Always be yourself. Unless you can become Batman, then be Batman. Although this meme-based life philosophy is funny, it hints at a truth you may have started discovering recently. In a digitally transformed business world, threat actors treat the web application vulnerability landscape like a digital Gotham. To perpetrate their criminal activities, malicious actors focus on popular technologies, like Linux. As an open-source technology, Linux presents cybercriminals with additional benefits because they can access the source code, enabling them to do even more damage across the software supply chain.
As a developer, you can be both yourself and a Dark-Knight-inspired vigilante by mitigating the risks that Linux security vulnerabilities pose to your application’s security.
What is a Linux kernel security vulnerability?
A Linux kernel security vulnerability is a weakness within the operating system’s (OS’s) core component that manages resources and enables communication between software and hardware. These vulnerabilities can arise from the following:
- Coding errors
- Design flaws
- Unforeseen combinations of instructions
Because Linux is an open-source operating system, security researchers and attackers alike actively hunt for potential vulnerabilities in the freely accessible source code.
What are the different types of threats on Linux systems?
As a versatile and powerful OS, Linux became popular for running web servers, applications, and other intensive workloads. Over the last few years, attackers have increasingly targeted Linux distributions:
- 2020: 56 new Linux-related malware families identified, a 40% year-over-year increase.
- 2021: LockBit Linux-ESXi ransomware identified
- 2022: Shikitega, BPFDoor, Symbiote, Syslogk, OrBit and Lightning Framework malware identified
- 2023: ShellBot, P2PInfect, and Akira malware variants identified
To secure their applications, developers should consider the following when engaging in threat modeling:
- Unpatched kernel vulnerabilities: Exploiting known, unpatched vulnerabilities undermines Linux's built-in security measures, especially on storage devices
- Botnets: Controlling devices by injecting them with malicious code through the compromised OS
- Denial of Service (DoS) attacks: Overwhelming the server’s operating system with too many requests, causing it to stop responding to legitimate requests
- Network intrusion: Exploiting vulnerabilities to escalate privileges for administrative access
Critical Linux security vulnerabilities to worry about
Between January and July 2023, researchers published 82 Linux security vulnerabilities with a criticality score of 7 or above. However, only 17 of those published vulnerabilities had an Exploit Prediction Scoring System (EPSS) probability of exploitation activity in the next 30 days of 0.05% or higher. Further, of those twelve, only one appears to be a known exploited vulnerability.
Developers should ensure that they scan their code for the following vulnerabilities:
- CVE-2023-0266 Linux kernel use-after-free vulnerability (Known Exploited Vulnerability): Allows for privilege escalation to gain ring0 access from a system user
- CVE-2023-2156: May allow an unauthenticated remote attacker to create a DoS condition by using a flaw in the Linux kernel's networking subsystem
- CVE-2023-1390: Causes CPU system utilization to spike to 100%, resulting in a DoS condition
- CVE-2023-0210: Affects the kernel's authentication and is known to crash the OS
- CVE-2023-0045: Leaves the victim vulnerable to values injected into the branch target buffer (BTB) prior to the prctl syscall, with a recommendation to upgrade past commit a664ec9158eeddd75121d39c9a0758016097fa96
- CVE-2023-3338: May allow remote users to crash the system by exploiting a null pointer dereference flaw in the DECnet networking protocol
- CVE-2023-2008: May allow for privilege escalation and arbitrary code execution through a udmabuf device driver flaw existing within the fault handler
- CVE-2022-4379: Allows for remote DoS by exploiting a use-after-free vulnerability in __nfs42_ssc_open() in fs/nfs/nfs4file.c
- CVE-2023-3269: Allows for arbitrary kernel code execution, container escape, and root privilege through a vulnerability in the memory management subsystem
- CVE-2023-0122: Allows for a pre-auth DoS attack on a remote machine through a NULL pointer dereference vulnerability in nvmet_setup_auth()
- CVE-2023-3776: Allows for local privilege escalation through reference counter control with recommendation to upgrade past commit 0323bce598eea038714f941ce2b22541c46d488f
- CVE-2023-3610: Allows for local privilege escalation with recommendation to upgrade past commit 4bedf9eee016286c835e3d8fa981ddece5338795
- CVE-2023-3609: Allows for local privilege escalation with recommendation to upgrade past commit 04c55383fa5689357bcdd2c8036725a55ed632bc
- CVE-2023-3312: Allows for DoS by exploiting a cpufreq subsystem vulnerability in drivers/cpufreq/qcom-cpufreq-hw.c
- CVE-2023-1829: Allows privilege escalation to root, with a recommendation to upgrade past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
- CVE-2023-31248: Allows privilege escalation when `nft_chain_lookup_byid()` fails to check whether a chain is active and CAP_NET_ADMIN is held in any user or network namespace
- CVE-2023-2007: Allows privilege escalation and remote code execution, when combined with other vulnerabilities, through a flaw in the DPT I2O Controller driver
- CVE-2023-2006: Allows privilege escalation and arbitrary code execution through a flaw in the RxRPC network protocol, within the processing of RxRPC bundles
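The triage rule described above (keep only CVEs scored 7 or above, then narrow to those with an EPSS exploitation probability of at least 0.05%, and put any Known Exploited Vulnerability at the top) is simple enough to automate. The script below is an added example and is not code from the article or from Qwiet AI. It parses a response in the shape returned by the FIRST EPSS API, but the EPSS values, CVSS scores and KEV membership it contains are constructed sample data for the CVEs named on this page, not real scores (only the KEV flag on CVE-2023-0266 matches the article). In practice the three inputs would come from the EPSS API, your scanner's CVSS data, and the CISA KEV catalogue.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of an EPSS API response
# (https://api.first.org/data/v1/epss?cve=...). The scores are made-up
# illustrative values, not real EPSS data.
SAMPLE_EPSS_RESPONSE = """{
  "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
  "total": 4, "offset": 0, "limit": 100,
  "data": [
    {"cve": "CVE-2023-0266", "epss": "0.000910000", "percentile": "0.39", "date": "2023-08-01"},
    {"cve": "CVE-2023-2156", "epss": "0.000320000", "percentile": "0.21", "date": "2023-08-01"},
    {"cve": "CVE-2023-3269", "epss": "0.001400000", "percentile": "0.48", "date": "2023-08-01"},
    {"cve": "CVE-2023-1390", "epss": "0.000500000", "percentile": "0.25", "date": "2023-08-01"}
  ]
}"""

# Constructed CVSS base scores (as your scanner would report them) and a
# constructed KEV set. Only the KEV entry for CVE-2023-0266 follows the article.
SAMPLE_CVSS = {
    "CVE-2023-0266": 7.8,
    "CVE-2023-2156": 7.5,
    "CVE-2023-3269": 7.8,
    "CVE-2023-1390": 7.5,
}
SAMPLE_KEV = {"CVE-2023-0266"}

CVSS_THRESHOLD = 7.0     # "criticality score of 7 or above"
EPSS_THRESHOLD = 0.0005  # 0.05 % probability of exploitation in 30 days


@dataclass
class Finding:
    cve: str
    cvss: float
    epss: float
    kev: bool


def parse_epss(response_text: str) -> dict[str, float]:
    """Map CVE id -> EPSS probability from an EPSS API JSON body."""
    payload = json.loads(response_text)
    if payload.get("status") != "OK":
        raise ValueError(f"EPSS lookup failed: {payload.get('status')}")
    # The API returns the probability as a decimal string, e.g. "0.000910000".
    return {row["cve"]: float(row["epss"]) for row in payload["data"]}


def triage(cvss: dict[str, float], epss: dict[str, float], kev: set[str]) -> list[Finding]:
    """Apply the article's filter and return findings in fix-first order.

    A CVE is kept when its CVSS is at or above the threshold and it is either
    on the KEV list or has an EPSS probability at or above the threshold.
    KEV entries sort first, then higher EPSS probability, then CVE id.
    """
    kept = []
    for cve, score in cvss.items():
        if score < CVSS_THRESHOLD:
            continue
        probability = epss.get(cve, 0.0)  # unknown to EPSS -> treat as 0
        is_kev = cve in kev
        if is_kev or probability >= EPSS_THRESHOLD:
            kept.append(Finding(cve, score, probability, is_kev))
    kept.sort(key=lambda f: (not f.kev, -f.epss, f.cve))
    return kept


def prioritized_cves() -> list[str]:
    """Convenience wrapper running the whole pipeline on the sample data."""
    findings = triage(SAMPLE_CVSS, parse_epss(SAMPLE_EPSS_RESPONSE), SAMPLE_KEV)
    return [f.cve for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_CVSS, parse_epss(SAMPLE_EPSS_RESPONSE), SAMPLE_KEV):
        tag = "KEV" if f.kev else "   "
        print(f"{tag} {f.cve} CVSS={f.cvss} EPSS={f.epss:.4%}")
```

On the constructed data, CVE-2023-2156 drops out because its EPSS probability sits below 0.05%, while CVE-2023-1390 stays in at exactly the threshold; the KEV entry leads the list regardless of its EPSS value. Because EPSS scores are re-published daily, the point the article makes about the "likely to be exploited" set changing from one day to the next is exactly why this step should run on every scan rather than once.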
Qwiet.ai: Finding the Real Threats through Reachability
As attackers increasingly target Linux vulnerabilities, you need visibility into the ones that can become true threats. Remediating 82 new vulnerabilities over 8 months is overwhelming, especially as researchers find more CVEs and you build more code. Even keeping up with the 18 vulnerabilities that attackers are likely to exploit can be challenging, especially as that number can change from one day to the next.
Qwiet AI’s preZero platform enables you to rapidly scan your code to identify vulnerabilities in source code and business logic. To help you prioritize your activities, you can focus on those vulnerabilities that attackers can actively exploit within the context of your application. Further, our Blacklight is the first threat intelligence feed designed to help developers prioritize fixes by focusing on the exploits, threat actors, ransomware, and botnets actively exploiting vulnerabilities in the wild.
Take our preZero platform for a spin for free to see for yourself how Qwiet AI can help you identify Linux security vulnerabilities.