Thursday 6th April 2023
BLOG: Patching The Reserved – Highly Exploitable Kernel Bugs in Purgatory
Written by Femke Bolle & Alex Ashby
The CVE release and NVD CVSS severity scoring processes have well-established latency issues, with CVEs sometimes taking months to be published and scored. This presents a significant threat to any vulnerability management strategy reliant on the NVD and MITRE.
To demonstrate, we review a number of recent kernel vulnerabilities in various Linux distributions and Mac OS which have a high (>94%) CVE Wild Prediction (CWP) score. CWP is a machine learning project that combines numerous strands of evidence about whether a CVE is likely to be exploited by malicious actors and provides a probability of exploit.
Why are kernel vulnerabilities interesting?
The Linux kernel is the core component of the operating system, and any vulnerabilities in the kernel could allow an attacker to gain elevated privileges. For example, a buffer overflow in a kernel module could allow an attacker to execute arbitrary code with root privileges.
A privilege escalation vulnerability is a security weakness that allows an attacker to gain higher privileges on a system than they are authorised to have. In Linux, a user with the correct permissions can use the built-in sudo command to execute commands with elevated privileges; these vulnerabilities allow an attacker to achieve a similar outcome without that authorisation.
Privilege escalation is typically used after initial exploitation, for example via a vulnerability in an external web service running at a lower privilege level, or following execution of malicious code delivered by phishing or via a malicious web page.
Once execution is carried out, the attacker may use escalation of privilege to gain root access to carry out their ultimate objectives: installing further software, exfiltrating data or running ransomware code.
On the 5th of April 2023 we pulled the following data:
The CWP for all these is >94%, reflecting a very high probability of exploit (99th percentile amongst all extant CVEs).
NVD and MITRE: The Waiting Game
CVE-2022-2588, CVE-2022-2602 and CVE-2022-3328 are all listed on the MITRE site as reserved but undescribed. MITRE allow CVE Numbering Authorities (CNAs) to reserve blocks of CVEs, which are subsequently assigned to specific software vulnerabilities throughout the year. For example:
Screenshot from cve.mitre.org taken on 2023-04-05
Consequently, the NVD hasn't assigned a Common Vulnerability Scoring System (CVSS) score. The CVSS score from NVD is the most frequently used severity score in patch prioritisation systems and vulnerability management products. It is also used by a number of probability-of-exploit models. In cases where MITRE fails to release the vulnerability from the reserved state, the NVD also fails to assign a CVSS score, and a number of models simply fail to assign either a probability of exploit or a severity score.
Linux kernel vulnerabilities impact a very large number of distros and products, so the number of vendors who need to patch is huge. This seems to make the timely release of the CVE from the MITRE 'Reserved' state dependent on the slowest patch or notification, leading to huge delays even when proactive vendors such as Red Hat and Ubuntu patch rapidly.
Another way in which vulnerabilities can end up without an NVD-assigned CVSS score is if there is some appeal or review (often from the vendor). These reviews can further delay the release, leaving NVD-dependent patch prioritisation models again awaiting CVSS scores that are dangerously slow.
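The failure mode described above (a prioritiser that waits for an NVD CVSS score silently drops every CVE still in the reserved state) is easy to reproduce in code. The following is an added illustration written for this post, not the authors' tooling or any vendor's product. The feed is constructed: the CVE ids are the ones discussed in this post, but the CVSS values, vendor severities and exploit probabilities attached to them are made-up sample data, and the `CVE-PLACEHOLDER-1` entry is a placeholder. It contrasts a CVSS-only queue with one that falls back to vendor severity and an exploit-probability signal while NVD is still silent, and reports which entries had to be triaged without a CVSS score.

```python
"""Triage demo: how a CVSS-only prioritiser loses RESERVED CVEs.

Added example, not the blog authors' code. All scores below are
constructed sample values; only the CVE ids come from the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CveRecord:
    cve_id: str
    mitre_state: str                      # "RESERVED" or "PUBLISHED"
    nvd_cvss: Optional[float]             # None while NVD has not scored it
    vendor_severity: Optional[str]        # e.g. from a distro advisory
    exploit_probability: Optional[float]  # CWP-style 0..1 score (constructed)


# Constructed feed: ids from the post, every score is illustrative.
SAMPLE_FEED = [
    CveRecord("CVE-2022-2588", "RESERVED", None, "high", 0.95),
    CveRecord("CVE-2022-2602", "RESERVED", None, "high", 0.96),
    CveRecord("CVE-2022-3328", "RESERVED", None, "medium", 0.95),
    CveRecord("CVE-2023-0179", "PUBLISHED", 7.8, "high", 0.97),
    CveRecord("CVE-PLACEHOLDER-1", "PUBLISHED", 4.3, "low", 0.02),
]

CVSS_PATCH_THRESHOLD = 7.0

# Provisional score used while NVD has not published a CVSS (assumption).
SEVERITY_FALLBACK = {"critical": 9.0, "high": 7.5, "medium": 5.0, "low": 2.0}


def cvss_only_queue(feed: List[CveRecord]) -> List[str]:
    """Naive prioritiser: keeps only entries with an NVD CVSS >= threshold.

    Anything unscored (i.e. every RESERVED CVE) is dropped, which is exactly
    the blind spot the post describes.
    """
    scored = [r for r in feed
              if r.nvd_cvss is not None and r.nvd_cvss >= CVSS_PATCH_THRESHOLD]
    scored.sort(key=lambda r: r.nvd_cvss, reverse=True)
    return [r.cve_id for r in scored]


def resilient_queue(feed: List[CveRecord],
                    prob_threshold: float = 0.90) -> Tuple[List[str], List[str]]:
    """Prioritiser that does not wait for NVD.

    Uses the NVD CVSS when present, otherwise a provisional score derived
    from vendor severity, and always queues anything whose exploit
    probability crosses prob_threshold. Returns (patch queue, ids that
    were triaged without an NVD score) so the gap is visible, not silent.
    """
    queue = []
    unscored = []
    for r in feed:
        score = r.nvd_cvss
        if score is None:
            unscored.append(r.cve_id)
            score = SEVERITY_FALLBACK.get((r.vendor_severity or "").lower(), 0.0)
        prob = r.exploit_probability or 0.0
        if prob >= prob_threshold or score >= CVSS_PATCH_THRESHOLD:
            queue.append((r.cve_id, prob, score))
    # Order by exploit probability first, then by (possibly provisional) score.
    queue.sort(key=lambda t: (t[1], t[2]), reverse=True)
    return [cid for cid, _, _ in queue], unscored


def missed_by_cvss_only(feed: List[CveRecord]) -> List[str]:
    """Entries the resilient queue would patch that the CVSS-only queue never sees."""
    robust, _ = resilient_queue(feed)
    naive = set(cvss_only_queue(feed))
    return [cid for cid in robust if cid not in naive]


if __name__ == "__main__":
    print("CVSS-only queue:", cvss_only_queue(SAMPLE_FEED))
    queue, unscored = resilient_queue(SAMPLE_FEED)
    print("Resilient queue:", queue)
    print("Triaged without NVD CVSS:", unscored)
    print("Missed by CVSS-only:", missed_by_cvss_only(SAMPLE_FEED))
```

The point of returning `unscored` separately is that a vulnerability management pipeline should surface the CVEs it had to score provisionally, so an analyst can see how much of the patch queue is resting on vendor advisories and exploit signals rather than on a published CVSS score.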
Screenshot from nvd.nist.gov/vuln/detail/CVE-2023-0179 on 2023-04-05
Zooming in on CVE-2023-0179
CVE-2023-0179 is a vulnerability in the Netfilter subsystem of the Linux kernel. Netfilter performs packet filtering, network address translation and port translation, which are needed for directing packets through a network and, critically, are relied upon by security tooling to stop packets reaching protected or denied locations within a network. It is a fundamental component of many Linux security tools, so an attacker would know that a malicious packet was going to be processed by the Netfilter subsystem wherever it was in use.
Here’s how the CVE was tracked within our system:
Given the risks, well-captured by a CWP of 97%, a system owner should be urgently patching, but the NVD/MITRE delayed publishing by 73 days.
You can read the PoC and vulnerability description here:
Working faster and smarter
The CWP doesn't rely upon NVD or MITRE release, and starts scoring vulnerabilities as soon as a vendor or MITRE declares them, often providing scores within minutes of release. This speed is critical to aid patching, especially for out-of-band vulnerabilities, which many Linux kernel vulnerabilities are.
In addition to its speed, the CWP model ranks CVEs that are later confirmed as exploited above non-exploited CVEs 94% of the time one month before exploitation is confirmed, and 91% of the time six months before.
Patching the top 5% of extant CVEs captures 85% of the CVEs that will be confirmed as exploited in the next 30 days.
The CWP provides world-class speed, completeness and predictive accuracy as a vulnerability management model, allowing organisations to patch the most serious risks rather than needlessly wasting valuable time on low-risk vulnerabilities.