Crypto Mining Has Roused Cybercriminal Interest in Breaking Linux: Trend Micro Report

essidsolutions

Do you run Linux at work? Then take note of the vulnerabilities Trend Micro found being exploited on the operating system that underpins most web servers, cloud environments and IoT deployments. Enterprise clouds running older Linux distributions are also being targeted for their compute resources, which attackers put to work mining cryptocurrency.

Linux systems are known for reliable process management, efficiency, uptime and, above all, security. But distributions have a shelf life: as a release ages and falls out of support, it stops receiving the patches that present-day security requirements demand.

At least that’s what Trend Micro notes in their Linux Threat Report for H1 2021.

None of this means Linux, an operating system that runs on all of the top 500 supercomputers, 50.5% of the top 1,000 global websites, 96.3% of the top one million web servers and 90% of public cloud workloads, is inherently insecure.

At the same time, it is not impervious to modern threats either. Using the Censys search engine, Trend Micro found 14 million Linux-based devices connected to the internet and reachable on port 22, the port used for Secure Shell (SSH). Data from Shodan is even more concerning: 19 million devices with this port exposed.

An exposed port 22 is an open invitation for malicious activity, most obviously botnet-driven brute-force attacks against SSH logins. Notably, most of the exposed Linux systems (over 5.2 million of the 19 million in the Shodan data) run Ubuntu, a distribution popular with beginners for its ease of use, stability and large package repository.
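The brute-force traffic that an exposed SSH port attracts shows up in sshd's authentication log as runs of "Failed password" lines from one source, and the line that matters is the "Accepted password" that sometimes follows. The detector below is an added example written for this page, not code from Trend Micro or the report; the log lines are constructed, the year is assumed (syslog omits it) and the threshold of five failures in sixty seconds is an arbitrary starting point to tune per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH log lines in traditional syslog format (no year), not taken
# from a real host. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jun 12 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 12 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jun 12 10:00:03 web1 sshd[2105]: Failed password for invalid user ubuntu from 203.0.113.5 port 51238 ssh2
Jun 12 10:00:04 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun 12 10:00:05 web1 sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2
Jun 12 10:00:06 web1 sshd[2111]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jun 12 10:00:07 web1 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 12 10:00:30 web1 sshd[2113]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:k3y
Jun 12 10:00:40 web1 sshd[2119]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Jun 12 10:05:00 web1 sshd[2115]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jun 12 11:30:00 web1 sshd[2117]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2021):
    """Return (timestamp, event, user, ip) for an sshd auth line, else None.

    Syslog omits the year, so it is assumed (2021, the report period)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed passwords inside a sliding window,
    plus any password login that later succeeds from a flagged source."""
    recent_failures = defaultdict(list)   # ip -> failure timestamps inside the window
    flagged = {}                          # ip -> time it crossed the threshold
    logins_after_bruteforce = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not an sshd authentication event
        ts, event, user, ip = parsed
        if event == "Failed password":
            window = recent_failures[ip]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)             # age out attempts older than the window
            if len(window) >= threshold and ip not in flagged:
                flagged[ip] = ts
        elif event == "Accepted password" and ip in flagged:
            # A password success from a source that was just guessing is the
            # signal that matters most: one of the guesses probably worked.
            logins_after_bruteforce.append((ip, user, ts))
    return {"brute_force_sources": flagged,
            "logins_after_brute_force": logins_after_bruteforce}


if __name__ == "__main__":
    for key, value in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(key, value)
```

In the sample, 203.0.113.5 is flagged at its fifth failure and its later password login for root is reported; 192.0.2.9, with two failures 85 minutes apart, is not. Key-based logins are parsed but never count against a source, which is the point of moving SSH to keys and setting PasswordAuthentication no in the first place.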

This is one reason the choice of distribution matters for a secure computing environment. Before going further, a look at the most-used distributions.

Linux Distributions

The report's pie chart (not reproduced here) shows the Linux distributions most used in enterprise deployments, as seen by Trend Micro Cloud One.

Linux Distributions Protected by Trend Micro Cloud One | Source: Trend Micro

Vendor support is key to enterprise adoption, which is why maintenance and consistent updates are the hallmarks of a distribution worth adopting.

Every Linux distribution is built from the same two parts: the Linux kernel and the userspace stack on top of it. The kernel is common to all distributions and is the most heavily scrutinized component. What a distribution adds is everything else: the shell, system libraries, the package manager, the services it enables by default and the configuration it ships with.

That userspace stack is what sets one distribution apart from another. Distribution developers have wide latitude in how they assemble it, and their choices, including how quickly they backport security fixes and how long a release is supported, are why different distributions turn up with different vulnerabilities.

So while the kernel may be well hardened, the distribution an enterprise runs may not be. Timely updates and a supported release are what make a distribution dependable for large-scale use such as enterprise cloud workloads.


Vulnerabilities in Linux

Trend Micro analysed 50 million events from H1 2021, generated by 100,000 unique Linux hosts, and found 200 different vulnerabilities. The fifteen with known exploits or proofs of concept, and the applications they affect, are:

Top Vulnerabilities With Known Exploits or Proofs of Concept

CVE             Vulnerability                                                   CVSS v3   Severity
CVE-2017-5638   Apache Struts 2 remote code execution (RCE)                     10.0      Critical
CVE-2017-9805   Apache Struts 2 REST plugin XStream RCE                         8.1       High
CVE-2018-7600   Drupal Core RCE                                                 9.8       Critical
CVE-2020-14750  Oracle WebLogic Server RCE                                      9.8       Critical
CVE-2020-25213  WordPress File Manager plugin RCE                               9.8       Critical
CVE-2020-17496  vBulletin 'subwidgetConfig' unauthenticated RCE                 9.8       Critical
CVE-2020-11651  SaltStack Salt authorization weakness                           9.8       Critical
CVE-2017-12611  Apache Struts OGNL expression RCE                               9.8       Critical
CVE-2017-7657   Eclipse Jetty chunk length parsing integer overflow             9.8       Critical
CVE-2021-29441  Alibaba Nacos AuthFilter authentication bypass                  9.8       Critical
CVE-2020-14179  Atlassian Jira information disclosure                           5.3       Medium
CVE-2013-4547   Nginx crafted URI string handling access restriction bypass     N/A       N/A
CVE-2019-0230   Apache Struts 2 RCE                                             9.8       Critical
CVE-2018-11776  Apache Struts OGNL expression RCE                               8.1       High
CVE-2020-7961   Liferay Portal untrusted deserialization                        9.8       Critical

Top Application Targets through Known Vulnerabilities on Linux | Source: Trend Micro

CVE-2013-4547 predates CVSS version 3 and carries no v3 score. Most of the fifteen are remote code execution flaws in internet-facing web applications and middleware, exactly the kind of bug through which a web shell gets planted.

Linux Malware

Trend Micro found coinminers, cryptocurrency-mining malware, to be the most prevalent malware on Linux. Coinminers illicitly use the CPU and GPU of compromised hosts to mine cryptocurrencies such as Bitcoin, Ethereum and Monero; in practice the target is usually Monero, which is designed for CPU mining, as the MALXMR (XMRig-based) family names below reflect.

Victims of a coinminer infection often notice lag, crashes, higher power consumption and overheating as the miner hijacks the host's compute resources. Trend Micro said coinmining on Linux is particularly attractive to cybercriminals because Linux runs the bulk of public cloud workloads.

It also has to do with the recent surge in cryptocurrency prices, Bitcoin in particular. Trend Micro's Magno Logan and Pawan Kinger wrote, "Given that the cloud holds a seemingly endless amount of computing power, hackers have a clear motive in stealing computing resources to run their cryptocurrency mining activities."

Web shells came in second. A web shell is malicious code, usually written in a server-side web language such as PHP or ASP, that an attacker drops on a web server first to gain access and then to keep it; besides that illicit access it gives the attacker remote command execution on the host.

With that foothold the attacker can steal data from the server or use it as a staging ground for further activity such as lateral movement and deployment of additional payloads. A web shell is not usually the initial entry point: it is typically planted after a web-application flaw such as the RCE bugs listed above has been exploited, and it is what turns a one-off exploit into persistent access. Taken together with the 19 million Linux systems found exposing SSH, the picture is one of a large, reachable attack surface.
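The PHP web shell families in the table below are detected by signature, but the shape of a web shell is generic enough to catch with a handful of indicators: a code- or command-execution function fed straight from a request superglobal, a variable function called on request input, error-suppressed eval, and decode chains that hide the function name. The scanner below is an added example written for this page, not Trend Micro's detection logic; the four PHP samples are constructed, and the indicator weights and the threshold of five are assumptions to tune against a real code base.

```python
import base64
import re

# PHP functions that execute code or OS commands; a web shell needs at least one.
EXEC_FUNCS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
              "popen", "proc_open", "pcntl_exec")
EXEC_ALT = "|".join(EXEC_FUNCS)
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"

# (name, pattern, weight). Weights are assumptions for this demo, not a vendor scheme.
INDICATORS = [
    ("exec_func_on_request_input",                       # eval($_POST['cmd'])
     re.compile(rf"\b(?:{EXEC_ALT})\s*\(\s*[^;]*?{SUPERGLOBAL}"), 5),
    ("variable_function_on_request_input",               # $f($_GET['c'])
     re.compile(rf"\$\w+\s*\(\s*[^;]*?{SUPERGLOBAL}"), 4),
    ("error_suppressed_eval",                             # @eval(
     re.compile(r"@\s*(?:eval|assert)\s*\("), 3),
    ("preg_replace_e_modifier",                           # legacy /e executes the replacement
     re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"), 3),
    ("decode_chain",                                      # base64_decode(, gzinflate( ...
     re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    ("shell_command_call",                                # any shell call; weak on its own
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("), 1),
]
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{4,})['\"]\s*\)")


def decoded_exec_names(source):
    """Base64 string literals that decode to an exec function name (a hidden call)."""
    found = []
    for literal in B64_LITERAL.findall(source):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded in EXEC_FUNCS:
            found.append(decoded)
    return found


def scan_php(source, threshold=5):
    """Score one PHP source text; 'likely_webshell' when the score reaches threshold."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(source):
            hits.append(name)
            score += weight
    for fn in decoded_exec_names(source):
        hits.append("base64_hidden_" + fn)   # e.g. "c3lzdGVt" decodes to "system"
        score += 4
    return {"score": score, "indicators": hits, "likely_webshell": score >= threshold}


# Constructed samples: two benign files and two minimal shells, not real malware.
SAMPLES = {
    "contact.php":    '<?php\n$name = htmlspecialchars($_POST["name"] ?? "");\necho "Hello, $name";\n',
    "legacy.php":     '<?php $out = shell_exec("uptime"); echo $out; ?>',
    "one_liner.php":  '<?php @eval($_POST["cmd"]); ?>',
    "obfuscated.php": '<?php $f = base64_decode("c3lzdGVt"); $f($_GET["c"]); ?>',
}


def scan_all(samples=SAMPLES):
    return {name: scan_php(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:16} score={result['score']:2} webshell={result['likely_webshell']} {result['indicators']}")
```

legacy.php scores 1 (a shell call with a constant argument) and contact.php 0, while the one-liner and the base64-hidden system() call both clear the threshold. Run over a document root this is a triage list, not a verdict: confirm a hit by checking the file against the deployed application's version control or package manifest.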

Top Five Malware Types on Linux | Source: Trend Micro

Ransomware and Trojans also pose significant threats to Linux systems.

Malware type affecting Linux, with the prevalent malware families in each:

Coinminers

  • Coinminer.Linux.MALXMR.SMDSL64
  • Coinminer.Linux.MALXMR.PUWELQ

Web shells

  • Backdoor.PHP.WEBSHELL.SBJKRW
  • Backdoor.PHP.WEBSHELL.SMMR
  • Backdoor.PHP.WEBSHELL.SMIC

Ransomware

  • DoppelPaymer
  • Unnamed ransomware strain
  • RansomExx
  • DarkRadiation
  • DarkSide

Trojans

  • NA

The four Linux distributions that accounted for the most malware detections were:

  • CentOS – 50.8%
  • CloudLinux Server – 31.24%
  • Ubuntu Server – 9.56%
  • Red Hat Enterprise Linux Server – 2.73%

OWASP vs Non-OWASP Linux Threats

The Open Web Application Security Project (OWASP) is a non-profit foundation that maintains tools and knowledge resources for web application security, including the OWASP Top 10 list of the most critical web-application risks. Trend Micro split the attacks it observed into those that map to OWASP categories and those that do not.

"The major attack types on Web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers' job easier," Setu Kulkarni, vice president of strategy at NTT Application Security, told Security Magazine. "The need of the hour is to focus on testing applications in production, figuring out what your organization's top 3-5 vulnerability types are, launch a targeted campaign to address these top vulnerabilities, rinse and repeat."

Linux Threats That Come Under the Purview of OWASP

OWASP Linux threat          Description                                                                              Share
SQL injection               Attacker-supplied input is folded into a database query and alters what it executes      27.13%
Command injection           Arbitrary OS commands executed on the host through a web-application flaw                23.16%
Cross-site scripting (XSS)  Malicious scripts injected into an otherwise trusted website                              21.38%
Insecure deserialization    Untrusted data abuses application logic to cause denial of service or code execution     17.51%
XML external entity (XXE)   Abuse of an XML parser's support for external entities when processing XML input         6.13%
Broken authentication       Impersonating legitimate users by bypassing or capturing authentication                   4.24%
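The two largest OWASP categories in the table, SQL injection and command injection, share one root cause: request input is spliced into a string that another interpreter (the database engine, /bin/sh) then parses. The example below is added for this page and is not code from the report; it puts the vulnerable form of each next to the hardened form using Python's sqlite3 and subprocess modules on constructed data. The host check uses echo where a real application would call ping, so the demo needs no network, and the hostname pattern is an assumed allow-list.

```python
import re
import sqlite3
import subprocess


def make_db():
    # In-memory database with constructed rows, standing in for a real user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn, username):
    # SQL injection: the request parameter is spliced into the SQL text, so quotes
    # and operators inside it are parsed as SQL rather than treated as data.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    # Parameterized query: the driver binds the value, so it can never change the
    # statement's structure whatever characters it contains.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# Assumed allow-list for a hostname or IPv4 literal: no shell metacharacters can pass.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def host_check_vulnerable(host):
    # Command injection: shell=True hands the whole string to /bin/sh, so ";", "|",
    # "$(...)" and friends in the parameter run as extra commands.
    # "echo" stands in for "ping -c 1" so the demo needs no network.
    return subprocess.run(f"echo host={host}", shell=True,
                          capture_output=True, text=True).stdout


def host_check_safe(host):
    # Validate against the allow-list, then pass the value as its own argv element
    # with no shell in between; even a bad value could only ever be an argument.
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return subprocess.run(["echo", f"host={host}"],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    conn = make_db()
    sql_payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, sql_payload))   # every user
    print("safe:      ", find_user_safe(conn, sql_payload))         # no match
    cmd_payload = "8.8.8.8; echo INJECTED"
    print(host_check_vulnerable(cmd_payload), end="")               # two lines: host=8.8.8.8, INJECTED
    try:
        host_check_safe(cmd_payload)
    except ValueError as err:
        print("safe:", err)
```

The tautology payload turns the vulnerable query into WHERE username = '' OR '1'='1' and returns every row; the same string bound as a parameter matches nothing. For the command case, the fix is the combination: an allow-list alone still leaves a shell in the path, and dropping the shell alone still passes arbitrary bytes to the program as an argument.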

Top Linux Threats That Do Not Come Under the Purview of OWASP

Non-OWASP Linux threat   Description                                                                          Share
Brute-force attacks      Many credential guesses submitted in the hope that one succeeds; high-volume trial and error   38.03%
Directory traversal      Reading arbitrary files on the server, including ones outside the intended directory          20.93%
Request smuggling        Interfering with how front-end and back-end servers process the boundaries of a request        3.35%
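Directory traversal, a fifth of the non-OWASP attacks above, is a containment bug: the application joins a request path onto its document root and never checks where the result ended up. The comparison below is an added example for this page, not code from the report or from any web server; the document root /srv/www/site is assumed and need not exist, and the request paths are constructed. It decodes the path once, as the web server already has for a real request, canonicalises it and then checks containment on the canonical path rather than on the raw string.

```python
import os
from pathlib import Path
from urllib.parse import unquote

WEB_ROOT = "/srv/www/site"   # assumed document root; it need not exist for this demo


def resolve_vulnerable(web_root, requested):
    # Typical bug: decode the URL path and join it onto the root with no containment
    # check. normpath collapses ".." and an absolute path replaces the root outright.
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def resolve_safe(web_root, requested):
    root = Path(web_root).resolve()
    # Decode exactly once (a second decode would turn %252e%252e into "..", which
    # the web server never did), then canonicalise so "..", "." and absolute
    # components are all collapsed before the check.
    candidate = (root / unquote(requested)).resolve()
    # Containment check on the canonical path: either the root itself or a descendant.
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return str(candidate)


# Constructed request paths, not taken from a real server log.
REQUESTS = [
    "index.html",                    # ordinary file
    "css/../index.html",             # ".." that stays inside the root: allowed
    "../../../etc/passwd",           # classic traversal
    "..%2f..%2f..%2fetc%2fpasswd",   # same, URL-encoded once
    "/etc/passwd",                   # absolute path: os.path.join discards the root
]


def compare(requests=REQUESTS, web_root=WEB_ROOT):
    """Return {request: (naive result, 'allowed:<path>' or 'denied')}."""
    results = {}
    for req in requests:
        naive = resolve_vulnerable(web_root, req)
        try:
            safe = "allowed:" + resolve_safe(web_root, req)
        except PermissionError:
            safe = "denied"
        results[req] = (naive, safe)
    return results


if __name__ == "__main__":
    for req, (naive, safe) in compare().items():
        print(f"{req:32} naive={naive:24} safe={safe}")
```

Three of the five requests resolve to /etc/passwd through the naive join and are denied by the safe version; css/../index.html is correctly allowed because the canonical path is still under the root. On a real deployment the symlink case matters too: resolve() follows symlinks, so a link inside the root that points outside it is caught, which a purely lexical check would miss.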

Closing Thoughts

Trend Micro's report is a reminder that Linux is not invulnerable after all. Bear in mind that this is rarely the fault of the kernel itself; it comes down to how a particular distribution is deployed, configured and kept up to date for a given use case.

More than Linux itself, organizations' cloud environments pose a challenge: fully leveraging, governing and controlling them takes expertise that is in short supply. The intersection of cloud and Linux is a good place to start evaluating security posture.

The report also covers container and supply-chain vulnerabilities.
