At Vulcan Cyber, we spend a lot of time researching vulnerabilities and making the community aware of them, especially through Vulcan Remedy Cloud, our popular free resource where we share expert-curated vulnerability solutions. This keeps us very aware of emerging trends and of the direction in which the threat environment is moving. Overall, the most important takeaway is that both attackers and governments are getting more serious, as we’ll see from some of the top Linux vulnerability trends of 2022.
In fact, many security experts predict that the next big front in the malware war will be what U.S. Department of Homeland Security Secretary Alejandro Mayorkas has called “killware”: attacks on crucial hospital or medical infrastructure that threaten human lives. These attacks are already happening, both against medical facilities and against critical operational technology, such as the 2021 attack on the water treatment plant in Oldsmar, Florida, that could have had lethal consequences.
That’s why cyber resilience, according to the same report, is now front of mind for IT and security professionals. While most end users aren’t familiar with Linux, one W3Techs estimate puts Unix-like systems, the large majority of them Linux, at roughly 80% of the web server market, and another commonly cited statistic holds that Linux runs 90% of cloud applications.
What that means is that for many companies, their most mission-critical apps and data live on Linux. For Vulcan, that makes it extra important to keep our finger on the pulse to serve teams maintaining a wide range of OS environments, including Linux.
Let’s look at the top 3 emerging Linux cybersecurity trends of 2022.
- Linux vulnerability trend #1: Linux is growing as a target
- Linux vulnerability trend #2: RCE and LPE as the gold standard
- Linux vulnerability trend #3: Linux as an APT attack vector
- Keeping Linux safe
Linux vulnerability trend #1: Linux is growing as a target
Every year, across the industry, we’re seeing more vulnerabilities disclosed and more malware families built specifically for Linux. Given the statistics above, how prevalent Linux is in the server world, and the number of mission-critical cloud applications it powers, this makes logical sense.
Simply put, Linux now offers attackers a higher-value payoff: they can maximize their impact with minimal effort by reusing the same or similar techniques against multiple organizations’ infrastructure.
The types of attacks against Linux systems vary, but ransomware and cryptojacking are still in the lead. One newer twist is fileless malware, where the attacker loads and executes the payload directly in memory (for example through an anonymous memfd_create() file, or a script piped straight into an interpreter) so that no executable is ever written to disk for file-scanning antivirus to flag.
In addition, the growing popularity of Go (Golang), a compiled language that produces statically linked binaries and cross-compiles for several operating systems and architectures from one codebase, gives attackers and threat groups an easy way to build new malware. A single Go codebase can target Linux, Windows and macOS, which speeds up malware development and removes any dependency on an interpreter such as Python being present on the victim.
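A quick way to hunt for that in-memory footprint on a live host, as an added example rather than anything from the original post: Linux exposes each process’s executable through /proc/PID/exe, and a payload run from an anonymous memfd_create() file, or a binary deleted after it was started, shows up there with a telltale link target. The link targets in the demo are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): spot running processes whose
# executable no longer exists on disk, the usual footprint of a fileless payload
# written to an anonymous memfd_create() file or unlinked after exec.
# Assumes a Linux /proc filesystem; the sample link targets in demo() are
# constructed, not captured from a real incident.

# classify_exe TARGET
# TARGET is what `readlink /proc/PID/exe` prints. Prints one word:
#   memfd   - anonymous in-memory file (appears as "/memfd:NAME (deleted)")
#   deleted - a real file that was unlinked after the process started
#   ondisk  - an ordinary executable that still exists
classify_exe() {
    case "$1" in
        /memfd:*)      printf 'memfd\n' ;;
        *" (deleted)") printf 'deleted\n' ;;
        *)             printf 'ondisk\n' ;;
    esac
}

# scan_fileless [PROC_ROOT]
# Walks every PID directory and prints one line per suspicious process:
#   KIND pid=N exe=TARGET cmd=ARGV
# PIDs we may not inspect (other users' processes without root) are skipped.
scan_fileless() {
    root=${1:-/proc}
    for p in "$root"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        kind=$(classify_exe "$exe")
        [ "$kind" = ondisk ] && continue
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || cmd='(unreadable)'
        printf '%s pid=%s exe=%s cmd=%s\n' "$kind" "${p##*/}" "$exe" "$cmd"
    done
}

# demo: constructed readlink results for three typical processes.
demo() {
    for link in '/usr/sbin/sshd' \
                '/memfd:kworker (deleted)' \
                '/usr/lib/systemd/systemd (deleted)'; do
        printf '%s -> %s\n' "$link" "$(classify_exe "$link")"
    done
}
```

Run scan_fileless as root to cover every process. Expect some benign hits: a daemon still running after its package was upgraded shows as deleted, and some JIT runtimes use memfd files, so treat each line as a lead to check the command line and parent process, not as a verdict.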
Example: Linux kernel CVE-2021-41073
As the main component of Linux, the kernel, which is the primary interface between the hardware and the processes running on it, is a particularly desirable target. It is the “brains” of every Linux distribution and therefore ubiquitous, so a kernel vulnerability is likely to have far-reaching implications.
This vulnerability is a bug in io_uring, the kernel’s asynchronous I/O interface, which is reachable from unprivileged processes, and it allows local privilege escalation (LPE). An attacker therefore needs to be able to run code on the machine first, whether from a foothold gained elsewhere (a compromised web application or service account) or through social engineering, tricking a user into running a small program themselves.
Vulnerable systems are those running upstream Linux kernel versions 5.10 through 5.14.6. To remediate, upgrade to kernel 5.14.7 or later, or to a distribution kernel that carries the backported fix. Distribution kernels keep their own version numbers, so check the vendor advisory rather than relying on the bare version string.
Example: Baron Samedit Sudo CVE-2021-3156
Sudo is an almost universal and extraordinarily powerful Linux utility that, by design, lets users run commands with the privileges of another user, primarily root, the superuser. It exists so that users do not have to log in as the more privileged user to perform tasks that require higher privileges than their own account has.
This vulnerability borrows part of its name from Baron Samedi, the spirit of death in traditional Haitian Vodou belief. Because of the ubiquity of sudo, almost any Linux system could have it. When it is present, invoking sudo in shell mode through sudoedit -s with a command-line argument that ends in a single backslash triggers a heap-based buffer overflow in the argument-unescaping code, and an unprivileged local user, whether or not they appear in the sudoers file, can use that to escalate to root, the highest level possible.
Note that this is a local privilege escalation (LPE), not a remote code execution (RCE), vulnerability: the attacker must already be able to run commands on the host as some unprivileged user, typically after compromising a web application, a service account, or a user’s credentials. From there it hands over full control, letting attackers access, modify, or steal data or change the server itself and how it operates.
Almost every Linux distribution ships sudo, and the following versions are affected: 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1. Remediation is upgrading to sudo 1.9.5p2 (or 1.8.32 on the legacy branch) or later, or to a vendor package that backports the fix.
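Both examples above define the affected set by version number, so here is an added example (not from the original post, the kernel, or the sudo project) that turns those ranges for CVE-2021-41073 and CVE-2021-3156 into a POSIX sh check, together with the behavioural probe published alongside the sudo advisory. Version strings in the test are constructed; the caveat about distribution backports applies to everything the script reports.

```shell
#!/bin/sh
# Added example (not from the original post): compare an installed sudo or
# kernel version against the affected ranges quoted in the text for
# CVE-2021-3156 (sudo) and CVE-2021-41073 (io_uring).
#
# Caveat: distributions backport fixes without bumping the upstream version,
# so a hit here means "check the vendor advisory", not "confirmed vulnerable".

# ver_norm V: "1.9.5p1" -> "1.9.5.1.0.0.0", "5.14.6-arch1-1" -> "5.14.6.0.0.0".
# Everything from the first char outside [0-9.p] is dropped, the sudo "p"
# patch level becomes a fourth field, and ".0.0.0" pads short versions.
ver_norm() {
    v=$(printf '%s\n' "$1" | sed -e 's/[^0-9.p].*$//' -e 's/p/./')
    printf '%s.0.0.0\n' "$v"
}

# ver_cmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
ver_cmp() {
    a=$(ver_norm "$1"); b=$(ver_norm "$2"); i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# in_range V LO HI: succeeds when LO <= V <= HI.
in_range() {
    [ "$(ver_cmp "$1" "$2")" -ge 0 ] && [ "$(ver_cmp "$1" "$3")" -le 0 ]
}

# Affected ranges from the sudo advisory for CVE-2021-3156 (Baron Samedit).
sudo_affected_cve_2021_3156() {
    in_range "$1" 1.7.7 1.7.10p9 || in_range "$1" 1.8.2 1.8.31p2 || in_range "$1" 1.9.0 1.9.5p1
}

# Upstream range from the CVE-2021-41073 entry (fixed in 5.14.7).
kernel_affected_cve_2021_41073() {
    in_range "$1" 5.10 5.14.6
}

# Behavioural probe published with the sudo advisory: run as a non-root user,
# a vulnerable sudoedit answers "sudoedit: /: not a regular file" while a fixed
# one prints its usage text. Prints "vulnerable", "patched" or "unknown".
sudoedit_probe() {
    command -v sudoedit >/dev/null 2>&1 || { printf 'unknown\n'; return 0; }
    case "$(sudoedit -s / 2>&1)" in
        *"not a regular file"*) printf 'vulnerable\n' ;;
        usage:*)                printf 'patched\n' ;;
        *)                      printf 'unknown\n' ;;
    esac
}

# report: apply all three checks to the running host.
report() {
    sv=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    kv=$(uname -r)
    printf 'sudo %s: ' "${sv:-not found}"
    if [ -n "$sv" ] && sudo_affected_cve_2021_3156 "$sv"; then
        printf 'in CVE-2021-3156 range\n'; else printf 'outside range\n'; fi
    printf 'kernel %s: ' "$kv"
    if kernel_affected_cve_2021_41073 "$kv"; then
        printf 'in CVE-2021-41073 range\n'; else printf 'outside range\n'; fi
    printf 'sudoedit probe: %s\n' "$(sudoedit_probe)"
}
```

Run report as an ordinary user. The version check and the probe can disagree on a distribution that backported the sudo fix into an older version string; when they do, trust the probe for sudo, and for the kernel trust the vendor advisory, since there is no equivalent harmless probe for io_uring.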
Linux vulnerability trend #2: RCE and LPE as the gold standard
Just like the two vulnerabilities we just discussed, most of the Linux vulnerabilities we’ve been seeing recently are similar in exploitation or impact: they are either remote code execution (RCE) or local privilege escalation (LPE) vulnerabilities, and real intrusions usually chain the two.
An RCE vulnerability is considered the gold standard for attackers because it lets them run code of their choosing on the target (though they may have to jump through a number of hoops to get there) from a remote machine, either on the same network or over the internet.
Reported RCE vulnerabilities are way up in the last few years. The year 2021 saw 3,849 reported code execution vulnerabilities, an increase of over 12% on the previous year, keeping code execution the largest vulnerability category. Attackers likely capitalized on companies that pivoted to remote work during the COVID-19 pandemic while suffering from IT staff shortages.
Once attackers have gained access, they can essentially do what they like, up to and including holding sensitive data for ransom or sale, disrupting operations, or using the target’s systems to drive cryptomining operations.
When RCE isn’t possible, the next best thing is local privilege escalation (LPE). As mentioned, this requires code execution on the local machine, but given vectors such as social engineering, tricking users into executing malicious code themselves, that’s not as much of an obstacle as you might think. LPE is also the second half of most real intrusions: an RCE typically lands the attacker as an unprivileged service account, and an LPE is what turns that foothold into root.
Exploiting an LPE vulnerability also gives an attacker a vector to infect a local machine and then simply lurk silently until a later date. This method—taking advantage of longer dwell times and less-conspicuous malware—is occasionally used by advanced persistent threat (APT) groups, which we’ll touch on further below.
Example: PwnKit Polkit LPE CVE-2021-4034
Polkit (formerly known as PolicyKit) is an open-source toolkit for controlling system-wide privileges on Linux. It mediates between unprivileged processes and privileged ones, and includes pkexec, a setuid-root helper that lets unprivileged users run programs as other users, including root, under specific circumstances. Polkit is in widespread use across most Linux distributions.
When it is invoked, pkexec must decide whether the calling user is authorized to perform the requested action. Sometimes this involves a password prompt, and sometimes it happens invisibly in the background. This vulnerability bypasses that decision entirely: pkexec mishandles being started with an empty argument list (argc equal to 0), and the resulting out-of-bounds write lets an unprivileged local user smuggle an environment variable back into the setuid process and execute code as root, with no password prompt. (The name PwnKit is a play on “Polkit” and the gaming term “pwn,” pronounced “pown,” meaning to “own” or soundly defeat an opponent.)
If you are using a common Linux distribution, including CentOS, Ubuntu, Debian, Red Hat, Fedora, Gentoo, Mageia and others that ship polkit preinstalled, assume the system is vulnerable until polkit has been updated. The bug has been present since pkexec’s first release in 2009, so the age of the install is no reassurance.
If OS patching is impossible, a temporary mitigation is to remove the setuid bit from pkexec with the command chmod 0755 /usr/bin/pkexec. That makes the bug unusable for privilege escalation but also stops legitimate privileged use through pkexec, and the fixed package restores the bit when it is installed. It is best to follow advice specific to your distribution and upgrade as soon as possible to remediate the vulnerability itself.
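As an added example, not part of the original post or of polkit, here is a script that answers the question the workaround raises (is pkexec still setuid?), applies the chmod 0755 workaround only when needed, and lists the other setuid binaries on the host so the same question can be asked of them. The demo runs against a throwaway file rather than the real /usr/bin/pkexec.

```shell
#!/bin/sh
# Added example (not from the original post): check whether pkexec still carries
# the setuid-root bit that CVE-2021-4034 abuses, apply the interim workaround
# from the text, and audit the other setuid binaries on the host.
# Assumes GNU coreutils (stat -c). demo() uses a constructed temporary file.

# setuid_status PATH: prints "setuid", "clear" or "missing".
setuid_status() {
    if   [ ! -e "$1" ]; then printf 'missing\n'
    elif [ -u "$1" ];   then printf 'setuid\n'
    else                     printf 'clear\n'
    fi
}

# pwnkit_workaround PATH: drop the setuid bit (chmod 0755) if it is set.
# This blocks the escalation but also breaks legitimate "pkexec <cmd>" use;
# the fixed polkit package puts 4755 back when it is installed, which is the
# intended end state once the patched version is in place.
pwnkit_workaround() {
    [ "$(setuid_status "$1")" = setuid ] || return 0
    chmod 0755 "$1"
}

# list_setuid DIR...: every setuid file below DIR with owner, mode and path,
# so you can see what else on the host could serve as a PwnKit-style target.
list_setuid() {
    find "$@" -xdev -type f -perm -4000 -exec stat -c '%U %a %n' {} + 2>/dev/null
}

# demo: exercise the functions on a throwaway file instead of the real pkexec.
# Prints "setuid->clear" when the workaround behaves as described.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/pkexec" && chmod 4755 "$d/pkexec"
    before=$(setuid_status "$d/pkexec")
    pwnkit_workaround "$d/pkexec"
    after=$(setuid_status "$d/pkexec")
    rm -rf "$d"
    printf '%s\n' "$before->$after"
}
```

On a real host, run `setuid_status /usr/bin/pkexec` as any user, `pwnkit_workaround /usr/bin/pkexec` as root, and `list_setuid /usr /bin /sbin` to review what else is setuid; re-run the status check after the distribution’s polkit update lands to confirm the bit came back with the fixed binary.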
Example: Linux kernel LPE CVE-2022-25636
This vulnerability affects netfilter, the kernel’s packet-filtering framework, which every Linux firewall tool (iptables, nftables, ufw) configures under the hood. The bug is a heap out-of-bounds write in the nf_tables flow-offload code, and triggering it requires CAP_NET_ADMIN, which an unprivileged user can obtain by creating a user namespace. Exploiting it can give an attacker root, let them escape a container, or crash the system.
The CVE entry lists Linux kernel versions 5.4 through 5.6.10, but researchers have reported inconsistent results against that range; the upstream fix landed in early 2022 and was backported to the maintained stable branches, so treat any 5.4 or later kernel as affected until your distribution’s patched package is installed.
Remediation is to apply the patched kernel package from your distribution vendor immediately. If patching is impossible, temporary mitigation may be possible by disabling unprivileged user namespaces (which denies the CAP_NET_ADMIN the exploit needs) or, for containers, through a seccomp policy that blocks creating user namespaces. See the detailed instructions for these mitigations. Either way, upgrade as soon as you can.
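The two mitigations in concrete form, as an added example that is not from the original post or any vendor advisory: a probe showing whether the current user can still create a user namespace, the real sysctl knob that switches unprivileged user namespaces off, and a Docker-format seccomp profile that fails the calls a containerized process would use to enter a new user namespace. The profile format and the argument index are assumptions about deployment on x86_64 or arm64, where the clone() flags are the first syscall argument.

```shell
#!/bin/sh
# Added example (not from the original post): interim mitigations for
# CVE-2022-25636, which needs CAP_NET_ADMIN and therefore, for an
# unprivileged attacker, a fresh user namespace. Assumes Linux, util-linux
# unshare(1), and Docker's seccomp profile JSON format for seccomp_profile().

# userns_probe: "open" if an unprivileged user namespace can be created,
# "blocked" if the kernel refuses, "unknown" if unshare(1) is unavailable.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || { printf 'unknown\n'; return 0; }
    if unshare -U true 2>/dev/null; then printf 'open\n'; else printf 'blocked\n'; fi
}

# userns_sysctl_state: read the relevant knobs without needing root.
#   user.max_user_namespaces = 0         (all kernels)         -> no new userns
#   kernel.unprivileged_userns_clone = 0 (Debian/Ubuntu only)  -> root only
userns_sysctl_state() {
    m=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo '?')
    c=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo 'n/a')
    printf 'max_user_namespaces=%s unprivileged_userns_clone=%s\n' "$m" "$c"
}

# disable_userns: apply and persist the sysctl mitigation (run as root).
# Side effect: rootless containers, browser sandboxes and flatpak also stop
# working, so schedule the kernel update rather than living with this.
disable_userns() {
    sysctl -w user.max_user_namespaces=0 &&
    printf 'user.max_user_namespaces = 0\n' > /etc/sysctl.d/99-cve-2022-25636.conf
}

# seccomp_profile: minimal Docker-format profile that allows everything except
# unshare()/setns() and any clone() carrying CLONE_NEWUSER (0x10000000 =
# 268435456), which fail with EPERM. SCMP_CMP_MASKED_EQ matches when
# (arg & value) == valueTwo, i.e. when the CLONE_NEWUSER bit is set.
# Merge these two rules into a copy of the engine's default profile in
# production; on their own they drop the default profile's other protections.
seccomp_profile() {
    cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    { "names": ["unshare", "setns"], "action": "SCMP_ACT_ERRNO" },
    { "names": ["clone"], "action": "SCMP_ACT_ERRNO",
      "args": [ { "index": 0, "value": 268435456, "valueTwo": 268435456,
                  "op": "SCMP_CMP_MASKED_EQ" } ] }
  ]
}
EOF
}

# report: current state of the host, before and after applying a mitigation.
report() {
    printf 'unprivileged userns: %s (%s)\n' "$(userns_probe)" "$(userns_sysctl_state)"
}
```

Run report before and after disable_userns to confirm the probe flips from open to blocked. For containers, write seccomp_profile to a file and start workloads with `--security-opt seccomp=FILE`; a process inside that then runs `unshare -U true` should get “Operation not permitted”.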
Linux vulnerability trend #3: Linux as an APT attack vector
One final trend worth mentioning is that a number of the CVEs explored here are being used not only by individual attackers but by the larger, well-resourced groups known as advanced persistent threats (APTs).
APTs are typically state-sponsored groups of highly skilled operators who act with a great deal of focus and determination against a specific target. Back in 2016, Deloitte identified over 150 active APT groups. Today, there are many more.
APT groups share a few commonalities:
- Well-funded, sophisticated technology developed by career professionals
- More of a “business” model, not a fast buck
- Willing to wait, investigate targets, plan months or even years ahead
The characteristic patience of APT groups, waiting months or even years before striking, means their intrusions often have long dwell times. The malware may already be in your systems without you knowing.
These organizations also have, or are developing, the capability to launch larger attacks: damaging real-world infrastructure, OT, IoT and governments, disrupting society on a larger scale, and even potentially taking human life. That’s why security agencies from the United States, U.K., Australia, Canada, and New Zealand recently issued a joint warning that APT groups are increasingly targeting MSPs, a sector where Linux systems are heavily used.
It’s inevitable that Linux will be a target, no matter where you’re running those systems or who’s responsible for security. APT attacks may be fewer and farther between, but their impact is far more devastating when they strike. And this, in turn, points to the need to ensure the tightest possible security for your Linux systems.
Keeping Linux safe
In this post, we’ve covered a range of recent Linux CVEs. What all of these vulnerabilities underscore is the fact that threats against Linux are on the rise; attacks are becoming increasingly sophisticated and powerful, and professional attackers are spending more time and money than ever before on the business of creating malware.
That’s the bad news. But the good news is that there are still steps you can take to stay safe. Together, these form the core of a robust, resilient vulnerability and risk management policy:
- Implement consistent security policies, using controls such as secure web gateways (SWG), zero-trust network access (ZTNA), and multi-factor authentication (MFA).
- Perform a security audit and seal identified gaps—for example, close all unnecessary ports.
- Provide adequate training to your team to avoid cloud configuration problems, which are actually one of the leading sources of Linux cybersecurity issues.
- Adopt security solutions that improve your overall cyber maturity, managing risk and increasing resilience with processes that improve ease of recovery.
- Patch consistently using a vulnerability management platform that incorporates advanced threat intelligence and asset tracking so you know exactly what to prioritize.