I'm concerned about the OutlawCountry exploit
Environment
Red Hat Enterprise Linux 6 and derivatives running 64-bit kernel version 2.6.32
Red Hat Enterprise Linux 5 and 7 are not impacted
Issue
- I've read on the internet that Red Hat products may be vulnerable to an exploit detailed within a recent Wikileaks article.
- What details can you share about the OutlawCountry exploit?
Resolution
Take action
This issue is currently under investigation. In the meantime, end-users can check for the existence of the following file:
| File Name | Size (bytes) | MD5 |
|---|---|---|
| nf_table_6_64.ko | 9672 | 2CB8954A3E683477AA5A084964D4665D |
When the module is loaded, a hidden table named "dpxvke8h18" can be found among the iptables rules.
Part of the attack documentation describes a cleanup process that removes these traces from the system once the operator has concluded their activity, so the absence of these indicators does not by itself show that a system was never affected.
Systems on which these indicators of compromise are found should be handled according to the organization's Incident Response practices.
References
https://www.rt.com/viral/394631-cia-wikileaks-linux-surveillance/
Root Cause
OutlawCountry is a kernel module that creates a hidden netfilter table on a Red Hat Enterprise Linux 6.x or CentOS 6.x system. Using this table, an attacker could alter system configurations and override existing firewall rules.
This attack is documented to work only with the default 64-bit 2.6.32 kernel versions in the 6.x product family of Red Hat Enterprise Linux and its derivatives.
An attacker must already have shell access to a system to carry out this exploit. Root privileges are required to load a kernel module that is not already installed.
Version 1.0 of this exploit is documented to support only the addition of covert DNAT rules to the PREROUTING chain in iptables.
Diagnostic Steps
To determine whether this kernel module is loaded, use the lsmod command:
$ lsmod | grep nf_table
In addition, Red Hat Insights is able to detect systems that are affected by this particular malware.
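The following script is an added example and is not part of this Red Hat solution. It combines the three indicators listed above (the lsmod prefix, the hidden table name, and the published module file name and MD5) into one check; the function names and the filesystem search are assumptions, and the live scan only runs when the script is invoked with --scan.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution. Checks the three indicators
# the article lists; the IOC values are from the article, the search paths and
# helper names are assumptions.
IOC_MODULE="nf_table"                            # lsmod prefix from the article
IOC_TABLE="dpxvke8h18"                           # hidden netfilter table name
IOC_FILE="nf_table_6_64.ko"                      # module file name
IOC_MD5="2cb8954a3e683477aa5a084964d4665d"       # published MD5, lowercased

# Reads lsmod output on stdin; succeeds if any module name starts with IOC_MODULE.
check_lsmod_output() {
    awk -v m="$IOC_MODULE" 'index($1, m) == 1 { found = 1 } END { exit !found }'
}

# Succeeds if the given hex digest equals the published MD5 (case-insensitive).
hash_matches() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$IOC_MD5" ]
}

# Succeeds if the file exists and its MD5 matches the published hash.
check_file_hash() {
    [ -f "$1" ] || return 1
    hash_matches "$(md5sum "$1" | awk '{ print $1 }')"
}

# Live scan of this host (needs root for iptables). Prints one line per hit
# and returns the number of hits, so 0 means no indicator was found.
scan_host() {
    hits=0
    if lsmod 2>/dev/null | check_lsmod_output; then
        echo "HIT: a module matching '$IOC_MODULE' is loaded"; hits=$((hits + 1))
    fi
    # The table is described as hidden, so ask iptables for it by name.
    if iptables -t "$IOC_TABLE" -L -n >/dev/null 2>&1; then
        echo "HIT: hidden iptables table '$IOC_TABLE' answers"; hits=$((hits + 1))
    fi
    for f in $(find / -xdev -type f -name "$IOC_FILE" 2>/dev/null); do
        if check_file_hash "$f"; then
            echo "HIT: $f matches the published MD5"; hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ] && echo "No OutlawCountry indicators found"
    return "$hits"
}

# Run the live scan only when invoked as: sh outlawcountry_check.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_host; fi
```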
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.