Ksplice Known Exploit Detection for DirtyCred Remastered, io_uring, AF_PACKET, Looney Tunables and more...

February 13, 2024 | 5 minute read

It’s been a while since our last update on the Known Exploit Detection feature that Ksplice offers, but that doesn’t mean we haven’t been busy adding more!

This post is part of a regular series on Oracle Ksplice’s Known Exploit Detection. For selected security vulnerabilities, not only will Ksplice fix the code error, Ksplice will also lay down tripwires to detect attempts to exploit those fixed vulnerabilities. Known Exploit Detection allows system administrators to report and alarm on future attempts to exploit that vulnerability even after the system has been patched.

Why Exploit Detection Matters

In many cases, the code fix for a security vulnerability is indistinguishable from an ordinary bug fix or logic change. In fact, around half of Linux kernel security vulnerabilities are identified retroactively and assigned to patches which are already part of the kernel. Once the code bug or logic error is corrected, the program simply works “correctly”, and nothing raises an alarm when a malicious user tries out a known exploit against it. Take the glibc Looney Tunables vulnerability, which lets a local user exploit the Linux dynamic loader through set-user-ID binaries: once it is fixed, a user trying that exploit will not get root, but the system administrator will never learn that the exploit was attempted. With Known Exploit Detection, in addition to enforcing the bounds of the buffer, Ksplice sets a tripwire condition (in the kernel, for that glibc vulnerability!) so that attempts to hijack the environment variable with nonsensical data are detected and logged as a thwarted attack.
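To make the tripwire idea concrete, here is an added example in C that is not Ksplice’s or glibc’s code: a userspace model of a GLIBC_TUNABLES check that both refuses the hostile string and logs the attempt. It assumes a hypothetical hook at set-user-ID program start, and its length limit, verdict names and log format are illustrative; the only fact it takes from the vulnerability is the `name=name=value` shape of the publicly reported trigger string.

```c
/* Added example, not Ksplice's or glibc's code: a userspace model of the
 * GLIBC_TUNABLES tripwire. The hostile shape comes from the public
 * CVE-2023-4911 (Looney Tunables) reports, where the trigger string looks like
 *   GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A
 * i.e. a tunable whose value itself contains "name=". The length limit, the
 * verdict names and the log format are assumptions for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TUNABLES_MAX_LEN 4096 /* assumed sanity limit, not a glibc constant */

enum tunables_verdict {
    TUNABLES_OK = 0,
    TUNABLES_TOO_LONG,
    TUNABLES_BAD_NAME,        /* empty name, or a character glibc never uses in one */
    TUNABLES_EQUALS_IN_VALUE  /* "name=name=value": the Looney Tunables trigger */
};

static bool tunable_name_char(char c)
{
    return isalnum((unsigned char)c) || c == '_' || c == '.';
}

/* Walk the colon-separated "name=value" list. The tripwire does not need the
 * list of real tunable names: it only rejects shapes that no legitimate
 * GLIBC_TUNABLES has and that the exploit cannot do without. */
enum tunables_verdict inspect_tunables(const char *s)
{
    size_t len = strlen(s);
    if (len > TUNABLES_MAX_LEN)
        return TUNABLES_TOO_LONG;

    const char *limit = s + len;
    for (const char *p = s; p < limit; ) {
        const char *end = memchr(p, ':', (size_t)(limit - p));
        if (!end)
            end = limit;
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (eq) {                            /* entries without '=' are ignored by glibc */
            if (eq == p)
                return TUNABLES_BAD_NAME;
            for (const char *q = p; q < eq; q++)
                if (!tunable_name_char(*q))
                    return TUNABLES_BAD_NAME;
            if (memchr(eq + 1, '=', (size_t)(end - eq - 1)))
                return TUNABLES_EQUALS_IN_VALUE;
        }
        if (end == limit)
            break;
        p = end + 1;
    }
    return TUNABLES_OK;
}

/* Hypothetical hook at the moment a set-user-ID program is about to start.
 * Like the kernel-side Ksplice check described above, it only cares about
 * privileged executions; for anything else the user may set what they like.
 * Returns true and fills `log` when the tripwire fires. */
bool suid_exec_tripwire(bool setuid, const char *const *envp,
                        char *log, size_t loglen)
{
    static const char prefix[] = "GLIBC_TUNABLES=";
    bool fired = false;

    if (!setuid)
        return false;
    for (; *envp; envp++) {
        if (strncmp(*envp, prefix, sizeof prefix - 1) != 0)
            continue;
        enum tunables_verdict v = inspect_tunables(*envp + (sizeof prefix - 1));
        if (v != TUNABLES_OK) {
            snprintf(log, loglen,
                     "known exploit attempt (CVE-2023-4911): GLIBC_TUNABLES rejected, verdict %d",
                     (int)v);
            fired = true;
        }
    }
    return fired;
}

int main(void)
{
    /* constructed sample environments */
    const char *const benign[] = {
        "PATH=/usr/bin",
        "GLIBC_TUNABLES=glibc.malloc.mxfast=0x100:glibc.malloc.tcache_count=0",
        NULL };
    const char *const hostile[] = {
        "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A",
        NULL };
    char log[160] = "";

    printf("benign:  fired=%d\n", suid_exec_tripwire(true, benign, log, sizeof log));
    printf("hostile: fired=%d (%s)\n", suid_exec_tripwire(true, hostile, log, sizeof log), log);
    printf("hostile, non-suid: fired=%d\n", suid_exec_tripwire(false, hostile, log, sizeof log));
    return 0;
}
```

The point of splitting the verdict from the hook is the one the paragraph makes: dropping the variable is the fix, and logging on the impossible shape is the tripwire; a non-setuid execution with the same string is not an attack and must not fire.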

We are very selective about which vulnerabilities get Known Exploit Detection: it is reserved for significant, high-profile vulnerabilities that are likely to be exploited by malicious users, so not every patched vulnerability will receive it.

Latest Known Exploit Detection tripwires added

Here’s a selection of our most recent Known Exploit Detection capabilities which are part of Oracle Ksplice:

  • CVE-2016-8655 (AF_PACKET use-after-free): this vulnerability allows an untrusted user with the ability to create AF_PACKET sockets to escalate to ring zero by leveraging a use-after-free when the socket’s TPACKET version is changed from v3 to v1 while a ring buffer is being set up, through a race condition. Ksplice prevents it by correctly locking the packet socket when the version is changed through setsockopt and by refusing a version change while a ring is mapped, which closes the race that led to the use-after-free. On a system patched without Ksplice, the kernel fix silently prevents the exploit but gives the administrator no indication that an unprivileged user attempted a known exploit; with Ksplice, the attempt is both prevented and logged for the administrator.

  • CVE-2021-22600 (AF_PACKET double-free): here again, the vulnerability allows an unprivileged user with the ability to create AF_PACKET sockets to escalate to ring zero, this time by leveraging a double-free when the socket version is changed from v3 to v2 through type confusion. Ksplice prevents it by removing the type confusion when changing versions through setsockopt, which avoids the double-free. On a system patched without Ksplice, the kernel fix silently prevents the exploit but gives the administrator no indication that an unprivileged user attempted a known exploit; with Ksplice, the attempt is both prevented and logged for the administrator.

  • CVE-2021-26708 (Four Bytes of Power): this vulnerability allows an unprivileged user to escalate to ring zero by leveraging a use-after-free in a classic race condition: the transport type of a VSOCK socket is changed concurrently with a change of its socket buffer size. Ksplice prevents it by fixing the locking when changing the socket buffer size, which removes both the race and the use-after-free. On a system patched without Ksplice, the kernel fix silently prevents the exploit but gives the administrator no indication that an unprivileged user attempted a known exploit; with Ksplice, the attempt is both prevented and logged for the administrator.

  • CVE-2022-2602 (DirtyCred Remastered): this vulnerability allows an unprivileged user to escalate to ring zero by leveraging a use-after-free in the io_uring kernel subsystem. Ksplice prevents it by fixing the Unix socket garbage collector so that it defers freeing socket buffers that are still in use by io_uring. On a system patched without Ksplice, the kernel fix silently prevents the exploit but gives the administrator no indication that an unprivileged user attempted a known exploit; with Ksplice, the attempt is both prevented and logged for the administrator.

  • CVE-2022-4378 (stack buffer overflow in the proc filesystem): this vulnerability allows an unprivileged user to trigger a stack buffer overflow in the proc filesystem with specially crafted input: an integer overflow in the input length handling lets the input be copied past the end of an on-stack buffer. Ksplice prevents it by fixing the logic error in the proc filesystem’s sanitization of untrusted input. On a system patched without Ksplice, the kernel fix silently prevents the exploit but gives the administrator no indication that an unprivileged user attempted a known exploit; with Ksplice, the attempt is both prevented and logged for the administrator.

  • CVE-2023-4911 (Glibc Looney Tunables): this vulnerability allows an unprivileged user to escalate to root by leveraging a parsing error in the Linux dynamic loader (ld-linux.so) for the GLIBC_TUNABLES environment variable. Ksplice prevents it in the kernel, by sanitizing the GLIBC_TUNABLES environment variable when a set-user-ID program is invoked (more on this in an earlier post), so that you do not even need an updated glibc on disk to be protected. On a system patched without Ksplice, and provided the glibc package was correctly updated, the fixed ld-linux.so silently prevents the exploit but gives the administrator no indication that an unprivileged user attempted a known exploit; with Ksplice, the attempt is both prevented and logged for the administrator.
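As an added example of where such a tripwire lives inside a fix (model code written for this post, not kernel or Ksplice code), the following C program models the CVE-2016-8655 fix listed above: the upstream fix makes `setsockopt(PACKET_VERSION)` take the socket lock and return -EBUSY while a ring is mapped, and that refusal, which no legitimate program triggers, is where a tripwire fires. The struct layout, the omission of the socket lock (the model is single-threaded), the tripwire helper and its message format are assumptions.

```c
/* Added example, not kernel or Ksplice code: a userspace model of how a
 * Known Exploit Detection tripwire sits on the error path of a fix, using
 * the CVE-2016-8655 fix as the pattern. Upstream made setsockopt(PACKET_VERSION)
 * take the socket lock and return -EBUSY while a ring is mapped; the model
 * keeps the state check and drops the lock, since it is single-threaded.
 * Struct layout, log format and the tripwire helper are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { TPACKET_V1 = 0, TPACKET_V2 = 1, TPACKET_V3 = 2 };

struct packet_sock_model {
    int tp_version;
    bool rx_ring_mapped;   /* stands in for po->rx_ring.pg_vec != NULL */
    bool tx_ring_mapped;   /* stands in for po->tx_ring.pg_vec != NULL */
};

/* Where the tripwire reports: a kernel would use printk() or audit; here a
 * counter and the last message, so the behaviour can be checked. */
static int tripwire_hits;
static char tripwire_last[160];

static void tripwire(const char *cve, const char *detail)
{
    tripwire_hits++;
    snprintf(tripwire_last, sizeof tripwire_last,
             "known exploit attempt (%s): %s", cve, detail);
}

int tripwire_hit_count(void) { return tripwire_hits; }
const char *tripwire_last_message(void) { return tripwire_last; }

/* Fixed PACKET_VERSION: the only way to reach the -EBUSY branch is to try
 * the version flip the 2016 exploit needed, so that branch is the tripwire. */
int model_set_packet_version(struct packet_sock_model *po, int val)
{
    if (val != TPACKET_V1 && val != TPACKET_V2 && val != TPACKET_V3)
        return -EINVAL;
    if (po->rx_ring_mapped || po->tx_ring_mapped) {
        tripwire("CVE-2016-8655", "PACKET_VERSION changed while a ring is mapped");
        return -EBUSY;
    }
    po->tp_version = val;
    return 0;
}

/* Simplified PACKET_RX_RING / PACKET_TX_RING: block_nr == 0 unmaps, a second
 * mapping is refused as in the kernel. That -EBUSY is an ordinary error, not
 * an exploit signature, so it gets no tripwire. */
int model_set_packet_ring(struct packet_sock_model *po, bool tx, unsigned block_nr)
{
    bool *mapped = tx ? &po->tx_ring_mapped : &po->rx_ring_mapped;
    if (block_nr == 0) {
        *mapped = false;
        return 0;
    }
    if (*mapped)
        return -EBUSY;
    *mapped = true;
    return 0;
}

int main(void)
{
    struct packet_sock_model po = { TPACKET_V1, false, false };

    /* Legitimate sequence: choose the version first, then map the ring. */
    model_set_packet_version(&po, TPACKET_V3);
    model_set_packet_ring(&po, false, 8);

    /* Exploit sequence: flip the version underneath a mapped ring. */
    int ret = model_set_packet_version(&po, TPACKET_V1);
    printf("version flip under a mapped ring: ret=%d, tripwire hits=%d\n%s\n",
           ret, tripwire_hit_count(), tripwire_last_message());
    return 0;
}
```

The design choice worth copying is which error path gets instrumented: a second ring mapping also fails with -EBUSY, but a buggy program can do that by accident, whereas a version change under a mapped ring has no legitimate use and is exactly the state the exploit had to reach.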

Ksplice allows you to patch vulnerabilities and critical bugs on running systems without a reboot. Find out what patches you can apply on your running system by checking out the Ksplice Inspector. Learn more about Oracle Ksplice at ksplice.oracle.com.

If this kind of work sounds interesting to you, consider applying for a job with the Ksplice team! Feel free to drop us a line at ksplice-support_ww@oracle.com.

Quentin Casasnovas