This post is part of a regular series on Oracle Ksplice’s Known Exploit Detection. For selected security vulnerabilities, Ksplice not only fixes the code error but also lays down tripwires that detect attempts to exploit the fixed vulnerability. Known Exploit Detection lets system administrators report and alarm on future attempts to exploit that vulnerability even after the system has been patched.

Why Exploit Detection Matters

In many cases, a code fix for a security vulnerability is indistinguishable from an ordinary bug fix or logic change. In fact, around half of Linux kernel security vulnerabilities are identified retroactively and assigned to patches that are already part of the kernel. Once the bug or logic error is corrected, the program simply works “correctly”: it raises no alarm when a malicious user tries a known exploit against it. As an example, the “Conquering the memory through io_uring” vulnerability (CVE-2023-2598) allows a local user to escalate to root by abusing an optimization in the io_uring buffer registration code path that grants access to physical pages beyond the valid limit. Once the code path is fixed, a user attempting that exploit will not get unauthorized access, but the system administrator will not be alerted that the exploit was attempted. With Known Exploit Detection, in addition to enforcing the page boundaries, Ksplice sets a tripwire condition so that attempts to read beyond the valid pages are detected and logged as a thwarted attack.

Here’s how the warning message for CVE-2023-2598 appears in systemd’s logging service (journald) when the Known Exploit Detection update identifies an attempt by a potentially malicious binary, a.out, to compromise the system:

May 19 02:55:01 localhost.localdomain /log-known-exploit[14594]: exploit attempt detected; id=CVE-2023-2598 pid=14593 uid=0 comm=a.out lost=0
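A tripwire is only useful if someone reads it, so the record above should feed whatever alerting a site already runs on journald. The following is an added example, not Ksplice’s own code, that parses journalctl text output for these records, turns them into structured alerts and flags the ones worth escalating. The record layout is taken from the sample line above; the additional sample lines are constructed, the function and field names are the example’s own, and reading the `lost` field as a count of tripwire records dropped before this one is an assumption.

```python
"""Turn Ksplice Known Exploit Detection journal records into structured alerts.

Added example, not Ksplice code. The record format follows the sample line in
the post; the journal text below is constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Regex for the tripwire record as journald prints it in its default "short"
# layout: syslog timestamp, host, identifier[pid], then the key=value fields
# (id, pid, uid, comm, lost) shown in the post's sample line.
KED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"/log-known-exploit\[\d+\]: exploit attempt detected; "
    r"id=(?P<cve>CVE-\d{4}-\d{4,}) pid=(?P<pid>\d+) uid=(?P<uid>\d+) "
    r"comm=(?P<comm>\S+) lost=(?P<lost>\d+)\s*$"
)

# Constructed sample journal: the post's line, one unrelated systemd line, and
# two made-up follow-up records from an unprivileged user.
SAMPLE_JOURNAL = """\
May 19 02:55:01 localhost.localdomain /log-known-exploit[14594]: exploit attempt detected; id=CVE-2023-2598 pid=14593 uid=0 comm=a.out lost=0
May 19 02:55:02 localhost.localdomain systemd[1]: Started Session 4 of user bob.
May 19 02:57:40 localhost.localdomain /log-known-exploit[14610]: exploit attempt detected; id=CVE-2024-1086 pid=14609 uid=1000 comm=poc lost=0
May 19 02:57:41 localhost.localdomain /log-known-exploit[14612]: exploit attempt detected; id=CVE-2024-1086 pid=14611 uid=1000 comm=poc lost=3
"""


@dataclass(frozen=True)
class ExploitAttempt:
    timestamp: str
    host: str
    cve: str
    pid: int
    uid: int
    comm: str
    lost: int  # assumed meaning: tripwire records dropped before this one


def parse_line(line):
    """Return an ExploitAttempt for a tripwire record, or None for any other line."""
    m = KED_RE.match(line)
    if m is None:
        return None  # ordinary journal traffic, not a tripwire record
    return ExploitAttempt(
        m["ts"], m["host"], m["cve"],
        int(m["pid"]), int(m["uid"]), m["comm"], int(m["lost"]),
    )


def parse_journal(text):
    """Extract every tripwire record from a block of journalctl output."""
    return [a for a in (parse_line(l) for l in text.splitlines()) if a is not None]


def count_by_cve_and_uid(attempts):
    """How many times each (CVE, uid) pair tripped the wire."""
    return Counter((a.cve, a.uid) for a in attempts)


def needs_escalation(attempts):
    """Attempts worth paging on: repeated hits from one uid on one CVE, or any
    record that reports dropped records (the tripwire fired more than we saw)."""
    counts = count_by_cve_and_uid(attempts)
    return [a for a in attempts if a.lost > 0 or counts[(a.cve, a.uid)] > 1]


if __name__ == "__main__":
    import sys

    # Read a journal from stdin when piped, otherwise demonstrate on the sample.
    text = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin.read()
    attempts = parse_journal(text)
    for a in attempts:
        print(f"{a.timestamp} {a.host}: {a.cve} attempted by uid={a.uid} "
              f"comm={a.comm} pid={a.pid} lost={a.lost}")
    for a in needs_escalation(attempts):
        print(f"ESCALATE: {a.cve} uid={a.uid} comm={a.comm}")
```

Run it as `journalctl --no-pager | python3 ked_alerts.py` to scan the live journal, or with no input to see it work on the constructed sample. The escalation rule is deliberately simple; a real deployment would key on uid and comm against the site’s inventory of expected users and forward the structured records to the SIEM rather than printing them.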

We are very selective about which vulnerabilities get Known Exploit Detection: they have to be significant and likely to be exploited by malicious users. Not every patched vulnerability receives a tripwire; it is reserved for significant, high-profile vulnerabilities.

Latest Known Exploit Detection tripwires added

Here’s a selection of our most recent Known Exploit Detection capabilities which are part of Oracle Ksplice:

  • CVE-2023-6246: This vulnerability allows an untrusted local user to escalate privileges to root through a heap buffer overflow in glibc’s syslog()/vsyslog() code, triggered by invoking a set-user-ID binary via the execve syscall with an argv[0] longer than 1024 bytes. Ksplice prevents this vulnerability by blocking SUID binaries whose argv[0] is longer than 1024 bytes. On a system without Ksplice, the upstream patch would silently prevent the vulnerability but would give the administrator no indication that an unprivileged user had attempted a known exploit; with Ksplice, that intrusion attempt is prevented and logged for the administrator.

  • CVE-2023-2598: This vulnerability allows an untrusted user to escalate privileges to ring zero by leveraging a faulty optimization in the io_uring buffer registration code. Ksplice prevents this vulnerability by adding a check in the io_uring buffer registration code that the pages being coalesced are indeed physically consecutive, thereby disallowing access to pages beyond the valid limit. On a system without Ksplice, the kernel patch would silently prevent the vulnerability but would give the administrator no indication that an unprivileged user had attempted a known exploit; with Ksplice, that intrusion attempt is prevented and logged for the administrator.

  • CVE-2021-20226: This vulnerability allows an unprivileged user to obtain write access to privileged files by leveraging a missing reference count on a file object in the io_uring path: the object is freed while still in use and can then be replaced with a privileged file object. Ksplice prevents this vulnerability by properly taking a reference on the files_struct. On a system without Ksplice, the kernel patch would silently prevent the vulnerability but would give the administrator no indication that an unprivileged user had attempted a known exploit; with Ksplice, that intrusion attempt is prevented and logged for the administrator.

  • CVE-2024-1086: This vulnerability allows an untrusted user to escalate privileges to ring zero by leveraging a use-after-free in the Linux kernel’s netfilter nf_tables component that was introduced by a problematic commit. Ksplice prevents this vulnerability by reverting that particular commit. On a system without Ksplice, the kernel patch would silently prevent the vulnerability but would give the administrator no indication that an unprivileged user had attempted a known exploit; with Ksplice, that intrusion attempt is prevented and logged for the administrator.

  • CVE-2023-0386: This vulnerability allows an unprivileged user to gain root access by leveraging OverlayFS’s copy_up mechanism in combination with user and mount namespaces and FUSE. Ksplice prevents this vulnerability by adding a check during OverlayFS’s copy_up that the copied file’s user and group IDs have valid mappings in the current user namespace. On a system without Ksplice, the kernel patch would silently prevent the vulnerability but would give the administrator no indication that an unprivileged user had attempted a known exploit; with Ksplice, that intrusion attempt is prevented and logged for the administrator.

Ksplice allows you to patch vulnerabilities and critical bugs on running systems without a reboot. Find out what patches you can apply on your running system by checking out the Ksplice Inspector. Learn more about Oracle Ksplice at ksplice.oracle.com.

If this kind of work sounds interesting to you, consider applying for a job with the Ksplice team! Feel free to drop us a line at ksplice-support_ww@oracle.com.

Related Ksplice blogs