Protecting Linux Devices from Shadow SUID exploitation – Feature Spotlight

Protecting Linux devices introduces different challenges from those of other endpoints: they are usually servers that must stay up at all costs and cannot afford any disruption. Linux devices are also a highly attractive target for attackers, as they often host more data than the average endpoint. Attackers are well aware of this fact.

Many people feel that Linux is as secure as, if not more secure than, most other major operating systems, but there are other voices, like the one presented here, which claim the most vulnerable operating system is actually Linux.

Here at SentinelOne, we know that enterprise security is only as strong as your weakest link. That’s why we invest in our Linux offering and continue to expand our ability to detect, protect, and respond to threats that can impact your business security. It is also why we’ve delivered the Shadow SUID protection feature we discuss today.

It All Starts with Root

Obtaining root privileges on Linux is the crown jewel for adversaries. Once they have them, attackers will try to secure their achievement and maintain those privileges. One weakness that attackers can exploit for this involves the setuid (SUID) mechanism.

What is SUID?

SUID stands for “Set User ID” and governs what happens when a file is executed. Ordinarily, a binary runs with the permissions of the user who launched it, but there are cases where this isn’t practical. For example, the widely used “ping” command requires root privileges, but we don’t want every user who needs ping to become root. SUID solves this problem with a permission bit on the binary that lets ordinary users execute ping as if they were root.
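As an added example (not SentinelOne’s code or part of the original post), the following Python audit helper inventories regular files that carry the setuid or setgid bit just described, records their owner, and flags the combinations a defender would want to review first. `classify_mode` works on raw stat values, so it can be exercised on recorded inventory data without root access; it covers only the conventional on-disk SUID bits this section explains.

```python
"""Inventory setuid/setgid files on a Linux host (added example, not SentinelOne agent code)."""
import os
import stat
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional

@dataclass
class SuidFinding:
    path: str
    uid: int            # file owner; a setuid file runs with this uid
    setuid: bool
    setgid: bool
    world_writable: bool

def classify_mode(path: str, mode: int, uid: int) -> Optional[SuidFinding]:
    """Return a finding when a regular file carries the setuid or setgid bit.
    `mode` and `uid` are raw st_mode/st_uid values, so saved inventory data works too."""
    if not stat.S_ISREG(mode):
        return None  # the kernel honours these bits only on regular files
    setuid = bool(mode & stat.S_ISUID)
    setgid = bool(mode & stat.S_ISGID)
    if not (setuid or setgid):
        return None
    return SuidFinding(path, uid, setuid, setgid, bool(mode & stat.S_IWOTH))

def risk_notes(f: SuidFinding) -> List[str]:
    # Plain-language reasons a finding deserves review
    notes = []
    if f.setuid:
        notes.append("executes as root for any local user" if f.uid == 0
                     else f"executes as uid {f.uid} for any local user")
    if f.world_writable:
        notes.append("world-writable: any user can replace its code")
    return notes

def walk_suid(root: str) -> Iterator[SuidFinding]:
    """Yield setuid/setgid regular files below `root` without following symlinks."""
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable, or removed while walking
            finding = classify_mode(full, st.st_mode, st.st_uid)
            if finding:
                yield finding

if __name__ == "__main__":
    for item in walk_suid(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(item.path, "; ".join(risk_notes(item)))
```

Comparing a fresh run against a baseline taken at build time is the usual way to turn this list into an alert on newly appeared setuid files.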

Shadow SUID Protection

That could be dangerous, but it’s a danger most sysadmins know both how to spot and how to stop. However, SentinelOne researcher Dor Dankner recently discovered how easy it is to exploit a little-known feature that allows any file to abuse SUID binaries and execute as root. Dor calls these files “Shadow SUIDs”, and his research (detailed here) proved not only that Shadow SUIDs are easy to create, but also that they are extremely difficult for most sysadmins to detect or block. Given the risks, we knew this was something that had to be dealt with directly by the SentinelOne agent. Enter Shadow SUID Protection.

Our Shadow SUID Protection closes this privilege-escalation path on Linux and prevents an attacker from using it to run a non-privileged binary with root privileges.

Learn more about how this Shadow SUID Protection came about

How to Get This Protection?

For our existing customers, this capability is supported starting in agent 2.6.4, which provides dedicated protection that prevents exploitation of the SUID mechanism to elevate privileges. If you’re not yet a SentinelOne customer, it’s easy to request a demo.