How toLinuxOperating SystemsTricks

How to Fix Linux Vulnerabilities

The Linux kernel is frequently cited as the foundation of some of the most well-liked open-source projects. The kernel is crucial to the system’s stability, performance, and security because it is the OS’s main module.

Because of this, engineers must have a thorough awareness of the most frequent software bugs and Linux vulnerabilities. This not only lowers the possibility of exploits but also raises the general caliber of the program you create.

The majority of Linux Kernel problems, including SQL Injection, Uncontrolled Format String, Buffer Overflow, Integer Overflow, and OS Command Injection, are linked to these flaws.

Three main criteria influence a vulnerability’s impact or severity, regardless of the weakness that led to it. Which are:

  • Existence– The existence of a software vulnerability
  • Access- The potential for an attacker to exploit a vulnerability
  • Exploit- The potential for attackers to use particular methods or tools to exploit a vulnerability.

Hackers can infiltrate a system by taking advantage of known flaws and acquiring root access, crashing the system, or gaining memory access. We’ll go through three of the most prevalent Linux Kernel vulnerabilities in this article.

We will also explore how to identify and address these issues.

Linux Vulnerabilities

  1. CVE-2019-11477
  2. TCP SACK PANIC Vulnerabilities
  3. CVE-2017-18017
  4. CVE-2018-5390
  5. SegmentSmack
  6. CVE-2022-0435
  7. CVE-2022-0492
  8. CVE-2022-28893
  9. CVE-2022-0998
  10. CVE-2022-0995

How to Fix Linux Vulnerabilities

CVE-2019-11477

  • CVSS Score: 7.8
  • Affects Linux Kernels: 2.6.29 versions and above
  • Vulnerability Type: Denial of Service

CVE-2019-11477, also known as TCP SACK PANIC, is brought on by an integer overflow as the Linux networking subsystem handles TCP selective acknowledgment (SACK).

The socket buffer data structure of the kernel is broken up during the processing of TCP SACK segments. The kernel may overflow the variable containing the number of segments if it merges numerous socket buffers into one to process the SACK blocks efficiently.

By submitting specially designed SACK requests, an attacker might use this flaw to create a kernel panic. A denial of service could result from the CVE-2019-11477 vulnerability being exploited.

The fact that CVE-2019-11477 is connected to the moderately serious CVE IDs for two more vulnerabilities—CVE-2019-11478 and CVE-2019-11479—is noteworthy.

While CVE-2019-11478 is connected to TCP SACK, the latter is brought on by a bug in how Maximum Segment Size is processed (MSS).

CVE-2019-11478

Attackers can fragment the TCP retransmission queue by sending a carefully constructed series of SACKs requests due to a weakness in the Linux kernel.

An attacker might force an expensive linked-list walk for SACK requests received for the same TCP connection by taking advantage of the fragmented queue.

The CPU would have to use a lot of system resources while it tries to recreate the list.

CVE-2019-11479

This vulnerability results from a bug that lets hackers send packets with low MSS values, which uses up a lot of resources.

An attacker has the kernel divide responses into many TCP segments, each of which only contains 8 bytes of data.

Due to the increased bandwidth needed to transport the same quantity of data, greater CPU and NIC processing power usage results.

Even though the assault may be over once the attacker stops sending traffic, the system’s performance is drastically reduced, which causes a DoS for some users.

Resolving TCP SACK PANIC Vulnerabilities

You must act quickly by deactivating the vulnerable component if your system is susceptible to certain TCP SACK PANIC flaws. As an alternative, you can employ iptables to block connections whose MSS size can effectively exploit the flaw.

The second option is better because it addresses all three issues.

CVE-2017-18017

  • CVSS Score: 10.0
  • Affected Versions: Before 4.11 and 4.9x before 4.9.36
  • Vulnerability type: Denial of Service, Memory corruption

Denial-of-service problems can result from flaws in the Kernel’s handling of exceptions.

The function tcpmss mangle packet located in net/Netfilter/xt TCPMSS.c is responsible for the CVE-2017-18017 vulnerability, which enables remote hackers to launch a DoS attack.

By taking advantage of the fact that xt TCPMSS is present in iptables actions, attackers can also carry out undefined actions.

Because it specifies the MSS that is permitted for accepting TCP headers, the function net/Netfilter/xt TCPMSS.c is crucial in filtering network communication.

Given that attackers can remotely exploit the defect, the effects of this type of flaw could be serious.

CVE-2018-5390

  • CVSS Score: 7.5
  • Affected Versions: Linux Kernel 6 and Above
  • Vulnerability Type: Denial of Service

SegmentSmack, also known as CVE-2018-5390, is a moderately serious vulnerability in the Linux kernel.

It happens as a result of a bug in how the Kernel manages specifically constructed TCP packets.

By delivering altered packets during active TCP sessions, remote attackers can use this vulnerability to cause pricey calls to the TCP prune ofo queue() and TCP collapse ofo queue() functions.

Due to CPU overuse and a lack of bandwidth, the system cannot handle incoming network traffic, which ultimately results in a denial of service. Attacks employing faked IP addresses are not possible because continual two-way sessions to an open port are necessary for an attacker to maintain the DoS condition.

Resolving the SegmentSmack

The default values of the net.ipv4.ipfrag low thresh and net.ipv4.ipfrag high thresh (as well as their IPv6 counterparts) are 4MB and 3MB, respectively. You can mitigate the vulnerability in addition to installing an updated or fixed Linux Kernel by changing these values to 192kB and 256kB, respectively. As a result, the attack’s CPU saturation will significantly decrease.

CVE-2022-0435

  • CVSS Score: 9.0
  • Severity: Critical

A stack overflow vulnerability was discovered in the TIPC protocol feature of the Linux kernel when a user sent a packet containing malicious content with more domain member nodes than the 64 permitted. If a remote user has access to the TIPC network, they can exploit this weakness to crash the system or even escalate their privileges.

This vulnerability poses the greatest risk to system availability, confidentiality, and integrity.

This vulnerability poses a serious risk because it can be exploited over any network with little difficulty and with few access privileges.

[dt_divider style=”thin” /]

CVE-2022-0492

  • CVSS Score: 7.8
  • Severity: Important

The kernel/cgroup/cgroup-v1.c function cgroup release agent written in the Linux kernel was determined to be vulnerable. Under some conditions, this weakness enables the use of the cgroups v1 release agent functionality to elevate privileges and unexpectedly overcome namespace isolation.

This vulnerability poses the greatest risk to system availability, confidentiality, and integrity.

This vulnerability carries a high risk of exposure due to its low attack complexity and minimal privilege requirements. Because it does need local network access to exploit, the overall danger is reduced.

[dt_divider style=”thin” /]

CVE-2022-28893

  • CVSS Score: 7.2
  • Severity: Important

Through Linux kernel version 5.17.2, the SUNRPC subsystem can call xs xprt free without first checking that sockets are in the desired condition.

This vulnerability poses the greatest danger to system availability, confidentiality, and integrity.

This vulnerability carries a high risk due to the ease with which it may be exploited, which just requires local network access and low privileges, and attack complexity.

[dt_divider style=”thin” /]

CVE-2022-0998

  • CVSS Score: 7.2
  • Severity: Important

The way a user invokes the vhost vdpa config validates function in the Linux kernel’s virtio device driver code contains an integer overflow fault. A local user might potentially elevate their privileges on the system or cause the system to crash due to this bug.

Confidentiality, integrity, and system availability are the three areas that are most at risk from this vulnerability.

This vulnerability carries a high risk due to the ease with which it may be exploited, which just requires local network access and low privileges, and attack complexity.

[dt_divider style=”thin” /]

CVE-2022-0995

  • CVSS Score: 6.6
  • Severity: Important

The watch queue event notification subsystem of the Linux kernel was found to have an out-of-bounds (OOB) memory write bug. A local user may be able to obtain privileged access or bring about a denial of service on the system due to this flaw’s ability to overwrite portions of the kernel state.

This vulnerability poses the greatest risk to system availability and confidentiality.

This vulnerability carries a high risk due to the ease with which it may be exploited, which just requires local network access and low privileges, and attack complexity.

Protect Yourself against Linux Kernel Vulnerabilities

Continuously checking your repositories is the most efficient strategy to guard against Linux Kernel vulnerabilities and related attacks.

This makes it simpler to find weak open-source project components and to deliver timely fixes.

WhiteSource Bolt, a GitHub app that enables unlimited private and public repository scanning to identify vulnerabilities in real time, is one of the best tools for the job. When Bolt finds flaws in your code, it automatically creates a new problem in the issue tracker.

Additionally, it offers a thorough report including the CVSS rating of the vulnerability and suggested fixes.

In addition to utilizing Bolt, it’s critical to make sure your software product versions are up to date at all times. As updates frequently include patches and fixes, doing this will help you stay secure.

How vulnerabilities are fixed?

An operating system update, an application patch, or a configuration change can all be used to address vulnerabilities. Vulnerabilities discovered may affect copies of apps rather than the originals. A vulnerability can only be fixed by a patch if the application is installed.

What is vulnerability management in Linux?

With Microsoft Defender for Endpoint’s threat and vulnerability management features, businesses can efficiently find, analyze, and fix endpoint flaws to lower organizational risk. For a detailed list of supported platforms and operating systems, consult our documentation.

Is Linux OS safe?

“Linux is the safest OS since its source code is available. It can be examined by anyone to check for bugs or back doors. According to Wilkinson, “the information security community is aware of fewer exploitable security weaknesses in Linux and Unix-based operating systems.

Conclusion

These faults are to blame for most Linux Kernel issues. By taking advantage of vulnerabilities that are well known, hackers can gain root access to a system. In this article, we’ll go through three of the most common Linux Kernel vulnerabilities and explain how to spot and fix them. The CVE-2019-11478 vulnerability is linked to a problem that allows hackers to send packets with low MSS values, wasting a lot of resources. The Linux kernel separates responses into several TCP segments, each of which only holds 8 bytes of data, as a result of a defect.

CVE-2018-5390, commonly known as the SegmentSmack vulnerability, is a flaw in the Linux kernel’s handling of specially designed TCP packets that can result in denial of service attacks.

Always be updated with computer tips, mobile tips, how to fix, tech reviews, and tech news on Rowdytech, or subscribe to the YouTube channel.

Related Articles

5 1 vote
Article Rating
Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Back to top button
1
0
Would love your thoughts, please comment.x
()
x