Linux Kernel Vulnerability - ThreatWire
Added 2021-05-04 17:37:10 +0000 UTC. By Shannon Morse, ThreatWire
Cisco Talos discovered a bug within the Linux kernel that could potentially expose information from the kernel stack memory of vulnerable devices. It is tracked as CVE-2020-28588 and is an information disclosure vulnerability caused by an improper conversion of numeric values when reading files. It exists within the /proc/pid/syscall functionality of 32-bit ARM devices running Linux.
"Proc" dynamically accesses process data held within the kernel and presents it in a file system-like structure with subdirectories. "Syscall" contains logs of system calls that happen in the kernel.
If an attacker wanted to exploit this vulnerability, they would have to read 24 bytes of uninitialized stack memory out of the file in order to bypass KASLR, the kernel address space layout randomization. KASLR itself is an anti-exploit technique, and because the leak comes from reading a legitimate file, exploitation is impossible to detect remotely, according to the Cisco Talos report.
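Since the leak on the affected kernels shows up in the output of a file that legitimate tools read all the time, the only practical check is a local one: parse what the kernel prints and make sure every field is something the kernel could plausibly have meant to print. The parser below is an added example and is not code from ThreatWire, Cisco Talos or the kernel. It assumes the /proc/[pid]/syscall layout documented in proc(5) ("running", or "-1 sp pc" for a task blocked outside a system call, or "nr a1 a2 a3 a4 a5 a6 sp pc" otherwise), and the rule that a field wider than the platform word (32 bits on the ARM systems the report concerns) cannot be the register value the kernel intended is a heuristic of this example, not a statement about the exact mechanism of CVE-2020-28588. The sample lines are constructed.

```python
"""Sanity-check /proc/[pid]/syscall output against the platform word size.

Added example (not from the page, the kernel or Cisco Talos). Layout assumed
from proc(5); the "field wider than a register" rule is this example's own
heuristic for spotting output that contains more than the intended value.
"""
import re

HEX_FIELD = re.compile(r"^(?:0x)?[0-9a-fA-F]+$")
ARG_NAMES = ["a1", "a2", "a3", "a4", "a5", "a6"]


def parse_proc_syscall(line: str, word_bits: int = 32) -> dict:
    """Parse one /proc/[pid]/syscall line.

    Returns a dict with the task state, syscall number, argument list, sp, pc,
    and 'oversized': the names of hex fields that do not fit in word_bits.
    Raises ValueError on a line that does not match the proc(5) layout.
    """
    tokens = line.strip().split()
    if not tokens:
        raise ValueError("empty /proc/[pid]/syscall line")
    if tokens == ["running"]:
        return {"state": "running", "nr": None, "args": [],
                "sp": None, "pc": None, "oversized": []}

    nr = int(tokens[0], 10)            # syscall number is printed in decimal
    hex_fields = tokens[1:]
    if nr == -1:
        # Blocked, but not inside a system call: only sp and pc follow.
        names = ["sp", "pc"]
        state = "blocked_outside_syscall"
    else:
        names = ARG_NAMES + ["sp", "pc"]
        state = "in_syscall"
    if len(hex_fields) != len(names):
        raise ValueError(
            f"expected {len(names)} hex fields after nr={nr}, got {len(hex_fields)}")

    values = {}
    for name, field in zip(names, hex_fields):
        if not HEX_FIELD.match(field):
            raise ValueError(f"non-hex field {field!r} in position {name}")
        values[name] = int(field, 16)

    # A register on this platform holds at most word_bits bits; anything wider
    # is not a single register value, so flag it for a human to look at.
    limit = (1 << word_bits) - 1
    oversized = [name for name in names if values[name] > limit]
    return {
        "state": state,
        "nr": nr,
        "args": [values[n] for n in ARG_NAMES if n in values],
        "sp": values["sp"],
        "pc": values["pc"],
        "oversized": oversized,
    }


def scan_lines(lines, word_bits: int = 32):
    """Return (line_index, oversized_field_names) for every flagged line."""
    flagged = []
    for idx, line in enumerate(lines):
        parsed = parse_proc_syscall(line, word_bits)
        if parsed["oversized"]:
            flagged.append((idx, parsed["oversized"]))
    return flagged


# Constructed sample lines for a 32-bit system: the first is a normal read()
# call; the second carries a third argument far wider than any 32-bit register.
SAMPLE_OK = "3 0x4 0xbefff5c4 0x1000 0x0 0x0 0x0 0xbefff5a0 0xb6f1c8d4"
SAMPLE_WIDE = "3 0x4 0xbefff5c4 0xaaaaaaaa00001000 0x0 0x0 0x0 0xbefff5a0 0xb6f1c8d4"
SAMPLE_BLOCKED = "-1 0xbefff5a0 0xb6f1c8d4"

if __name__ == "__main__":
    for idx, fields in scan_lines([SAMPLE_OK, SAMPLE_WIDE, SAMPLE_BLOCKED, "running"]):
        print(f"line {idx}: fields wider than 32 bits: {fields}")
```

Run it on the actual files with something like `parse_proc_syscall(open(f"/proc/{pid}/syscall").read())` and set `word_bits` to match the kernel; on a 64-bit kernel the same 16-hex-digit value is perfectly ordinary, which is why the limit is a parameter rather than a constant.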
Why does this matter? If an attacker leveraged this issue, the information leak could allow them to exploit additional unpatched Linux vulnerabilities.
Linux kernel versions 5.10-rc4, 5.4.66 and 5.9.8 are vulnerable, but patches are available as of a few months ago.
In related news, Qihoo 360 Netlab found a Linux malware backdoor that has gone completely undetected since 2018 and targets 64-bit Linux systems. RotaJakiro, as it has been named, was detected on March 25th when BotMon, the company's DDoS botnet C2 command tracking system, flagged something suspicious. Nothing in VirusTotal detected the file, although a few samples had been uploaded there since 2018.
The malware has several functions including exfiltrating or stealing data, reporting device info, the ability to download and delete files and plugins, and more, but 360 Netlab is unsure of the core purpose other than compromising a system.
The researchers found similarities between RotaJakiro and the Torii botnet, which was originally found back in 2018, such as reuse of commands and similar construction and functionality processes, but they would not draw any conclusions about a connection.
Linux Vulnerabilities:
https://www.zdnet.com/article/linux-kernel-vulnerability-exposes-stack-memory/
https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html
https://threatpost.com/linux-kernel-bug-wider-cyberattacks/165640/
RotaJakiro:
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
https://www.zdnet.com/article/rotajakiro-a-linux-backdoor-that-has-flown-under-the-radar-for-years/
Support ThreatWire! https://www.patreon.com/threatwir