accounts for almost 3.08% of all operating systems used worldwide.

However, with great power comes even greater responsibility, and Linux is no exception. As the backbone of a multitude of servers, workstations, kiosks, and other front-line devices around the globe, it is imperative for organizations to keep their Linux environments secure and running at all times.

That's the ideal, but the reality isn't as simple, especially with over 1,050 vulnerabilities detected in the Linux kernel over the past five years.

What Are Some Common Types of Linux Vulnerabilities?

Linux vulnerabilities are a growing problem for admins and IT teams, so understanding the common types is the first step toward bolstering your network security against them.

Here is a list of some common types of Linux vulnerabilities you should be familiar with:

Denial of Service (DoS) Vulnerabilities  

As the name suggests, denial of service (DoS) vulnerabilities can be exploited to carry out attacks that prevent legitimate users from accessing their systems and services, typically by taking those systems down. For example, such an attack can stop a bank's account holders from reaching the bank's services.

DoS is generally achieved by overloading target systems with excessive traffic or by sending them malformed data that triggers a fault and eventually crashes the system.

This form of attack is further classified by attack vector into specific types, such as Ping of Death, Buffer Overflow, Teardrop, and SYN Flood.

Remote Code Execution (RCE) Vulnerabilities 

One of the most common classes of vulnerability by far, remote code execution (RCE) flaws allow attackers to run malicious code on a target system from a remote location. Such bugs can lead to full-scale compromise, giving attackers complete control over the exploited system and, with it, entire web applications and web servers.

Buffer Overflow Vulnerabilities 

Buffer overflow vulnerabilities are another common form of Linux vulnerability. They can lead to arbitrary code execution on the target system, paving the way for threat actors to gain unauthorized access to the network.

The vulnerability occurs when a program writes data beyond the end of a buffer into adjacent memory. Such flaws are found in web and application servers as well as in custom web application code.

Buffer overflow attacks fall into two types. In a stack-based buffer overflow, the attacker's input overruns a buffer that the application allocated on the stack. In a heap-based buffer overflow, the input overruns a buffer allocated on the heap, overwriting the adjacent heap data.

In addition, other common vulnerabilities affecting Linux systems include Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), and SQL Injection. 

A Look Back at Linux Vulnerabilities & Their Impact

Looking back at the earliest Linux virus ever discovered, we would have to begin with Staog, found in 1996. Over the years, as the kernel's security matured, so did the methods used to exploit it.

While Staog reportedly carried no payload capable of damaging systems, newer Linux vulnerabilities are far more dangerous. From leakage of data and information to memory corruption on affected systems, they pose threats to both an enterprise's security and its normal operations.

Following that trail, here is a look at some of the most notorious Linux vulnerabilities discovered in the past.

CVE-2022-47939

In the second half of 2022, the Zero Day Initiative, an international software vulnerability initiative, identified this vulnerability in the ksmbd file server module of the Linux kernel. It was rated Critical, owing to its CVSSv3 score of 10.0.

Rooted in a use-after-free bug, that is, faulty handling of dynamically allocated memory, it allowed unauthenticated, remote threat actors to execute code on systems that had ksmbd enabled.

Fortunately, the bug's reach was limited, because ksmbd is disabled by default in most Linux distros. Certain versions of Debian and Ubuntu were affected, and fixes were released in the subsequent versions.

Netfilter Heap Out-of-Bounds Write

Another High-severity vulnerability, made public in February 2022, affected the Linux kernel through a heap out-of-bounds write in nft_fwd_dup_netdev_offload in net/netfilter/nf_dup_netdev.c, part of the netfilter subsystem that implements various networking-related operations in the kernel.

An out-of-bounds write occurs when a program writes data outside the memory region allocated to it. This vulnerability affected Red Hat Linux versions 8.3 and above as well as certain Debian versions, and could lead to system crashes or elevation of privileges.

CVE-2022-0847 (Dirty Pipe)

2022 was certainly a busy year for IT admins, especially those managing Linux-based networks; Dirty Pipe is another example that proves the point.

CVE-2022-0847, a.k.a. Dirty Pipe, was detected on March 7, 2022. It allowed local privilege escalation in Linux kernel versions 5.8 and above; in simple terms, it let threat actors overwrite files to which they had only read permission, which meant a malicious application could gain full control over the system.

Primarily affecting Android devices, Dirty Pipe was rated High severity, owing to its CVSSv3 score of 7.8. If you're wondering why the name "Dirty Pipe": the Linux kernel processes data (reads, writes, and distributes it) via pipes, and the flaw let malicious actors use that mechanism to modify data in system files.

Polkit pkexec Privilege Escalation

Last but not least in the pipeline of Linux vulnerabilities is another local privilege escalation vulnerability, this one in Polkit, an authentication framework that controls system-wide privileges. The vulnerability, with a CVSSv3 score of 7.8 (High severity), was found in the pkexec utility.

Although first detected in 2022, it had remained hidden for over 12 years, affecting every version of pkexec since its initial release in May 2009.

It affected several popular Linux distros, including Debian, Fedora, CentOS, and Ubuntu, and threat actors could obtain full root privileges on default installations of these distros.

How Can I Safeguard My Linux-Based Network from Exploits & Vulnerabilities?

As enterprises' digital footprint grows, so do the threats and vulnerabilities to their network assets. A slight slip or a little oversight, and the next moment their network security tumbles down, falling prey to the persistent attacks of cybercriminals.

Hence, it is of paramount importance to strategize and develop proactive measures to fend off these vulnerabilities and attacks. Below are some tips and best practices to follow to secure your Linux-based network and systems.

Leverage Linux Kernel Lockdown 

Restricting access to the features and data structures of the Linux kernel with Linux kernel lockdown is one of the most powerful ways to secure Linux systems. Once enabled, it prevents:

  • Any unprivileged access to the Linux systems and their kernel memory. 
  • Unsigned kernel modules from being loaded. 
  • Secure boot restrictions from being overridden.
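Whether lockdown is actually active on a host is a one-line read: the kernel exposes the mode in securityfs at /sys/kernel/security/lockdown as a single line listing every mode with the active one in brackets (for example, `none [integrity] confidentiality`). The script below is an added example and not part of the original article; it reads that file and lets a hardening check assert a minimum level. The optional path argument exists only so the functions can be exercised against a constructed sample file.

```sh
#!/bin/sh
# Check the Linux kernel lockdown mode (added example, not from the original article).
# The kernel reports the mode in /sys/kernel/security/lockdown as one line listing
# all modes with the active one in brackets, e.g. "none [integrity] confidentiality".

# Print the active lockdown mode, or "unavailable" if the file cannot be read
# (kernel built without CONFIG_SECURITY_LOCKDOWN_LSM, or securityfs not mounted).
lockdown_mode() {
    file="${1:-/sys/kernel/security/lockdown}"
    if [ ! -r "$file" ]; then
        echo "unavailable"
        return 1
    fi
    # Keep only the bracketed token: "none [integrity] confidentiality" -> "integrity"
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file"
}

# Map a mode name to a rank so levels can be compared: none < integrity < confidentiality.
lockdown_rank() {
    case "$1" in
        none)            echo 0 ;;
        integrity)       echo 1 ;;
        confidentiality) echo 2 ;;
        *)               echo -1 ;;   # unknown or unavailable
    esac
}

# Succeed (exit 0) when the active mode is at least the requested level.
# Usage: lockdown_at_least integrity [path-to-lockdown-file]
lockdown_at_least() {
    want="$1"
    have=$(lockdown_mode "$2") || return 1
    [ "$(lockdown_rank "$have")" -ge "$(lockdown_rank "$want")" ]
}

# Stand-alone use: `sh lockdown_check.sh --report` prints the mode and a pass/fail line.
if [ "${1:-}" = "--report" ]; then
    mode=$(lockdown_mode) || true
    echo "kernel lockdown mode: $mode"
    if lockdown_at_least integrity; then
        echo "PASS: lockdown is integrity or stronger"
    else
        echo "FAIL: lockdown is not enforcing integrity"
    fi
fi
```

On a host booted with UEFI Secure Boot most distribution kernels report `integrity`; `confidentiality` additionally blocks reads of kernel memory and is what to expect on a system that was deliberately hardened. A result of `unavailable` means the kernel was built without the lockdown LSM, which is itself a finding for the audit.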

Regularly Audit Open Ports 

Ports are an essential component of all Internet-facing activity. However, they are also one of the easiest doorways for threat actors to creep in and exploit the network when ports are left open unintentionally or accidentally.

Some common causes of this mistake are when an admin opens a specific port to perform an action but forgets to close it, or when installed software changes the firewall configuration and keeps certain ports open.

Hence, it is highly important to audit ports at regular intervals, check which ones are open, and immediately close any that aren't supposed to be.
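A port audit of this kind is easy to automate against the output of `ss -tuln`, which lists every listening TCP and UDP socket. The script below is an added example and not from the original article: it parses ss-style output, ignores sockets bound only to loopback, and prints every listener whose port is not on an allowlist passed as arguments, so the review reduces to comparing the output against the ports you know the host should serve. The text in SAMPLE_SS is a constructed sample of ss output, not captured from a real host.

```sh
#!/bin/sh
# Flag unexpected listening ports from `ss -tuln` output (added example, not from the article).

# Constructed sample of `ss -tuln` output; not captured from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      511    *:8080              *:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*'

# Read ss-style output on stdin and print "<proto> <port> <bind-address>" for every
# socket bound to a non-loopback address whose port is not in the allowlist.
# Usage: ss -tuln | unexpected_listeners 22 80 443
unexpected_listeners() {
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                                  # column header
        {
            addr = $5                                     # Local Address:Port
            port = addr; sub(/.*:/, "", port)             # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next   # loopback-only, not exposed
            if (!(port in ok)) print $1, port, host
        }'
}

# Stand-alone use: `sh port_audit.sh --demo` audits the constructed sample with
# ports 22 and 80 allowed.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners 22 80
fi
```

Against the sample with 22 and 80 allowed, the report lists udp/68 (the DHCP client), tcp/8080 and tcp/3306; the CUPS listener on 127.0.0.1:631 is skipped because it is not reachable from the network. Every line in the output is a decision to make: add the port to the allowlist because it is expected, or stop the service and fix the firewall rule that left it exposed. To run it on a live host, source the file and pipe `ss -tuln` into `unexpected_listeners` with the host's allowlist.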

Perform Regular Security Audits 

Performing regular audits is one of the most reliable ways to secure your Linux network. With the Linux Auditing System, admins can audit the kernel and collect logs of system activity. These logs give admins critical insight into the security and stability of their systems.
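The Linux Auditing System writes one record per event to /var/log/audit/audit.log, and the records most worth a regular look are the denied ones. The script below is an added example and not from the original article: it summarizes SYSCALL records carrying `success=no` by the audit rule key and the command that triggered them, turning a noisy log into a short list of who tried what. The lines in SAMPLE_AUDIT are constructed to resemble records produced by watch rules such as `auditctl -w /etc/shadow -p rwa -k etc-shadow`; nothing in them is captured from a real host.

```sh
#!/bin/sh
# Summarize denied actions in auditd logs (added example, not from the original article).
# Records like the sample below are produced by watch rules, e.g.:
#   auditctl -w /etc/shadow  -p rwa -k etc-shadow
#   auditctl -w /etc/sudoers -p wa  -k sudoers

# Constructed sample audit.log lines; not captured from a real host. Fields are
# trimmed to those the summary needs plus a few typical neighbours.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.101:4001): arch=c000003e syscall=257 success=no exit=-13 ppid=1201 pid=1345 auid=1000 uid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key="etc-shadow"
type=PATH msg=audit(1700000000.101:4001): item=0 name="/etc/shadow" inode=393 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1700000000.250:4002): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=812 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="etc-shadow"
type=SYSCALL msg=audit(1700000001.400:4003): arch=c000003e syscall=257 success=no exit=-13 ppid=1201 pid=1360 auid=1000 uid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key="etc-shadow"
type=SYSCALL msg=audit(1700000002.050:4004): arch=c000003e syscall=257 success=no exit=-13 ppid=1201 pid=1377 auid=1000 uid=1000 tty=pts0 comm="vim" exe="/usr/bin/vim" key="etc-shadow"
type=SYSCALL msg=audit(1700000003.900:4005): arch=c000003e syscall=257 success=no exit=-13 ppid=1201 pid=1390 auid=1001 uid=1001 tty=pts1 comm="bash" exe="/usr/bin/bash" key="sudoers"'

# Read audit.log lines on stdin and print "<key> <comm> <count>", sorted, for every
# (rule key, command) pair whose SYSCALL records have success=no.
# Usage: audit_failed_by_key < /var/log/audit/audit.log
audit_failed_by_key() {
    awk '
        $1 == "type=SYSCALL" {
            success = ""; key = "-"; comm = "-"
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])                  # strip the quotes around string values
                if      (kv[1] == "success") success = kv[2]
                else if (kv[1] == "key")     key = kv[2]
                else if (kv[1] == "comm")    comm = kv[2]
            }
            if (success == "no") count[key " " comm]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Stand-alone use: `sh audit_summary.sh --demo` summarizes the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | audit_failed_by_key
fi
```

For the sample, the summary is `etc-shadow cat 2`, `etc-shadow vim 1` and `sudoers bash 1`; the successful read by sshd is deliberately left out, since the point is to surface denied attempts against sensitive files rather than routine service activity. Scheduling this against the rotated log and diffing the result between runs is a cheap way to notice a new user or process probing files it has no business touching.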

Ensure Timely Patching of Your OS & software 

When it comes to fending off vulnerabilities in your network, patch management for the operating system and third-party applications is always a prerequisite. The instances described above stand as proof that networks are in danger not just from third-party vulnerabilities but also from those lurking in the kernel.

With vulnerabilities growing at an alarming pace over the years, manually scanning the network for vulnerable distros or third-party applications is a losing battle. Combating this growth demands automation: specifically, automated patch management software that scans the network, detects vulnerable components, and deploys mitigations almost instantaneously.

ManageEngine Patch Manager Plus checks all the boxes when it comes to safeguarding your network from Linux vulnerabilities, be it applications or the operating system as a whole. Right from a single console, this solution lets you automate the patching process for your network and deploy patches to all major Linux distros as well as Windows, macOS, and over 850 third-party applications.

What's more? Integrating a third-party vulnerability scanning solution, such as Tenable, is easy-breezy with Patch Manager Plus, enabling real-time vulnerability monitoring and mitigation across the entire network.

Don't take our word for it. Try out the fully functional 30-day free trial of Patch Manager Plus, and see how easy it can be to thwart Linux vulnerabilities in your network.

Final Thoughts on Protecting Against Linux Vulnerabilities 

Securing your Linux systems against the plethora of vulnerabilities that exist is no longer a choice, but a necessity. To sum up, there isn't just a single antidote to Linux vulnerabilities. 

Rather, it is a set of proactive measures that include kernel hardening, constant network monitoring, audits of misconfigurations and open ports in the network, and regular patch deployments to keep systems updated. 

To better secure your network via proactive patching, you can take a look at the best practices for automating the deployment of patches to your Linux systems.