The state of Linux security in 2017

Linux security (2017 edition)

The year is closing, so it is time to review Linux security. Like last year, we look at the state of Linux security. A collection of the finest moments. Did we forget something important? Let us know in the comments. This post will remain updated in the upcoming weeks.

As this post may appear on HN, Reddit, Slashdot, and other high-traffic sites, this post is heavily cached. Comments may show up with some delay.

January: MongoDB, Debian encrypted folders, tcpdump, and data loss at Gitlab

MongoDB databases under attack worldwide

The problem with default passwords is that they don’t get changed too often. While this may look innocent during development, it becomes a serious issue if it happens in production. Many Internet-of-Things devices got their fair share of attention last years, now it is time for those who set up MongoDB and left things as-is.

Unlocking encrypted folders on Debian with just one character

Debian bug 852751 revealed a serious issue with Cryptkeeper, the encrypted folder manager. The issue? All encrypted folders using Cryptkeeper can all be unlocked with password ‘p’. This issue was caused by using the underlying EncFS component incorrectly.

Cryptkeeper itself seems to be unmaintained for a while. The issue was opened on GitHub, which did not get much response from the project owner. After almost 11 months, it is still open. Open source or not, unmaintained software is a serious risk.

CVE collection for tcpdump

The famous tcpdump tool, known for its command-line network traffic analyzer capabilities, got a serious review. At least 11 CVE numbers have been assigned in 2017. One of the lessons to learn: mature utilities like tcpdump may not be as secure as we like to think. service outage

We get to learn another lesson in the first month of the year: check your backups. The company GitLab experienced data loss and then learned their backup methods did not work. The related news article from The Register, uses a headline that says enough: “ melts down after wrong directory deleted, backups fail”.

Unfortunately, the related Google Docs document has been deleted. It showed a list of activities and actions to improve. GitLab is known to be open and they did a good job during the event. So for those who missed it, a copy would have been great.

February: Linux on the desktop, Android

Security issues with Linux on the desktop

During FOSDEM (Belgium), Hanno Böck shared some common weaknesses on the Linux desktop. These are related to the typical file extensions and media types you would likely see on a desktop system. Activities like watching images or movies, using icons, or listening to music. Parsers and plugins fail to be strict when dealing with data, resulting in some interesting flaws.

Android won: the most vulnerabilities

Android was the operating system that had the most security-related flaws in 2016. As it is based on Linux, it is no surprise that Debian and Ubuntu followed the mobile operating system with the second and third place.

April: BrickerBot, LinuxKit

Killing IoT devices before they become zombies

BrickerBot is a new piece of malware to specifically attack weak-configured devices with network capabilities. If access can be achieved, this malware will do several attempts to destroy the device by removing disk partitions and finally reboot the device. The goal is to ‘brick’ a device, making it useless. This way it can’t join a botnet and become another zombie sending out spam or play in a Distributed Denial of Service attack (DDoS). The author with the nickname “The Janitor” said in interviews that BrickerBot killed more than 10 million devices. Recently the author announced to stop his activities. One of the reasons is to prevent his identity getting revealed.

Building Linux systems securely

Although Docker did not invent the container technology, they are one of the driving forces regarding the adoption of containers. While they are busy getting more traction, they also found time to release a new project named LinuxKit. As the name implies, it is a kit. The idea is to make it possible creating portable, lean, and secure Linux subsystems.

May: sudo

Attack on sudo

Most Linux users will be familiar with sudo, the little tool to temporarily receive elevated privileges. Typically such utilities get reviewed for security flaws, as they are a good target to be exploited. It is interesting to note that still issues are found. With CVE number CVE-2017-1000367, an issue was discovered in the function get_process_ttyname(), resulting in revealing sensitive information.

June: Stack Clash, Cryptomining on Raspberry Pi

Clashing the stack

Qualys reports a discovered issue named Stack Clash. The stack, part of memory management for processes, is incorrectly handled on Linux and several BSD-based operating systems. The attack can still succeed, even with Linux “stack guard”, a defensive mechanism, in place.

Cryptomining on the Raspberry Pi

The Raspberry Pi is a wonderful multipurpose small device. But as always, patching is crucial. This time the malware dubbed Linux.MulDrop.14 is attacking the little devices. Surprisingly to get it work in bitcoin mining.

Related article:

  • Linux Malware Mines for Cryptocurrency Using Raspberry Pi Devices

July: systemd, CIA

0day is not a valid username for systemd

A lively discussion emerged on GitHub about if the username ‘0day’ is valid or not. Because it starts with a number, systemd decides the username is invalid. That might be annoying, but the issue was created as the actual task was performed with root permissions. The related CVE CVE-2017-1000082 was closed as ’notabug’. Yet another item on the list for the systemd opponents?

CIA hacking tool: Aeris

Ever heard about the Aeris tool? This CIA hacking tool became known to target portable Linux systems including CentOS, Debian, and others. With its goal to exfiltrate data via secured channels, it can be tricky to detect.

Related article:

  • Achilles, Aeris, and SeaPea Are 3 CIA Tools for Hacking Mac and POSIX Systems


Know of some relevant news about Linux security in this month? Share it in the comments.

September: Equifax, Linus, Optionsbleed, IoT, TLS, dnsmasq

Equifax suffers a serious breach due to outdated Apache Struts installation.

On a daily basis, companies and individuals see their data breached. But what if you never gave your data to a company, yet still one of your most sensitive information, your credit scores, are revealed? Research revealed that an unpatched installation of Apache Struts was used to get in. The Apache Software Foundation expressed their opinion.

Linus showing some love for security

A sudden surprise: Linus wants offensive security specialists to join in the development of the Linux kernel. He expressed this at the Open Source Summit. He wants skilled people to use their knowledge and help to improve the security of the kernel, including the use of fuzzing technology. At least a positive signal from the godfather of Linux.


Hanno Böck discovered a vulnerability in the Apache HTTP server software. It is a memory-leaking vulnerability that is similar to the OpenSSL Heartbleed bug (April 2014). For that reason, Böck named it Optionsbleed. The related CVE is CVE-2017-9798. Optionsbleed affects a relatively limited number of servers.

IoT devices attacked by Linux.ProxyM

Nothing new, but several sources report about weaknesses in the Internet-of-Things (IoT) devices. As these are typically running Linux and have internet connectivity, a single vulnerability is enough to make it part of a botnet. In this particular case, Linux.ProxyM infects the related devices. Then they are configured to send spam in small batches. Enough to be annoying, yet low enough to prevent easy tracking an infected device.

Linux 4.13 released with in-kernel TLS support

This new release of the kernel provides TLS support directly. This kTLS functionality will do mostly symmetric encryption, while more advanced functions will be kept external. Additional details can be found at an older post from LWN.

Poor dnsmasq

Now and then, a common library or toolkit is audited by researchers. It happens that a set of vulnerabilities are discovered, often there for years. This month the dnsmasq project had to deal with several vulnerabilities. As this project is used for DHCP and DNS on smaller networks, you can bet it is part of many systems and especially embedded decides like routers. Version 2.78 of dnsmasq was released on the 2nd of October. The related Proof-of-Concept scripts to exploit can be found at the GitHub repository of Google.

October: Ransomware, Linux Security Summit

Ransomware is coming to Linux

With ransomware being a common issue on systems running Windows, it looks like it won’t take long that Linux systems will join. On the Gentoo forums, a case of Linux ransomware was discussed. While the forum thread does not go into much depth on the specifics, we can still learn from it. The first lesson is not to run things as root, especially not a web browser. Nothing new there, but it looks like people still keep doing these things.

Linux Security Summit Summary

James Morris, a Linux kernel developer, wrote an extensive post about last month’s Linux Security Summit. A great resource to learn about some projects, like the CII badge program, TPM 2.0, and the ongoing kernel self-protection project.

Related links:

  • CII badge program
  • Kernel Self-Protection Project

November: USB, security people

USB “mess” storage

November is a bad month for everything related to Linux and USB. A list of at least 14 CVEs appeared on the oss-security list, with many being able to provide a denial-of-service. These issues were found by Google’s syzkaller, a kernel fuzzing tool. Apparently, this is just the tip of the iceberg.

Linus Torvalds: ‘I don’t trust security people to do sane things’

The creator of Linux is known for its opinions and he isn’t shy to share them. A lot of discussions emerged after Linus exploded based on a pull-request earlier by Kees Cook.

December: glibc, VLC audit

Memory leak and buffer overflow in glibc

The GNU C Library, glibc for short, had a buffer overflow (CVE-2017-1000409) in its dynamic loader ( At the same time a memory leak (CVE-2017-1000408).

VLC getting a budget for bug bounties

VLC, the popular media player, is getting a budget for bug bounties. This budget of 60.000 euros was made available by the Free and Open Source Software Audit (FOSSA) project. A great way to have people put their eyes on the source code of VLC and get rewarded for serious flaws in the program. Another interesting fact is that this bug bounty program is at the same time a proof of concept (PoC) for FOSSA-2.

In other news

Cool tools

During the year we found several existing and new tools:

  • Buttercup (password manager)
  • Decentraleyes (local CDN emulation for increased privacy)
  • Kube-Bench (security benchmark testing for Kubernetes)
  • Privacy Badger (browser privacy plugin)
  • Prowler (AWS CIS Benchmark Tool)
  • Radare2 (binary analysis)
  • (TLS/SSL configuration scanner)
  • Vault (storage of secrets)
  • vFeed (vulnerability database)
  • Vuls (agentless vulnerability scanner)

Learned at least one new tool from this list? The Linux Security Expert project has a new database with security tools. See the bottom of this post for more details about this project.

Some other interesting Twitter handles to follow for your daily dose of tools:

  • @HackwithGithub
  • @KitPloit
  • @ToolsWatch

Linux malware

Linux rootkits

Rootkits are one of the techniques to hide an intrusion and keep a persistent foothold in the system. Nothing new here. The number of new rootkits declined with several kernel improvements over the years. Yet sometimes a new rootkit shows up, like the Reptile LKM rootkit.

Ransomware and Linux

We had expected that this year ransomware would jump to Linux systems. While it makes sense to target the users with a below-average knowledge of computers, we think there might be a business in hijacking Linux servers. After all, creating ransomware for Linux is a trivial task. Most systems already have the required “toolkit” available to find files and encrypt them (find, openssl).

Some examples of Linux ransomware:

  • Bash Ransomware
  • CryptoTrooper

Web browsers

Linux sandboxing improvements in Firefox 57

Firefox is lately pushing on performance and security. With version 57 they include several improvements for Linux, like using seccomp. Seccomp can be used by developers to specify which system calls may be used.

Linux security experts

Want to learn who is active in the field of Linux security? Here are some experts to follow:

  • Binni Shah (@binitamshah) - Linux security and related topics
  • Diogo Mónica (@diogomonica) - Docker security
  • Dirk Wetter (@drwetter) - TLS, SIEM
  • Hanno Böck (@hanno) - security research
  • Jessie Frazelle (@jessfraz) - Linux security nerd at Microsoft (her words)
  • Justin Cormack (@justincormack) - Docker security and LinuxKit
  • Hal Pomeranz (@hal_pomeranz) - Linux security and training
  • Kees Cook (@kees_cook) - kernel hacker
  • Liz Rice (@lizrice) - container technology
  • Michael Boelen (@mboelen) - Linux security and auditing
  • Michał Zalewski (@lcamtuf) - security tools
  • Nathan McCauley (@nathanmccauley) - Docker security
  • NJ OUCHN (@toolswatch) - CVE
  • Thomas Graf (@tgraf__) - kernel development, networking, containers

Someone missing who does activities related to Linux security and is active on Twitter? Let us know in the comments.


This post has been made possible with the help of our community. This includes the readers of the Linux Audit blog, but also users of Lynis and customers of Lynis Enterprise. They keep us involved in their daily struggles to secure, test, and report on the health of their Linux systems. That brings me to the activities we did ourselves in 2017.

Lynis celebrates its 10 years anniversary

Many open source tools are abandoned after a few years of their inception. So it is a great pleasure to see when a tool reaches its 10th birthday and at the same time is still maintained. Lynis, the freely available security scanner for Linux, macOS, and other Unix-based systems is going strong.

Linux security library and training center

This year we started with a new resource named Linux Security Expert (or LSE). The website has the goal to bring tools, authors, and training together in one place. In the first phase of the project, we launched the security tools section, including a top 100 of the best security tools. This list is updated weekly and is based on a scored list of the tools. Healthy projects will find their way to the top, giving authors a reason to keep maintaining their favorite tools. Are you on Twitter, then follow @LSELabs for tool reviews and updates.

Thanks for tagging along and wishing you a good holiday season and a safe 2018.

Did you like this post? Share and spread the knowledge.


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon