I'm concerned about the OutlawCountry exploit

Solution Verified

Environment

Red Hat Enterprise Linux 6 and derivatives running 64-bit kernel version 2.6.32
Red Hat Enterprise Linux 5 and 7 are not impacted

Issue

  • I've read on the internet that Red Hat products may be vulnerable to an exploit detailed within a recent Wikileaks article.
  • What details can you share about the OutlawCountry exploit?

Resolution

Take action

This issue is currently under investigation. In the meantime, end users can check for the existence of the following file:

File Name          Size   MD5
nf_table_6_64.ko   9672   2CB8954A3E683477AA5A084964D4665D

When the module is loaded, a hidden table named "dpxvke8h18" can be found within the iptables rules.

The attack documentation describes a cleanup process that removes these traces from the system once the attacker has concluded operations, so the absence of these indicators does not by itself show that a system was never affected.

Organizations that find indicators of compromise on a system should follow their organizational practices for Incident Response and react accordingly.

References

https://www.rt.com/viral/394631-cia-wikileaks-linux-surveillance/

Root Cause

OutlawCountry is a kernel module that creates a hidden netfilter table on a Red Hat Enterprise Linux 6.x or CentOS 6.x system. Using this table, an attacker could alter system configurations and override existing firewall rules.

The attack is described as working only with the default 64-bit 2.6.32 kernel versions in the 6.x product family of Red Hat Enterprise Linux and its derivatives.

An attacker must already have shell access to a system to carry out this exploit. Root privileges are required to load a kernel module that is not already installed.

Version 1.0 of this exploit is documented as supporting only the addition of covert DNAT rules to the PREROUTING chain within iptables.

Diagnostic Steps

To determine whether this kernel module is loaded, use the lsmod command:

$ lsmod | grep nf_table

In addition, Red Hat Insights is able to detect systems that are affected by this particular malware.
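
The indicators listed in this article (file name, size and MD5, the lsmod pattern, and the table name) can be checked together with one script. This is an added example, not Red Hat code: the function names, the --live switch, and querying the table by name with iptables -t are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Red Hat code. Indicator values are copied from the article.
IOC_NAME="nf_table_6_64.ko"
IOC_SIZE=9672
IOC_MD5="2cb8954a3e683477aa5a084964d4665d"   # article's MD5, lower-cased
IOC_TABLE="dpxvke8h18"

# Classify one file against the article's name/size/MD5 values.
# Prints: hash-match | review (name or size matches, MD5 differs) | clean
classify_file() (
    f=$1
    [ -f "$f" ] || { echo clean; exit 0; }
    md5=$(md5sum "$f" | awk '{ print tolower($1) }')
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$md5" = "$IOC_MD5" ]; then
        echo hash-match
    elif [ "$(basename "$f")" = "$IOC_NAME" ] || [ "$size" = "$IOC_SIZE" ]; then
        echo review
    else
        echo clean
    fi
)

# Walk a directory tree and print "<verdict> <path>" for every non-clean .ko file.
scan_files() {
    find "$1" -type f -name '*.ko' 2>/dev/null |
    while IFS= read -r f; do
        v=$(classify_file "$f")
        [ "$v" = clean ] || echo "$v $f"
    done
}

# Read lsmod output on stdin and print module names starting with nf_table
# (the article's grep pattern, applied to the name column only). Kernels that
# ship nftables load a legitimate nf_tables module that also matches.
suspect_modules() {
    awk 'NR > 1 && $1 ~ /^nf_table/ { print $1 }'
}

# Succeeds if the running kernel has the table named in the article (needs root).
# Assumption of this example: the table can be queried by name with -t.
hidden_table_present() {
    iptables -t "$IOC_TABLE" -L -n >/dev/null 2>&1
}

# Live checks run only on request, e.g.: sh outlaw_check.sh --live /lib/modules
if [ "${1:-}" = "--live" ]; then
    scan_files "${2:-/}"
    lsmod | suspect_modules | sed 's/^/loaded-module /'
    if hidden_table_present; then echo "hidden-table $IOC_TABLE"; fi
fi
```

A "review" verdict means the name or size matches but the MD5 does not, which is worth a manual look before the file is cleared.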
