Tag: cve

Thought Spectre is history? It’s still alive, and kicking

Cyber threats come and go, but some threats leave a lasting imprint due to their impact. Think of Spectre and the closely related Meltdown, for example, two of the most widely covered vulnerabilities in recent memory.

It is of course frustrating when a cyber threat simply refuses to go away, and even worse when it is a highly prominent vulnerability. That is turning out to be the case with Spectre, one of the most dangerous vulnerability classes of recent times. While patched systems are protected against the known Spectre variants, the nature of the mitigations and their impact on performance mean that a large number of systems have still not been patched.

Understanding the new AF_VSOCK Linux kernel vulnerability

The discovery of a new Linux kernel vulnerability is not a major surprise in its own right; it happens all the time. However, it sometimes appears that whenever a security researcher goes looking, they find a new, serious vulnerability in the Linux kernel, and that it happens just too often for comfort.

This February, a new vulnerability was reported in a relatively obscure corner of the Linux kernel: the AF_VSOCK address family, the socket interface that carries traffic between a virtual machine host and its guests. Though only just discovered, it has already been assigned CVE-2021-26708.

In this article we outline the vulnerability, explain how it emerged, and point to the potential risks the new vulnerability holds.

Patches for CVE-2021-26708 are being delivered

A new week, a new vulnerability announced. This time, it affects kernels from version 5.5-rc1 (November 2019) up to, but not including, 5.10.13 (February 2021), the release that carries the fix.


This vulnerability is an improperly handled race condition in the AF_VSOCK implementation. The facility is reachable by unprivileged users, since creating an AF_VSOCK socket needs no special capability, and it is shipped as a kernel module in all major distributions; because the module is loaded on demand when such a socket is created, a host is exposed even if vsock is not loaded at boot.
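The following is an added example, not KernelCare's code, of the check a practitioner would run on a fleet: it compares a kernel release string against the upstream range given above (affected from 5.5-rc1, fixed in 5.10.13) and lists any vsock-related modules already loaded, using /proc/modules. The version parser, the module-name prefixes (vsock, vmw_vsock_*, vsock_*, hv_sock) and the sample /proc/modules lines are assumptions constructed for the example; the ordering of release candidates before final releases is the only subtlety.

```python
"""Kernel-version range check for CVE-2021-26708 (AF_VSOCK race).

Added example, not KernelCare's code. It uses the range the post gives
(affected from 5.5-rc1, fixed in 5.10.13). Caveat: distribution kernels
backport fixes without bumping the upstream version, so a hit here means
"check the distro advisory", not "confirmed vulnerable".
"""
import platform
import re

# Leading "major.minor[.patch][-rcN]" of a kernel release string; the distro
# suffix in e.g. "5.8.0-44-generic" is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(text):
    """Return a sortable tuple (major, minor, patch, rc_key).

    rc_key orders release candidates before the final release of the same
    version: 5.5-rc1 -> (0, 1) sorts below 5.5 -> (1, 0).
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    major, minor, patch, rc = m.groups()
    rc_key = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(patch or 0), rc_key)


FIRST_AFFECTED = parse_kernel_version("5.5-rc1")
FIRST_FIXED = parse_kernel_version("5.10.13")


def in_affected_range(version, first_affected=FIRST_AFFECTED, first_fixed=FIRST_FIXED):
    """True when first_affected <= version < first_fixed by upstream numbering."""
    return first_affected <= parse_kernel_version(version) < first_fixed


def loaded_vsock_modules(proc_modules_text):
    """Names of vsock-related modules found in /proc/modules text.

    Each /proc/modules line starts with the module name. The prefixes below
    (vsock, vmw_vsock_*, vsock_*, hv_sock) are an assumption for this example.
    """
    names = []
    for line in proc_modules_text.splitlines():
        name = line.split(" ", 1)[0]
        if name in ("vsock", "hv_sock") or name.startswith(("vmw_vsock_", "vsock_")):
            names.append(name)
    return names


def assess_host():
    """Assess the running machine: upstream range hit plus loaded vsock modules."""
    release = platform.release()
    try:
        range_hit = in_affected_range(release)
    except ValueError:  # non-Linux release strings such as "10"
        range_hit = None
    try:
        with open("/proc/modules") as f:
            modules = loaded_vsock_modules(f.read())
    except OSError:  # not Linux, or /proc not mounted
        modules = []
    return {
        "release": release,
        "upstream_range_hit": range_hit,
        "vsock_modules_loaded": modules,
    }


# Constructed sample of /proc/modules lines (not captured from a real host).
SAMPLE_PROC_MODULES = (
    "vsock_loopback 16384 0 - Live 0x0000000000000000\n"
    "vmw_vsock_virtio_transport_common 36864 1 vsock_loopback, Live 0x0000000000000000\n"
    "vsock 45056 2 vmw_vsock_virtio_transport_common,vsock_loopback, Live 0x0000000000000000\n"
    "xfs 1515520 1 - Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    print(assess_host())
    print(loaded_vsock_modules(SAMPLE_PROC_MODULES))
```

Run it as-is to see the verdict for the local kernel; an empty module list on a version inside the range is not reassurance, since the module loads the moment any local user opens an AF_VSOCK socket.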

Patches for CVE-2021-3347 are being delivered

Very recently, a new Linux kernel vulnerability was announced. It has been assigned CVE-2021-3347 and is (yet another) futex-related vulnerability.

KernelCare Patches for Cross-layer Attack Have Been Released

A new vulnerability (CVE-2020-16166) in the Linux kernel's pseudo-random number generator (PRNG), as used by the network stack, was found by Amit Klein, vice president of security research at SafeBreach and a security researcher at Israel's Bar-Ilan University.

The vulnerability opens the door to Cross-Layer Attacks, a new attack technique that raises the risk of DNS cache poisoning and can enable the unauthorized identification and tracking of Linux and Android devices.

KernelCare patches for Debian 10, Debian 8, Oracle Linux UEK 5 and 6, Ubuntu 18.04, 20.04 are already available. Patches for RHEL 8 & Oracle Linux UEK 4 will be released early next week.

KernelCare+ Patches For CVE-2020-1971 Are Here

Big news from the OpenSSL team: they have issued a fix for CVE-2020-1971, a NULL pointer dereference in the comparison of X.509v3 GeneralName fields (the EDIPARTYNAME type) that can crash a server processing a crafted certificate or CRL. The good news is that it cannot result in data theft; it is a denial of service. It can, however, take down your servers and paralyse the company's operations. OpenSSL 1.1.1 and 1.0.2 are affected by this issue. Other OpenSSL releases are out of support, have not been checked and in all probability will not be addressed by the vendor.

Right now, the KernelCare team is doing the delicate work of porting the vendor's 1.1.1 patches to 1.1.0 and enriching them with live patching. Rebootless patches for both supported and unsupported OpenSSL versions will be delivered within 24 hours for CentOS 6 and 7, with patches for the remaining supported distributions released later this week.

KernelCare Patches for SAD DNS Are Here

SAD DNS (Side-channel AttackeD DNS) is a vulnerability disclosed by academics from the University of California and Tsinghua University at the ACM Conference on Computer and Communications Security (CCS 2020). It was assigned CVE-2020-25705. It affects distributions from the 7th generation onward (RHEL 7 and later); RHEL 6 is not affected, because its kernel does not yet include the global ICMP rate limiting whose shared counter provides the side channel. KernelCare patches will be released shortly. The attack lets a malicious actor poison a DNS resolver's cache and thus potentially redirect user traffic to sites or services hosting undesired or dangerous content.

Mitigate PLATYPUS Attack Without A Reboot

On November 10, 2020, a team of academic researchers disclosed a side channel in Intel CPUs that allowed them to extract sensitive information from the processor, including encryption keys. The researchers named the attack PLATYPUS (Power Leakage Attacks: Targeting Your Protected User Secrets), after the platypus's ability to sense electrical currents with its bill. By reading the Running Average Power Limit (RAPL) interface, which reports the CPU's power consumption to software, they could infer the data being processed. No exploitation in the wild has been reported, but Intel released a microcode update that should be applied to any servers and devices using affected processors. Unlike ZombieLoad or Spectre and Meltdown, this does not call for broad kernel mitigations; the kernel-side change is limited to restricting unprivileged access to the RAPL energy counters exposed through the powercap sysfs interface, and that is the part that can be applied without a reboot.

Rebootless Patches for 'BleedingTooth' are on the Way

Google security researchers recently found a flaw in the way the Linux kernel's Bluetooth implementation handled L2CAP packets with the A2MP CID. A remote attacker within Bluetooth range could use this flaw to crash a targeted system, causing a denial of service, or potentially execute arbitrary code on it by sending a specially crafted L2CAP packet. All Linux distributions are affected, but the flaw is only reachable on machines with a Bluetooth adapter enabled, so hosts without Bluetooth hardware, or with it switched off, are not exposed.

Linux Kernel Vulnerabilities to Know (and Mitigate Without Reboot)

With the Linux open-source community, you have the power of many developers adding to the codebase and improving features and performance. The downside is that attackers also have access to the source code, and any vulnerabilities they find can be used against Linux-based devices, including critical servers. Known vulnerabilities are published in NIST's National Vulnerability Database (NVD), where vendors, developers and users can see which software versions an issue affects. A Common Vulnerabilities and Exposures (CVE) entry is your cue to patch the affected software, the Linux kernel included. Note: not every Linux kernel fix gets a CVE, so also follow the stable release announcements on kernel.org.