Key Points
Every year we’re seeing more vulnerabilities that affect Linux. Many consumers aren’t familiar with Linux although they use it every day without knowing it - W3Techs estimates that Linux powers up to 90% of the internet. Given these numbers, how popular Linux is in the server world, and the number of mission-critical cloud applications it’s powering – it’s not surprising it’s a target for cyber criminals.
Simply put, a vulnerability in Linux offers attackers a high-value payoff, meaning they can maximize their reward with minimum effort, using the same exploit to breach multiple organizations’ infrastructure. In this article we’ll look at some recent vulnerabilities, and how you can protect your internal systems with a Linux vulnerability scanner.
Top types of Linux attacks
As with all platforms, Linux attacks vary, but ransomware and cryptojacking top the list. They’re often delivered through fileless malware, software that uses legitimate programs to infect a system or device. It doesn’t rely on files and leaves minimal footprint, making it difficult to detect by endpoint protection such as antivirus, and so prevention is better than cure. High-profile fileless attacks include the hack of the Democratic National Committee and the Equifax breach.
Top 3 Linux vulnerabilities
Linux kernel CVE-2021-41073
As the main component of Linux, the Linux kernel – the interface between the computer’s hardware and its processes – is a particularly attractive access point. Essentially, it represents the “brains” of any Linux distribution, meaning it is ubiquitous and any vulnerability can have far-reaching implications.
This vulnerability allows attackers to take advantage of a weakness in a kernel interface known as io_uring, to achieve local privilege execution (LPE). This means that an attacker must have some access to the local machine to exploit this vulnerability. Sometimes, this is accomplished by means of social engineering, tricking the user into running a small program themselves. To mitigate risk, upgrade the Linux kernel to version 5.14.7 or higher.
Baron Samedit Sudo CVE-2021-3156
Sudo is an almost universal and powerful Linux utility that allows users to run processes using the security privileges of another user, primarily the system administrator. It was created so that users would not have to log on as the more privileged user to perform commands that require higher security privileges than the user currently has.
This vulnerability takes its name from “Baron Samedi,” the Haitiain Vodou spirit of death. Because of the ubiquity of sudo, almost any Linux system could have this vulnerability. It’s a local privilege escalation attack, so the attacker must have access to the system already.
Successful exploitation allows any unprivileged user to gain root privileges on the vulnerable host. This means it can read and write any files on the system, perform operations as any user, change system configuration, install and remove software, and upgrade the operating system and/or firmware. Essentially, it can do pretty much anything on the system.
Dirty Pipe CVE-2022-0847
The name ‘Dirty Pipe’ is both a reference to Dirty Cow – an earlier high-severity and easy-to-exploit Linux flaw – and a clue about the new vulnerability’s origins. “Pipe” refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one.
Dirty Pipe makes it easy for untrusted users to execute code that can carry out a host of malicious actions, including installing backdoors, creating unauthorized user accounts, and modifying scripts or binaries used by privileged services or apps. The vulnerability first appeared in kernel version 5.8, which was released in August 2020, but wasn’t discovered until 2022. The vulnerability is fixed with the release of versions 5.16.11, 5.15.25, and 5.10.102.
Linux vulnerability scanner
Attacks on Linux are on the rise and becoming increasingly sophisticated and powerful, and hackers are spending more time and money than ever on the business of creating malware. Research shows that new Linux malware threats hit record numbers in 2022, increasing by 50% to 1.9 million.
That’s the bad news. The good news is that there are still steps you can take to stay safe. Together, these are the core of a robust vulnerability and risk management policy:
- Use consistent security policies enforced by tools like anti-virus software, Secure Web Gateway, Zero Trust Network Access, and Multi-Factor Authentication (MFA)
- Audit your attack surface and seal any gaps such as closing unnecessary open ports
- Minimize misconfigurations, one of the leading sources of cybersecurity issues
- Patch regularly using a vulnerability scanner for Linux, like Intruder's vulnerability scanning tool that incorporates emerging threat intelligence and asset tracking, so you know exactly what to prioritize.
Try our interactive demo to see how easy vulnerability scanning is with Intruder.
How to install Intruder for Linux
Intruder’s internal vulnerability scanner for Linux finds weaknesses in your internal network, even if they’re behind a firewall and only accessible to employees or trusted partners.
As an agent-based vulnerability scanner for Linux, it needs to be installed on every device, but this is easy to do manually or using the installation wizard.
Keeping up with emerging vulnerabilities, scanning your internal network and protecting all your internal devices is easy with Intruder. It’s easy to install and use, providing continuous monitoring so you can find and fix issues in your Linux devices quickly. Start your free trial today or get in touch for more information.
