This post is part of a regular series on Oracle Ksplice’s Known Exploit Detection. For selected security vulnerabilities, not only will Ksplice fix the code error, Ksplice will also lay down tripwires to detect attempts to exploit those fixed vulnerabilities. Known Exploit Detection allows system administrators to report and alarm on future attempts to exploit that vulnerability even after the system has been patched.
In many cases, a code fix for a security vulnerability is indistinguishable from a bug fix or logic change. In fact, around half of Linux kernel security vulnerabilities are identified retroactively and assigned to patches which are already part of the kernel. Once the code bug or logic error is corrected, the program now works “correctly” and will not trigger an alarm if a malicious user tries to test out a known exploit. As an example, the OpenSSL Heartbleed vulnerability allows a remote user to read data past the end of a buffer; when Heartbleed is fixed, a user trying that exploit will get no data, but the system administrator won’t be alerted that the exploit was being attempted. With Known Exploit Detection, in addition to enforcing the boundaries of the array, Ksplice sets a tripwire condition so that attempts to read beyond the end of the array would be detected and logged as a potentially thwarted attack.
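To make the Heartbleed illustration concrete, here is a constructed example (not Ksplice or OpenSSL code) of a heartbeat-style handler: the bounds check is the upstream fix, and the `tripwire` flag adds the counting and logging a Known Exploit Detection patch layers on top of it. The record layout, function names and sample records are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the Heartbleed tripwire idea, not Ksplice or
 * OpenSSL code. A heartbeat-style record carries a 2-byte claimed payload
 * length; the unpatched code trusted it and copied that many bytes. */

#define HB_HEADER  3   /* 1 byte type + 2 byte payload length */
#define HB_PADDING 16  /* minimum trailing padding in a heartbeat record */

static unsigned long hb_tripwire_hits; /* counter an administrator can alarm on */

/* Copy the heartbeat payload into out and return its length, or -1 if the
 * record is malformed. The bounds check alone is the silent fix; with
 * tripwire set, a claimed length that overruns the record is also counted
 * and logged, which is the Known Exploit Detection behaviour described. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_len, int tripwire)
{
    if (rec_len < HB_HEADER)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) {
        if (tripwire) {
            hb_tripwire_hits++;
            fprintf(stderr, "tripwire: heartbeat claimed %zu payload bytes, "
                            "record holds only %zu\n", claimed, rec_len);
        }
        return -1; /* silently discard, exactly as the patched code does */
    }
    if (claimed > out_len)
        return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

unsigned long heartbeat_tripwire_hits(void) { return hb_tripwire_hits; }

/* Constructed sample records: a benign 3-byte payload with 16 bytes of
 * padding, and one claiming 0xFFFF bytes while carrying only three. */
static const uint8_t HB_GOOD[] = { 1, 0x00, 0x03, 'a', 'b', 'c',
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t HB_BAD[]  = { 1, 0xFF, 0xFF, 'a', 'b', 'c' };

int demo_benign(void)          { uint8_t o[64]; return heartbeat_respond(HB_GOOD, sizeof HB_GOOD, o, sizeof o, 1); }
int demo_attack_silent(void)   { uint8_t o[64]; return heartbeat_respond(HB_BAD, sizeof HB_BAD, o, sizeof o, 0); }
int demo_attack_tripwire(void) { uint8_t o[64]; return heartbeat_respond(HB_BAD, sizeof HB_BAD, o, sizeof o, 1); }
```

Both the silent and the tripwire variants return the same result to the sender; only the tripwire variant leaves the administrator a record that the overrun was attempted.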
Here’s a selection of our most recent Known Exploit Detection capabilities which are part of Oracle Ksplice:
CVE-2021-22543: Allows an untrusted guest VM (or a user with the ability to create VMs) to escalate privileges to host ring zero by leveraging a use-after-free on VM_IO or VM_PFNMAP pages. Ksplice will prevent this vulnerability by restoring correct refcounting when those pages are manipulated and log an alert to the administrator. On a typical patched system without Ksplice, the kernel patch would silently prevent the use-after-free but would not provide any indication to the administrator that an untrusted guest VM had tried to own the host kernel.
CVE-2020-8835: Allows an untrusted user with the ability to load BPF programs to elevate their privileges to ring zero by exploiting a logic error in the BPF verifier. Ksplice will fix this vulnerability by modifying the BPF verifier to correctly calculate offsets from 32-bit registers, ensuring proper bounds-checking is in place, and log an alert to the administrator when a program fails that check. On a typical patched system without Ksplice, the kernel patch would also prevent specially crafted BPF programs from abusing the BPF verifier but would not provide any indication to the administrator that a user had tried to exploit this vulnerability.
CVE-2021-4034: Also known as ‘pwnkit’, this is a userspace vulnerability that we were able to fix from Ksplice in the kernel, and for which we were able to enable Known Exploit Detection. Please check out our detailed blog post which explains how we patched and instrumented the PWNKIT vulnerability.
CVE-2017-11176: Allows unprivileged users to exploit a race condition leading to a use-after-free in the mqueue sub-system. Ksplice will fix the race condition that makes this use-after-free possible and log an alert to the administrator. On a typical patched system without Ksplice, the use-after-free isn’t possible, but an active exploitation attempt would not provide any indication to the administrator that a user had tried to exploit this known vulnerability.
Ksplice allows you to patch vulnerabilities and critical bugs on running systems without a reboot. Find out what patches you can apply on your running system by checking out the Ksplice Inspector. Learn more about Oracle Ksplice at ksplice.oracle.com.