Keeping systems up-to-date with the latest vulnerability patches is crucial for organizational security. New vulnerabilities are frequently discovered, increasing exposure to attacks. However, regarding a system’s main component—the kernel—such updates typically require a complete system reboot, which can reduce server uptime and potentially affect service quality. Additionally, in a kernel update provided by the vendor, there are often other modifications beyond vulnerability patches, which can alter system behavior unexpectedly. Fortunately, there is a technique for patching kernel vulnerabilities that avoids these negative impacts.
Linux Livepatch is the solution. This feature allows you to apply security updates and critical patches without rebooting or interrupting services. This makes your systems more secure and highly available 24/7, reducing risks and maximizing productivity. It also enables patching vulnerabilities unknown to the public and vendors, like vulnerabilities discovered by our research team. Next, we will provide further details to help you understand this solution.
Why update the kernel?
The kernel is the system’s core and provides abstractions that allow applications to use hardware correctly and securely. Therefore, if a vulnerability exists in the kernel, it can be exploited to compromise the entire system.
In shared-kernel environments, such as containers (Docker) or virtualization hosts, a kernel vulnerability can jeopardize the security of every user of the server: containers share the host kernel, so a privilege escalation inside one container can reach the host and every other container on it. Proper kernel maintenance is essential to reduce the attack surface and lower the chances of a compromise.
Difficulties in keeping the kernel up to date
Even though organizations clearly understand the need to constantly update the kernel with necessary security patches, some obstacles prevent them from performing this task.
The main challenge is that updating the kernel requires a system reboot, and frequent reboots are not always possible. Another important issue is that a kernel update carries a real risk that the system will not behave as expected afterward: regressions are common, and they are often in the kernel itself rather than in the fix that was actually needed. The kernel livepatch feature addresses both issues.
What is livepatch?
Kernel Livepatch (KLP) is a mechanism built into the kernel that lets system administrators and developers replace the implementation of individual kernel functions at runtime, without a reboot or a full kernel update. It is built on ftrace: calls to the original function are redirected, at function entry, to a replacement function supplied by a patch module.
This feature allows vulnerability fixes to be applied without affecting service availability, overcoming the barriers that typically hinder such tasks. Using it requires kernel-level knowledge, since the fix is written as a kernel module that carries the replacement functions and declares which original functions they replace. It also allows vulnerabilities to be patched independently of the vendor, which is especially useful when a known vulnerability has yet to be fixed upstream: organizations can close the hole before the vendor's release. We specialize in this approach.
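The operational side of applying a patch module is easy to get wrong: once the module is loaded, the kernel still has to migrate every task off the old function, and until that transition finishes some tasks are still executing the vulnerable code. The following shell script is an added example, not code from the original post, showing how to load a patch module and verify through the kernel's sysfs livepatch interface that the fix is fully in effect before re-testing. The module name `livepatch_fix.ko` is hypothetical; everything the script reads under `/sys/kernel/livepatch` and `/proc/sys/kernel/tainted` is the standard interface the kernel exposes for livepatch.

```shell
#!/bin/sh
# Added example (not from the original post): apply a kernel livepatch module
# and confirm that the kernel finished switching to the patched functions.
# Assumption: the patch module was built against the running kernel and is
# named livepatch_fix.ko (hypothetical). Its state is exposed under
# /sys/kernel/livepatch/<module name>/.

# Root of the livepatch sysfs tree; overridable so the checks below can be
# exercised against a constructed directory without a patched kernel.
KLP_SYSFS="${KLP_SYSFS:-/sys/kernel/livepatch}"

# Print "enabled", "disabled" or "absent" for a patch.
klp_state() {
    dir="$KLP_SYSFS/$1"
    if [ ! -d "$dir" ]; then
        echo absent
    elif [ "$(cat "$dir/enabled")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Return 0 once <patch>/transition reads 0, i.e. every task has switched to
# the new code; return 1 after <timeout> seconds. A patch that is enabled but
# still in transition has not closed the exploit window yet.
klp_wait_transition() {
    dir="$KLP_SYSFS/$1"
    timeout="${2:-30}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        [ "$(cat "$dir/transition" 2>/dev/null)" = "0" ] && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# List "<object> <function>" pairs the patch replaces. sysfs names them
# <patch>/<object>/<function,sympos>; the object is "vmlinux" for core kernel
# functions or a module name for functions in that module.
klp_patched_functions() {
    dir="$KLP_SYSFS/$1"
    for obj in "$dir"/*/; do
        obj=${obj%/}
        [ -d "$obj" ] || continue
        for fn in "$obj"/*/; do
            fn=${fn%/}
            [ -d "$fn" ] || continue
            echo "$(basename "$obj") $(basename "$fn" | cut -d, -f1)"
        done
    done
}

# TAINT_LIVEPATCH is bit 15 of the kernel taint mask. Seeing it set after
# loading a patch is expected and should not be mistaken for a crash or an
# out-of-tree driver problem. Accepts the mask as $1 for testing.
klp_tainted() {
    t="${1:-$(cat /proc/sys/kernel/tainted)}"
    [ $(( t & (1 << 15) )) -ne 0 ]
}

# Full procedure, run as root: load the module, wait for the transition,
# report the final state. Not executed by the checks below.
klp_apply() {
    insmod "$1" || return 1
    # The kernel turns '-' into '_' in module names; sysfs uses the module name.
    name=$(basename "$1" .ko | tr - _)
    if ! klp_wait_transition "$name" 60; then
        echo "livepatch $name: transition did not complete" >&2
        return 1
    fi
    klp_state "$name"
    klp_patched_functions "$name"
}
```

Only after `klp_wait_transition` reports success is it meaningful to re-run a proof-of-concept exploit against the system; an "enabled" patch that is still in transition can leave a task on the old code path. To back the patch out, write `0` to the same `enabled` file and wait for the reverse transition in the same way.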
Count on us
Our research team’s primary area of expertise is the kernel. We conduct vulnerability research, identifying and exploring issues known and unknown to the public and system vendors. Through our consulting services, we offer our expertise to help keep your Linux systems secure against advanced threats.
Count on Allele Security Intelligence to assist your organization in enhancing system security. Below, we demonstrate in videos the exploit for CVE-2024-1086 on a vulnerable Ubuntu 22.04 system and present the vulnerability fix on the same system using a live patch.
After applying the fix via livepatch, we demonstrate that the exploit no longer works, securing the system without needing a full kernel update.
The vulnerability demonstrated in the video, CVE-2024-1086, is a use-after-free in the Linux kernel's netfilter nf_tables subsystem, disclosed in early 2024, that allows a local user to escalate privileges to root and fully compromise the system. It affected multiple distributions, and a reliable exploit is publicly available, making it easy for less experienced threat actors to use. Our services provide the level of protection needed against such attacks. We also offer protection for legacy systems that vendors no longer support.
Livepatch limitations
As valuable as the kernel livepatching technique is, it still has limitations. Because it redirects calls at function entry, it cannot patch every kernel function: a function that the compiler has inlined into its callers, or that was compiled without an ftrace hook, has no entry point to redirect and cannot be patched directly, so the patch must target the callers instead. Other limitations arise when the fix changes a function's signature or modifies the layout of a data structure, since existing callers and already-allocated objects still use the old form. Even so, many vulnerabilities can be fixed via live patches.
Additionally, depending on the vulnerability to be fixed, creating a live patch module can be a complex task. In these cases, it is crucial that this activity is performed by individuals with advanced kernel expertise to ensure system security and correct functionality.
Conclusion
The kernel livepatch feature, offered through our consulting service, is ideal for clients who must keep systems protected against advanced threat actors. With our exclusive expertise, we also provide Linux server hardening services. Request a free assessment of your systems and discover the improvements you can make to reduce the attack surface and minimize the risk of compromise by threat actors.
