Linux kernel Bug Let Attackers Insert Malicious Code Into The Kernel Address Space

The cybersecurity researchers have detected that the Linux kernel bug is allowing the threat actors to implement some malicious code into the kernel address space.

Linux uses ASLR for user-space programs for a long time, ASLR Address-space layout randomization is generally used for its very famous method to make exploits more difficult by putting various objects at random.

However, the experts have outlined some key details regarding this malicious code, and that’s why they have started looking for the patches so that they can circumvent such an unwanted situation.

Attacks

This is not the first time when Kernel gets attacked, as it has been attacked by various threat actors and with different methods. To attack Kernel, the initial thing for an attacker is to find if it has any kind of bug in the system or not.

If the attacker finds any bug in the kernel code, then they can use it to insert different malicious code into the kernel address space by using several methods and redirect the kernel’s execution to that code.

Randomizing the location of Kernel

After investigating the procedure, the security analysts came to know that ASLR (KASLR) is currently randomized where the kernel code is placed at boot time. 

However, the researchers affirmed that using KASLR is quite beneficial for the threat actors, as it has a one-sided effect that moves the interrupt descriptor table (IDT) far away from the other kernel to a location that is present in the read-only memory. 

Basically, ASLR  is a “statistical defense,” and here the brute force techniques can be used to overcome such situations. A situation where it has been described that in the case of 1000 location, brute force will find it once and fail 999 times.

Accomplishment

Among all the malicious code, KASLR is one of the most minor problematic codes that the experts came across. However, cybersecurity researchers have claimed that there are a few steps that will help the user to bypass such a situation.

Some steps are to be taken to protect the data from getting leaked; later it can be used to identify where the kernel was loaded. 

Moreover, the kptr_restrict sysctl should be allowed so that the kernel pointers should not get leaked to a userspace. The patches that have been mentioned by the analysts are currently only for 64-bit x86.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Leave a Reply