Linux kernel Bug Let Attackers Insert Malicious Code Into The Kernel Address Space

The cybersecurity researchers have detected that the Linux kernel bug is allowing the threat actors to implement some malicious code into the kernel address space.

Linux uses ASLR for user-space programs for a long time, ASLR Address-space layout randomization is generally used for its very famous method to make exploits more difficult by putting various objects at random.

However, the experts have outlined some key details regarding this malicious code, and that’s why they have started looking for the patches so that they can circumvent such an unwanted situation.

Attacks

This is not the first time when Kernel gets attacked, as it has been attacked by various threat actors and with different methods. To attack Kernel, the initial thing for an attacker is to find if it has any kind of bug in the system or not.

If the attacker finds any bug in the kernel code, then they can use it to insert different malicious code into the kernel address space by using several methods and redirect the kernel’s execution to that code.

Randomizing the location of Kernel

After investigating the procedure, the security analysts came to know that ASLR (KASLR) is currently randomized where the kernel code is placed at boot time. 

However, the researchers affirmed that using KASLR is quite beneficial for the threat actors, as it has a one-sided effect that moves the interrupt descriptor table (IDT) far away from the other kernel to a location that is present in the read-only memory. 

Basically, ASLR  is a “statistical defense,” and here the brute force techniques can be used to overcome such situations. A situation where it has been described that in the case of 1000 location, brute force will find it once and fail 999 times.

Accomplishment

Among all the malicious code, KASLR is one of the most minor problematic codes that the experts came across. However, cybersecurity researchers have claimed that there are a few steps that will help the user to bypass such a situation.

Some steps are to be taken to protect the data from getting leaked; later it can be used to identify where the kernel was loaded. 

Moreover, the kptr_restrict sysctl should be allowed so that the kernel pointers should not get leaked to a userspace. The patches that have been mentioned by the analysts are currently only for 64-bit x86.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering critical…

15 hours ago

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for WordPress,…

1 day ago

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign embedded…

1 day ago

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through a…

1 day ago

Printer Company Distributes Malicious Drivers Infected with XRed Malware

Procolored, a printer manufacturing company, has been found distributing software drivers infected with malicious code,…

1 day ago

Chinese Agent Impersonate as Stanford Student For Intelligence Gathering

Chinese intelligence operative posing as a Stanford University student has been uncovered following an investigation…

1 day ago