This post is part of a regular series on Oracle Ksplice’s Known Exploit Detection. For selected security vulnerabilities, not only will Ksplice fix the code error, Ksplice will also lay down tripwires to detect attempts to exploit those fixed vulnerabilities. Known Exploit Detection allows system administrators to report and alarm on future attempts to exploit that vulnerability even after the system has been patched.
Why Exploit Detection Matters
In many cases, a code fix for a security vulnerability is indistinguishable from a bug fix or logic change. In fact, around half of Linux kernel security vulnerabilities are identified retroactively and assigned to patches which are already part of the kernel. Once the code bug or logic error is corrected, the program works “correctly” and will not raise an alarm when a malicious user tries a known exploit against it. As an example, the PwnKit vulnerability allows a local user to exploit the pkexec suid binary; once PwnKit is fixed, a user trying that exploit will get no data, but the system administrator won’t be alerted that the exploit was being attempted. With Known Exploit Detection, in addition to enforcing the boundaries of the array, Ksplice sets a tripwire condition so that attempts to read beyond the end of the array are detected and logged as a potentially thwarted attack.
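As an added illustration of the fix-versus-tripwire distinction (constructed for this post, not Ksplice’s code or the pkexec source), here is a plain C sketch of an argument-array accessor: the first version only enforces the boundary, the second enforces it and records the blocked read so an administrator can report and alarm on it. The tripwire struct, the function names and the scenario in run_demo are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Fix-only: refuse the out-of-bounds read and stay silent, so a probe for
 * the old bug is indistinguishable from an ordinary bad index. */
static const char *get_arg_silent(char *const argv[], int argc, int idx)
{
    if (idx < 0 || idx >= argc)
        return NULL;
    return argv[idx];
}

/* Hypothetical tripwire state an administrator can report and alarm on:
 * which boundary it guards, how many attempts were blocked, the last index. */
struct tripwire { const char *name; unsigned long hits; int last_idx; };

struct tripwire argv_tripwire = { "argv-out-of-bounds", 0, -1 };

/* Fix-plus-tripwire: the same boundary check, but a refused read is
 * counted and logged instead of silently returning nothing. */
static const char *get_arg_tripwire(char *const argv[], int argc, int idx,
                                    struct tripwire *tw)
{
    if (idx < 0 || idx >= argc) {
        tw->hits++;
        tw->last_idx = idx;
        fprintf(stderr, "tripwire[%s]: blocked read of argv[%d] with argc=%d\n",
                tw->name, idx, argc);
        return NULL;
    }
    return argv[idx];
}

/* Constructed scenario: one legitimate read, then two reads past the end
 * of the argument array. Returns the number of attempts the tripwire caught. */
unsigned long run_demo(void)
{
    char *args[] = { "prog", "file.txt", NULL };
    int argc = 2;
    get_arg_tripwire(args, argc, 1, &argv_tripwire); /* in bounds: no alarm */
    get_arg_tripwire(args, argc, 2, &argv_tripwire); /* past the end: alarm */
    get_arg_tripwire(args, argc, 7, &argv_tripwire); /* past the end: alarm */
    return argv_tripwire.hits;
}

int main(void)
{
    printf("tripwire hits: %lu\n", run_demo());
    return 0;
}
```

Both accessors return the same values to the caller; only the second leaves a record that the boundary was probed.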
We are very specific about the vulnerabilities that get Known Exploit Detection: the vulnerabilities have to be significant and likely to be exploited by malicious users. Not every patched vulnerability will receive Known Exploit Detection; it’s reserved for significant and high-profile vulnerabilities.
Latest Known Exploit Detection tripwires added
Here’s a selection of our most recent Known Exploit Detection capabilities which are part of Oracle Ksplice:
- CVE-2022-0847 (DirtyPipe): this vulnerability allows an untrusted user to escalate privileges to ring zero by leveraging a failure to clear flags in struct pipe_buffer. Ksplice prevents this vulnerability by correctly clearing the pipe flags. On a non-Ksplice-patched system, the kernel patch would silently prevent the vulnerability but would not provide any indication to the administrator that an unprivileged user had attempted to use a known exploit; with Ksplice that intrusion attempt will be prevented and logged for the administrator.
- CVE-2021-4154: this vulnerability allows an untrusted user to escalate privileges to ring zero by leveraging a use-after-free in the cgroup sub-system on a struct file. Ksplice prevents this vulnerability by adding a check in the cgroup v1 filesystem configuration parser that the source parameter is of type string. On a non-Ksplice-patched system, the kernel patch would silently prevent the vulnerability but would not provide any indication to the administrator that an unprivileged user had attempted to use a known exploit; with Ksplice that intrusion attempt will be prevented and logged for the administrator.
- CVE-2022-27666: this vulnerability allows an unprivileged user to escalate privileges to ring zero by leveraging a potential heap buffer overflow in the IPsec sub-system when sending a larger-than-expected buffer to be encrypted. Ksplice prevents this vulnerability by properly allocating the destination buffer so that overflows cannot happen. On a non-Ksplice-patched system, the kernel patch would silently prevent the vulnerability but would not provide any indication to the administrator that an unprivileged user had attempted to use a known exploit; with Ksplice that intrusion attempt will be prevented and logged for the administrator.
- CVE-2022-0185: this vulnerability allows an unprivileged user to escalate their privileges to ring zero by leveraging an integer underflow in the fsconfig() syscall which leads to a heap buffer overflow. Ksplice prevents the underflow by doing proper size checking. On a non-Ksplice-patched system, the kernel patch would silently prevent the vulnerability but would not provide any indication to the administrator that an unprivileged user had attempted to use a known exploit; with Ksplice that intrusion attempt will be prevented and logged for the administrator.
- CVE-2022-2588: this vulnerability allows an unprivileged user (through unprivileged namespaces) to escalate their privileges to ring zero by leveraging a use-after-free in the network IPv4 route scheduler. Ksplice prevents the use-after-free by properly releasing the filter memory. On a non-Ksplice-patched system, the kernel patch would silently prevent the vulnerability but would not provide any indication to the administrator that an unprivileged user had attempted to use a known exploit; with Ksplice that intrusion attempt will be prevented and logged for the administrator.
Ksplice allows you to patch vulnerabilities and critical bugs on running systems without a reboot. Find out what patches you can apply on your running system by checking out the Ksplice Inspector. Learn more about Oracle Ksplice at ksplice.oracle.com.
If this kind of work sounds interesting to you, consider applying for a job with the Ksplice team! Feel free to drop us a line at ksplice-support_ww@oracle.com.