Recommended Action for Linux Kernel Vulnerability

Recently, a critical zero day vulnerability in a Linux kernel module was publicized. If successfully exploited on a Linux device, this vulnerability would allow an attacker to potentially execute arbitrary code with escalated privileges.

Devices running Linux kernel 3.8 or higher are potentially vulnerable to this bug, meaning millions of Linux devices and around two thirds of all Android devices are potentially affected. Relevant IoT devices could be vulnerable as well. At time of writing, there have been no publicized observations of exploits against this vulnerability in the wild. Given the sheer number of possible devices vulnerable, we advised all of our customers to review their systems for the vulnerability and mitigate with the appropriate steps detailed below.

Vulnerability Details

The vulnerability, CVE-2016-0728, resides in the Linux kernel’s key retention service provided by a module that allows a process to store security information. Specifically, the bug can be exploited by a process making repeated calls to the keyctl system call where vulnerable code does not check for an integer overflow. If the counter is reset to zero, the kernel will then free the keyring object in memory where an attacker could then attempt an use-after-free attack.

When a process makes a keyctl call with a session key already in use, the Linux kernel will then increment a reference count (available to view in /proc/keys). This counter is a 32-bit integer, even on 64 bit systems. When the counter overflows, effectively returning to zero, the kernel will free the object and a malicious program may insert a crafted object running under escalated privileges.

In order to exploit this vulnerability, an attacker would need the ability to make keyctl calls on the target host. The attacker would also need to make 2^32-1 calls to keyctyl in order to reset the counter, then free the kernel object where the attacker could then leverage function pointers in the struct key_type object for remote code execution under escalated privileges. The researchers at Perception Point, who revealed this vulnerability, noted this exploit took some 30 minutes to run on an Intel Core i7-5500 CPU.

Click here for a more detailed technical description of this kernel service.

We recommend a careful review of all Linux based devices on your network that are using kernel version 3.8 or higher, specifically with “enable access key retention support” enabled. Wherever possible, vulnerable kernels should be patched immediately. Multiple versions of various Linux distributions, to include Red Hat Enterprise Linux 7, CentOS Linux 7, and Debian Linux 8.x and 9.x, are potentially vulnerable. Here’s a guide on which distributions have readied a patch and how to install.

Sandworm – Microsoft Windows Zero-day Vulnerability

What is it?

CVE-2014-4114 (aka “Sandworm”): A zero-day vulnerability that allows an attacker to remotely execute arbitrary code.

Who is vulnerable?

Sandworm is a zero-day impacting all versions of Microsoft Windows from Vista SP2 up to Windows 8.1, as well as Windows Server 2008 and 2012.

Where has it been seen?

Used in Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors.

How does it work?

Non-technical: opening a specially crafted file will allow the remote code execution. This has been seen with Powerpoint files in the wild.

Technical: “The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands.”
[copied from source: ]

Additional Notes:

Microsoft classified MS14-060 as “important”, not “critical”, because the attack requires a user to open a file.

Security Operations Center Recommendations:

Update all vulnerable systems as soon as possible. Microsoft Bulletin MS14-060 fixes this bug:

Additionally, Microsoft has released a total of eight security bulletins and updates that address them as of October 14, 2014. In total, 24 vulnerabilities are addressed in the updates. Three of them are classified as critical. More information can be found here:

Shellshock/Bash Vulnerability

Shellshock/Bash is a major new vulnerability that affects Unix, Linux and Mac users. This remote code execution vulnerability exists in almost every version of the GNU Bourne Again Shell (Bash). See CVE-2014-6271 in National Vulnerability Database:

Description of CVE-2014-6271:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in
OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

In our assessment, attacks over the internet via HTTP by worms or scripts are the biggest risk to organizations. A sample of HTTP attacks can be found at the following location:

Vulnerable Software and Versions:

* cpe:/a:gnu:bash:1.14.0
* cpe:/a:gnu:bash:1.14.1
* cpe:/a:gnu:bash:1.14.2
* cpe:/a:gnu:bash:1.14.3
* cpe:/a:gnu:bash:1.14.4
* cpe:/a:gnu:bash:1.14.5
* cpe:/a:gnu:bash:1.14.6
* cpe:/a:gnu:bash:1.14.7
* cpe:/a:gnu:bash:2.0
* cpe:/a:gnu:bash:2.01
* cpe:/a:gnu:bash:2.01.1
* cpe:/a:gnu:bash:2.02
* cpe:/a:gnu:bash:2.02.1
* cpe:/a:gnu:bash:2.03
* cpe:/a:gnu:bash:2.04
* cpe:/a:gnu:bash:2.05
* cpe:/a:gnu:bash:2.05:a
* cpe:/a:gnu:bash:2.05:b
* cpe:/a:gnu:bash:3.0
* cpe:/a:gnu:bash:3.0.16
* cpe:/a:gnu:bash:3.1
* cpe:/a:gnu:bash:3.2
* cpe:/a:gnu:bash:3.2.48
* cpe:/a:gnu:bash:4.0
* cpe:/a:gnu:bash:4.0:rc1
* cpe:/a:gnu:bash:4.1
* cpe:/a:gnu:bash:4.2
* cpe:/a:gnu:bash:4.3

What Should You Do?

1. If you are a user of our ProSCAN/Qualys Vulnerability scanning service, please contact us to schedule an emergency scan.
2. If you are using another vulnerability scanning tool, follow your vendor’s instructions.
3. Use official repositories to upgrade to the current release.
4. Verify with your vendors that this vulnerability has been patched.

What Else is Proficio Doing?

Proficio has patched any vulnerable systems within our own infrastructure. We are actively gathering indicators of attack and compromise and looking to apply detection indicators into our monitoring service.

Please feel free to contact us to discuss the best action for your organization.