The US Cybersecurity and Infrastructure Security Agency (CISA) recently added several Linux and Linux-related vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, reporting that it had evidence that seven old Linux vulnerabilities were being exploited by attackers. The newly added entries are the recent Ruckus AP remote code execution (CVE-2023-25717), Red Hat Polkit privilege escalation (CVE-2021-3560), two Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), Jenkins UI information disclosure (CVE-2015-5317), Apache Tomcat remote code execution (CVE-2016-8735), and an Oracle Java SE and JRockit issue (CVE-2016-3427).
Although the Ruckus product vulnerability was exploited by a DDoS botnet named AndoryuBot, there do not appear to be any public reports describing exploitation of the other vulnerabilities. Technical details and proof-of-concept (PoC) exploits are available, which is not surprising considering that some of them have been known for a decade. One aspect all the vulnerabilities appear to have in common is their connection to Linux, which suggests they might have been leveraged in attacks on Linux systems. NIST’s advisories for each security hole include references to advisories posted by various Linux distributions describing the impact of these flaws and the availability of patches. At least some of these issues may have been exploited in attacks targeting Android devices, since exploitation of Linux kernel vulnerabilities in Android attacks is not unheard of.
CISA also pointed out a connection between two of the vulnerabilities. The Apache Tomcat flaw exists because a component was “not updated to take account of Oracle’s fix for CVE-2016-3427”. It is unclear whether the weaknesses have been exploited by the same threat actor, or whether several of these issues have been chained or used as part of the same attack. The agency only adds a vulnerability to its catalog when it has reliable evidence of exploitation in the wild, so it is possible that it obtained the information about active exploitation of these flaws privately.
This is not the first time CISA has been the first to sound the alarm about the exploitation of a Linux vulnerability. Nearly one year ago, the agency warned that the vulnerability known as PwnKit was being exploited. The recent additions highlight that many organizations still do not have adequate protections in place despite CISA’s warnings.
Recommendations:
Updating systems promptly remains the most effective measure organizations can take to protect their infrastructure: system administrators should keep computers and devices updated and properly patched on a regular schedule.
In addition, the use of threat intelligence can help organizations stay informed about new vulnerabilities that may affect them. Continuous employee training and awareness programs are also vital to ensure that the workforce follows cybersecurity best practices. It is likewise recommended that data backups are made regularly, and that testing protocols are in place to ensure backups are viable and can be restored if needed. Overall, organizations should actively monitor and improve their cybersecurity defenses, especially since Linux-based systems account for a significant portion of corporate computing infrastructure.
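The threat-intelligence and patching advice above can be made concrete by cross-referencing a vulnerability scanner's findings against the KEV catalog, so that known-exploited CVEs are patched ahead of the rest. The following is an added example and not code from the article or from CISA. The JSON layout mirrors the field names of CISA's public KEV feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`), but the catalog excerpt, the due dates, the host names and the scanner output are all constructed for this example; the CVE IDs are the seven named in the article, and the `CVE-2099-*` identifiers are placeholders.

```python
"""Prioritize scanner findings by whether they appear in the CISA KEV catalog.

Added example, not from the article. The catalog excerpt below follows the
field names of the real KEV JSON feed, but its entries and dates are
constructed; the scanner output and host names are constructed as well.
"""
import json
from datetime import date

# Constructed KEV-style excerpt. Field names match the public feed; the CVE IDs are
# the ones the article lists; dateAdded/dueDate values are made up for this example.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-25717", "vendorProject": "Ruckus", "product": "Wireless Admin",
         "dateAdded": "2023-05-12", "dueDate": "2023-06-02",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-3560", "vendorProject": "Red Hat", "product": "Polkit",
         "dateAdded": "2023-05-12", "dueDate": "2023-06-02",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2014-0196", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2023-05-12", "dueDate": "2023-06-09",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2010-3904", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2023-05-12", "dueDate": "2023-06-09",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2015-5317", "vendorProject": "Jenkins", "product": "Jenkins UI",
         "dateAdded": "2023-05-12", "dueDate": "2023-06-16",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2016-8735", "vendorProject": "Apache", "product": "Tomcat",
         "dateAdded": "2023-05-12", "dueDate": "2023-06-16",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2016-3427", "vendorProject": "Oracle", "product": "Java SE",
         "dateAdded": "2023-05-12", "dueDate": "2023-06-16",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: host name -> CVEs reported as unpatched on that host.
# CVE-2099-* are placeholder IDs that are deliberately absent from the catalog.
SCAN_FINDINGS = {
    "web-01": ["CVE-2016-8735", "CVE-2099-0001"],
    "build-02": ["CVE-2015-5317", "CVE-2021-3560"],
    "ap-lobby": ["CVE-2023-25717"],
    "db-01": ["CVE-2099-0002"],
}


def load_kev(json_text):
    """Index a KEV-format JSON document by CVE ID."""
    doc = json.loads(json_text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def prioritize(findings, kev, today_iso):
    """Return the scanner findings that appear in KEV, most urgent first.

    Each item is (host, cveID, "vendor product", dueDate, days_until_due).
    A negative days_until_due means the catalog's remediation due date has
    already passed. Findings not in KEV are known-vulnerable but not
    known-exploited, so they are left for the normal patch cycle.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            label = f'{entry["vendorProject"]} {entry["product"]}'
            hits.append((host, cve, label, entry["dueDate"], (due - today).days))
    # Earliest (or most overdue) due date first; host and CVE break ties deterministically.
    hits.sort(key=lambda h: (h[4], h[0], h[1]))
    return hits


def overdue_hosts(findings, kev, today_iso):
    """Hosts that still carry a KEV entry whose due date has passed."""
    return sorted({h[0] for h in prioritize(findings, kev, today_iso) if h[4] < 0})


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for host, cve, label, due, days in prioritize(SCAN_FINDINGS, catalog, "2023-06-05"):
        state = f"OVERDUE by {-days} days" if days < 0 else f"due in {days} days"
        print(f"{host:10} {cve:15} {label:25} {due} {state}")
    print("overdue hosts:", overdue_hosts(SCAN_FINDINGS, catalog, "2023-06-05"))
```

In practice the `KEV_SAMPLE` string would be replaced by the downloaded feed and `SCAN_FINDINGS` by the scanner's export; the matching logic stays the same, and the sorted list gives the patch queue that the recommendation above calls for.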