Find Unpatched Libraries In Memory With UChecker by KernelCare

To help administrators manage hundreds of servers with open-source libraries, KernelCare released UChecker – a scanner that checks network Linux servers and detects out-of-date libraries both on disk and in memory. KernelCare’s open-source scanner will find false negatives by correctly reporting vulnerable libraries running in memory that could be reported as updated by other scanners.

The UChecker (originated from “userspace checker”) works with all modern Linux Distributions, it is free and open-source, distributed under the GNU General Public License.

You can scan your systems by running a single command:

curl -s -L https://kernelcare.com/uchecker | python

After running this command, administrators receive a list of unpatched libraries with the following information:

• Process ID
• Process Name

This activity diagram shows how UChecker works:

Visit the UChecker Github page to learn more and watch the demonstration of how Uchecker works:

Shared libraries and dependencies assist with rapid development and convenience, but for every open-source shared library added to a server, a new risk is introduced. Relying on third-party libraries has its advantages, but the library developer must also keep their code patched to prevent exploits. Installing patches is the responsibility of the server administrator, and some administrators simply install patches and reboot all servers to ensure that they have the latest patches without the need to patch them individually based on out-of-date library scans.

Rebooting critical servers indiscriminately brings with it some revenue-impacting risks:

• Server downtime: The process of rebooting servers and resyncing services can take up to 15 minutes or more, which means services are unavailable to customers and employees. Many large enterprises have no tolerance for downtime. Even with a farm of servers behind a load balancer, taking too many servers out of rotation means risk of overloading available servers and causing performance degradation.
• Window of vulnerability: Because rebooting is such a risky and laborious responsibility, many administrators schedule reboots for specific dates. By delaying patches, a window of vulnerability is introduced where attackers with exploits ready for execution can take advantage of the delay. Risk is exponentially increased when security patches are released with exploit code.

One option is to patch servers manually and avoid a reboot, but library executable code can persist in memory even when it’s updated on disk. Typical vulnerability scanners don’t detect unpatched software when it’s updated on disk but not in memory.

Shared libraries are a widely targeted attack surface. Research suggests that OpenSSL is the most targeted software in the world, accounting for 19% of hostile activity globally. Organizations in all industries must ensure that they are promptly mitigating vulnerabilities to prevent exploitation. For OpenSSL and GNU C (glibc) vulnerabilities, this includes timely updates and patch management.

Together with KernelCare’s live patching service, organizations can more rapidly keep Linux servers patched with the latest security update keeping servers protected from exploits, data breaches, and compliance issues.