Most systems have a super-user, such as “root” or “administrator”, which is permitted to bypass access controls, disable security features, and interact directly with system hardware. Administrator-level access is generally restricted by the operating system kernel, as well as by authentication mechanisms for the root user. As a result, many systems developers are led to believe that they only need to prevent users or attackers from gaining “root”-level access on the system in order to be secure. Unfortunately, this approach has repeatedly been proven insufficient in real-world systems, most recently by the Mirai IoT botnet malware and the 9-year-old kernel vulnerability CVE-2016-5195.
As was demonstrated in the October 21st, 2016 IoT-based botnet attacks against the Internet infrastructure, many systems or devices are deployed with default or easily-guessable root or administrator passwords – enabling attackers to have easy, unfettered access to the system. Once a user (or attacker) has leveraged the vulnerability or passwords in order to elevate their privileges to root, they have full capabilities to inspect, copy, modify, and remove protected data, system configurations, and sensitive applications. Additionally, they can disable system protection mechanisms and install additional applications or services – malware which could be used to join a device to a botnet, attack other systems, or simply be used as a beachhead into additional systems.
In addition to weak administrator controls, vulnerabilities in the Linux kernel enable individuals or attackers with only limited system access to elevate their privileges and gain unauthorized root-level access to the system. The vulnerability behind the recent CVE-2016-5195 privilege escalation exploit remained dormant in the kernel for more than 9 years, and allows any user to become root. Initial access to the system can be obtained both locally and remotely, including: direct shell access as a non-privileged user, subversion of existing software applications to alter their control flow, or simply interaction with public services exposed by the system.
Star Lab’s LURE Linux hardening product is unique among security solutions in that it assumes an attacker already has root-level access, and continues to enforce comprehensive protection of sensitive applications, configurations, and data. LURE deprivileges even the root user, and enforces file and process access control policies – even if an attacker has executed a privilege escalation exploit in order to achieve administrator-level access. Furthermore, LURE prevents all system users from unauthorized inspection, modification, copying, or manipulation of protected applications and data. Finally, LURE blocks unauthorized attempts to interact with select system hardware, such as raw access to flash devices, thereby removing attack vectors that could be used to introduce malware or bypass system protections. LURE offers a much-needed ability to protect systems even from root-level attackers, and is clearly superior to the access-control solutions being employed today.
The following video demo shows LURE’s ability to protect systems from root-access and privilege escalation vulnerabilities such as CVE-2016-5195.
Contact Star Lab today for a hands-on demo of LURE, and find out how LURE can be used to protect your Linux-based systems and devices from privilege escalation vulnerabilities, and administrator-level attacks.