Search This Blog

Showing posts with label Linux Kernel. Show all posts

 New Linux Malware Syslogk has a Clever Approach of Staying Undetected

 

Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng which has been around since 2004, is a free open-source rootkit, that gives an attacker complete control over an infected system. Syslogk can force-load its packages into the Linux kernel (versions 3. x are supported), hide folders or spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.' 

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide harmful files, malicious software, and its malicious payload from showing on the list of operating services, to deliver the malicious payload when it received a specially constructed TCP packet, and to halt the payload if the attacker directed it to. 

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for generating a shell that allows it to run arbitrary instructions for data mining. Despite the restricted support for Linux kernel versions, Avast claims that using Syslogk and Rebooke on a bogus SMTP server gives an attacker a strong toolkit. 

The Syslogk rootkit is yet one piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other data theft illicit behavior are increasingly being launched against Linux systems and cloud infrastructure making it a vulnerable target. 
 
As in the case of Syslogk, the initiative is in its early stages of development, so it's unclear whether it'll become a wide-scale threat. However, given its secrecy, it will almost certainly continue to release new and improved versions.

Several QNAP NAS Devices are Vulnerable by Dirty Pipe Linux Bug

 

The "Dirty Pipe" Linux kernel weakness – a high-severity vulnerability that offers root access to unprivileged users with local access in all major distros – affects a majority of QNAP's network-attached storage (NAS) appliances, the Taiwanese company stated. 

The Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, according to QNAP, is affected by Dirty Pipe, a recently revealed local privilege-escalation vulnerability. A local user with no access can get admin privileges and insert malicious code if this vulnerability is exploited. 

The flaw was identified and reported eight days ago by Max Kellermann of CM4all, a security researcher. The vulnerability, which has been identified as CVE-2022-0847, has been present in the Linux kernel since version 5.8. Fortunately, Linux kernels 5.10.102, 5.15.25, and 5.16.11 have been updated to address the issue. 

However, as Linux news site Linuxiac points out, Dirty Pipe is just not simply a threat to Linux machines: because Android is built on the Linux kernel, any device running version 5.8 or later is vulnerable, putting a large number of people at risk. For example, Linuxiac cited the Google Pixel 6 and Samsung Galaxy S22: the widely used phones run on Linux kernel 5.10.43, making them susceptible.

"QNAP will hopefully deliver a kernel update for the vulnerability soon," Mike Parkin, a highly experienced engineer at Vulcan Cyber. "This is the storage device vendor's second recent incident," Parkin further pointed out in an email.

NAS devices that allow authorized users and customers to store and retrieve data from a single location boost productivity by providing cloud computing capabilities inside networks, according to Schless. Dirty Pipe has been compared to Dirty Cow by some; an older privilege escalation flaw (CVE-2016-5195) which has been in Linux for nine years — since 2007 – before it was publicly exploited in 2016 against web-facing Linux servers.

Dirty Pipe is a lot like Dirty Cow, except it's a lot worse as it's easy to take advantage of. According to Parkin, the vulnerability's mitigating element is whether it requires local access, which reduces the danger marginally. The Dirty Pipe flaw has also been fixed in the newest Linux kernel code. Furthermore, patches for the major distributions are expected to be available soon.

 'Dirty Pipe' Kernel Bug Enables Root Patched via Linux Distros

 

Dirty Pipe is a Linux local privilege escalation problem that has been found and publicly released, together with proof-of-concept vulnerability. The 'Dirty Pipe' vulnerability was responsibly disclosed by security researcher Max Kellermann, who indicated it impacts Linux Kernel 5.8 and later versions, as well as Android devices. 

CVE-2022-0847 is a weakness in the Linux kernel which was introduced in version 5.8 and resolved in versions 5.16.11, 5.15.25, and 5.10.102.

Kellerman discovered the flaw while investigating a bug that was causing one of his customer's web server access records to be corrupted. The vulnerability, according to Kellerman, is similar to the Dirty COW vulnerability (CVE-2016-5195), which was addressed in 2016.

A bug in the kernel's pipe handling code allows a user program to rewrite the information of the page cache, which ultimately makes its way into the file system, thanks to a refactoring error. It is identical to Dirty COW, but it is relatively easier to use. 

While using Linux, check for and install security updates from the distro. Wait for Google (and maybe your maker and/or carrier) to send you an update if you're using Android; because it runs a kernel older than 5.8, the current version of Android for the Google Pixel 6 and the Samsung Galaxy S22 is currently in jeopardy. 

Kellerman revealed a proof-of-concept (PoC) vulnerability as part of the Dirty Pipe disclosure which essentially allows users to inject their own content into sensitive read-only files, removing limitations or modifying settings to provide wider access than they would normally have. 

However, security researcher BLASTY disclosed an improved vulnerability today which makes gaining root privileges easier by altering the /usr/bin/su command to dump a root shell at /tmp/sh and then invoking the script. 

Starting on February 20th, 2022, the vulnerability was responsibly revealed to several Linux maintainers, including the Linux kernel security team and the Android Security Team. Despite the fact that the defect has been resolved in Linux kernels 5.16.11, 5.15.25, and 5.10.102, numerous servers continue to use outdated kernels, making the release of this vulnerability a major concern for server admins. 

Furthermore, due to the ease with which these vulnerabilities may be used to acquire root access, it will only be a matter of time before threat actors start exploiting the vulnerability in upcoming attacks. The malware had previously used the comparable Dirty COW vulnerability, which was more difficult to attack.  

This flaw is particularly concerning for web hosting companies that provide Linux shell access, as well as colleges that frequently provide shell access to multi-user Linux systems. It has been a difficult year for Linux, with a slew of high-profile privilege-escalation flaws exposed.

Linux Kernel Detected With New Side-Channel Vulnerability

 

The latest research work published by a group at the University of California, Riverside, demonstrates the existence of formerly unnoticed side channels in Linux kernels that can be used to attack DNS servers. 

As per the researchers, the problem with DNS stems from its design, which never prioritized security and made it incredibly difficult to retrofit robust security features into it. 

Although DNS security capabilities such as DNSSEC and DNS cookies are available, they are not generally used owing to backward compatibility, according to the researchers. However, the only way to make DNS more secured has always been to randomize UDP ports, known as ephemeral ports, intending to make it more difficult for an intruder to find them.

As a consequence, various DNS attacks have been reported in the past, including the recently revealed SAD DNS, a variation of DNS cache poisoning which allows an attacker to insert harmful DNS records into a DNS cache, routing all traffic to their server and then becoming a man-in-the-middle (MITM). Subsequently, a few of the researchers that first reported SAD DNS discovered side-channel vulnerabilities in the Linux kernel that had gone unnoticed for over a decade. 

The study focuses on two forms of ICMP error messages: ICMP fragment required (or ICMP packet too large in IPv6) and ICMP redirect. The Linux kernel analyzes the messages, as demonstrated by the researchers, utilizing shared resources that constitute side channels. 

Essentially, this means that an attacker might send ICMP probes to a certain port. If somehow the targeted port is correct, there will be some modification in the shared resource state which can be detected indirectly, validating the correctness of the estimate. An attack, for example, may reduce a server's MTU, resulting in fragmented future answers. 

According to the investigators, the newly found side channels affect the most popular DNS software, like BIND, Unbound, and dnsmasq operating on top of Linux. An approximate 13.85% of open resolvers are impacted. Furthermore, the researchers demonstrate an end-to-end attack against one of the most recent BIND resolvers and a home router that just takes minutes to complete. 

This unique attack can be avoided by configuring suitable socket options, such as asking the operating system not to accept ICMP frag required messages, which eliminates the side-channel; randomizing the kernel shared caching structure itself, and refusing ICMP redirects. As a result of the revelation of this new vulnerability, the Linux kernel has indeed been fixed to randomize the shared kernel structure for both IPv4 and IPv6.

Critical Flaws Discovered in Linux that Enables DNS Cache Poisoning

 

Researchers at the University of California have unearthed security flaws in the DNS system that could leave vendors at risk of server attacks. 

The hackers can abuse the vulnerability by intercepting the connection from the DNS resolver to the nameserver, thus allowing them to change the server IP addresses linked to several web domains, researchers Keyu Man, Xin’an Zhou, and Zhiyun Qian wrote in a recently published research paper at the ACM CCS 2021 conference. 

"The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers stated. "SAD DNS attack allows an attacker to redirect any traffic (originally destined to a specific domain) to his own server and then become a man-in-the-middle (MITM) attacker, allowing eavesdropping and tampering of the communication." 

The central to the assault is how Linux manages DNS queries on servers, particularly Internet Control Message Protocol (ICMP) packets. The researchers discovered that these behaviors could be used to infer the User Datagram Protocol (UDP) port number between the resolver and nameserver, something that is otherwise randomized and seems impossible to guess. 

"Surprisingly, we uncover novel side channels that have been lurking in the Linux network stack for over a decade and yet were not previously known," the trio explained in their paper, adding that as much as 38% of DNS resolvers are susceptible to attacks.

However, researchers warned that Linux is not the only threat vector for this assault. "The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound, and dnsmasq." 

This particular research was based on a previous set of attacks the researchers uncovered and dubbed "SADDNS." The SADDNS research demonstrated how the rate limit on the UDP system could be used to infer the port for the nameserver connection. DNS cache poisoning was originally discovered by the late Dan Kaminsky in 2008. 

"In SADDNS, the key insight is that a shared resource, i.e., ICMP global rate limit shared between the off-path attacker and victim, can be leveraged to send spoofed UDP probes and infer which ephemeral port is used," researchers stated. "Unfortunately, it is unclear how many more such side channels exist in the network stack." 

To mitigate the risks, the researchers propose a number of solutions, such as randomizing the caching structure, rejecting ICMP redirect messages, and setting proper socket options such as IP_PMTUDISC_OMIT, which instructs an operating system to ignore so-called ICMP messages, and therefore completely mitigates the side channel-related processing in the kernel.

Google to Pay $31,337 to Hackers for Linux Kernel Exploitation

 

Google reportedly is rewarding the bug bounty hunters who uncovered and exploited privilege escalation bugs in the Linux kernel. 

Google intends to pay US$31,337 for privilege escalation attacks based on a previously fixed vulnerability, and $50,337 for a zero-day kernel issue or perhaps a unique exploitation approach during the following three months. 

These amount to a treble of Google's bug bounty payouts and are intended to incentivize hackers to reveal zero-day exploits or mitigation bypasses for Linux kernel flaws with significant security repercussions. 

Google is continually investing in the security of the Linux Kernel since it is critical to the safety of the internet and Google—from the gadgets in your pockets to the services running on Kubernetes in the cloud. Researchers investigate its flaws and attacks, as well as examine and improve its defenses. 

“We hope the new rewards will encourage the security community to explore new Kernel exploitation techniques to achieve privilege escalation and drive quicker fixes for these vulnerabilities,” Google said in a note announcing the program. 

Google stated that the base price for exploiting a publicly fixed vulnerability is $31,337 (at most one exploit for every vulnerability), with the payout increasing to $50,337 in two cases: 

  • If the bug in the Kernel was somewhat unpatched (0day). 
  • If Google determines that the exploit employs a novel attack or approach. 

Google is managing the new rewards in a specific CTF-style lab environment, and the simplest exploitation primitives are not available owing to strengthening done on Container-Optimized OS. According to the business, the initiative supplements the existing Android vulnerability rewards program, so exploits that operate on Android may also be considered for up to $250,000.

$100 Million Pledged by Google to Groups that Manage Open-Source Projects

 

Google recently announced a $100 million donation to organizations that manage open-source security priorities and assist with vulnerability fixes, and it has now revealed eight of the projects it will fund. The Linux Foundation recently stated that it will directly support persons working on open-source project security. Google, Microsoft, the Open Source Security Foundation, and the Linux Foundation Public Health Foundation have all endorsed it. When problems are discovered, the Linux Foundation coordinates fixes. 

The foundation and its colleagues will use the Open Source Technology Improvement Fund's (OSTIF) security assessments to hunt for previously discovered problems. Two Linux kernel security audits are among these initiatives. 

The Open Source Technology Improvement Fund is a non-profit corporation committed to improving the security of open-source software. OSTIF makes it simple for projects to dramatically improve security by enabling security audits and reviews. 

"Google's support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open-source ecosystem," said Kaylin Trychon, a security comms manager on the Google Open Source Security team.

OSTIF selected 25 essential projects for MAP, which were then prioritized to determine the eight that will get Google funding. Trychon explains that the eight chosen projects, which include libraries, frameworks, and applications, were chosen because enhancing their security will have the most influence on the open-source ecosystem. 

Along with five other Java-related projects, these eight projects include Git, a prominent version control software, Lodash, a JavaScript utility library, and Laravel, a PHP web application framework. Git, the "de facto" version control software established by Linux kernel founder Linus Torvalds and which forms the backbone of platforms like GitHub and GitLab, is perhaps the largest of the eight audit projects Google is sponsoring. 

Well-known systems and tools used by developers, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat's Ansible, and Google's Guava Java framework, are among the projects with funding pending support. 

Google made a $10 billion commitment to boosting zero-trust programmes, securing software supply chains, and enhancing open-source security following a meeting between US President Joe Biden and leading US tech corporations last month.

Exploit Code Released for a Critical Flaw in Linux Kernel eBPF on Ubuntu Machines

 

Cybersecurity researcher Manfred Paul revealed the details of the code for abusing a critical flaw in the Linux eBPF (Extended Berkeley Packet Filter) kernel on Ubuntu devices. Tracked as CVE-2021-3490, this is a high-severity vulnerability that allows local attackers to exploit Ubuntu devices with relative ease. 

eBPF is a kernel technology that allows user-supplied programs to operate without having to alter the kernel source code or adding additional modules. In other words, this is a lightweight virtual machine within the Linux kernel where programmers can run BPF bytecode that takes advantage of specific kernel resources.

The flaw was disclosed in May by Manfred Paul of the RedRocket CTF team and Trend Micro Zero Day Initiative (ZDI). The issue consists of the fact that user-supplied programs do not go through a proper validation process before they’re executed. If properly exploited, a local attacker could get kernel privileges to run arbitrary code on the machine. 

Valentina Palmiotti, a security researcher at Grapl, explained the technical details of this flaw and its exploitation on Ubuntu short-term releases 20.10 (Groovy Gorilla) and 21.04 (Hirsute Hippo). The researcher created a proof-of-concept exploit code for CVE-2021-3490 and published it on GitHub.

Palmiotti published the report this week which covers the specifics for triggering the bug to leverage it for elevated privileges and to create a denial-of-service (DoS) condition on the target system by locking up all available kernel threads.

Earlier this year, Microsoft announced a new open-source job referred to as ebpf-for-windows that allows developers to make use of the eBPF innovation on leading of Windows. This would certainly be actually attained through incorporating a being compatible coating for existing eBPF projects so they may operate as submodules in Windows 10 and also Windows Server. 

Porting eBPF to Windows is still an early job with a lot of development ahead of it. Palmiotti’s research on CVE-2021-3490 was limited to Linux implementation. 

Microsoft designed the PoC for Groovy Gorilla kernels 5.8.0-25.26 through 5.8.0-52.58, and Hirsute Hippo kernel version 5.11.0-16.17. Patches were actually launched for each Ubuntu model.

A Trio of Vulnerabilities in the Linux Kernel Can Give Attackers Root Privileges

 

Linux kernel distributions appear explicitly susceptible to recently uncovered vulnerabilities. In the iSCSI module, which is used for viewing shared data storages, three unearthed vulnerabilities in the Linux kernel would provide administrative privileges to anybody with a user account. Since 2006, the Linux code has no identification of the trio of defects – the CVE-2021-27363, CVE-2021-27364, and CVE-2021-27365 – until GRIMM researchers found them. 

“If you already had the execution on a box, either because you have a user account on the machine, or you’ve compromised some service that doesn’t have repaired permissions, you can do whatever you want basically,” said Adam Nichols, principal of the Software Security practice at GRIMM. 

Although the vulnerabilities that are in code, are not functional remotely, therefore they are not remote exploits but are still troubling. They take “any existing threat that might be there. It just makes it that much worse,” he explained. Referring to the concept that "many eyes make any bug shallow," Linux code doesn't get many eyes so that it seems perfect. But while the code was first published, the bugs have been there, even in the last fifteen years they haven't really modified. 

GRIMM researchers, of course, are trying to dig in to see how often vulnerabilities occur where possible – with open source, a much more feasible solution. It's very much related to the extent of the Linux kernel that the defections drifted away. "It gotten so big," Nichols said, "there's so much code there." “The real strategy is making sure you’re loading as little code as possible.” 

Nichols said that bugs are present in all Linux distributions, but kernel drivers are not enabled by default. If the vulnerable kernel module can be loaded by a regular user or not, may vary. For example, they could be checked by GRIMM in all Red Hat distros. "Even though it's not loaded by default, you can load it and you can exploit it without any trouble," added Nichols. 

Although the hardware is present, other systems such as Debian and Ubuntu “are in the same boat as Red Hat, where the user, depending on what packages are installed, can coerce it into getting loaded; then it’s there to be exploited,” he said. Errors are reported in 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. The bugs are not included in the following updates. Although all the old kernels are end-of-life and will not be patched. 

Nichols suggests that the Kernel must be blacklisted as a temporary measure to neutralize defects. “Any system that doesn’t use that module can just say never load this module under any circumstances, and then you’re kept safe,” he said. But “if you’re actually using iSCSI, then you wouldn’t want to do that.”

Unpatched Linux Kernel Vulnerabilities Could Be Exploited For Local Dos




As of late two denial-of-service (DoS) vulnerabilities evaluated as ones with Medium severity, affected the Linux kernel 4.19.2 in addition to its previous versions. The two defects are NULL pointer deference issues that can be misused by even a local attacker if he or she wishes to trigger a DoS condition.

Tracked as CVE-2018-19406, the primary issue was observed to dwell in a Linux kernel function called kvm_pv_send_ipi, which is characterized in curve/x86/kvm/lapic.c. The defect is activated when the Advanced Programmable Interrupt Controller (APIC) delineate is not initialized correctly.
To abuse the security defect, a local attacker can utilize the already 'crafted' system calls to achieve a circumstance where the apic delineate remains uninitialized.

In a published blog post the Linux contributor Wanpeng Li reports:
“The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced”

The second vulnerability, which has been doled out the CVE number CVE-2018-19407, impacts the vcpu_scan_ioapic function that is characterized in curve/x86/kvm/x86.c. The bug is activated when I/O Advanced Programmable Interrupt Controller (I/O APIC) does not instate effectively.

Further adds the security advisor “the vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.”

“The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed,” reads the analysis published by Wanpeng Li.

Albeit informal patches for the two blemishes were discharged in the informal Linux Kernel Mailing List (LKML) archive, however despite everything they haven't been pushed upstream.