This tutorial explains what is UChecker and how to detect outdated shared libraries in memory with UChecker in Linux operating systems.
Table of Contents
Introduction
IT organizations that rely on Free and Open Source Software (FOSS) face a constant struggle in processing unpatched shared libraries. It’s a non-trivial issue, as shared libraries are a widely targeted attack surface. For example, research suggests that OpenSSL is the most targeted software in the world, accounting for 19% of hostile activity globally.
If you are responsible for OpenSSL and GNU C (glibc) libraries, among many comparable open source codesets, you are obligated to perform timely updates and patch management. The traditional approach to updating libraries involves rebooting the whole server or restarting all the processes if there is no way to identify which processes are still using the outdated libraries. System reboots cause complications and risks of their own, however. Thanks to KernelCare team, we can easily solve this problem with a simple script named UChecker.
What is UChecker
UChecker, short for Userspace Checker, is a free and open source scanner that identifies which of your processes are still using outdated libraries and need a restart. It was created during the development of live patching for shared libraries by KernelCare. With Uchecker, you can identify vulnerable FOSS libraries and patch them. You will have to reboot affected processes (unless you are using rebootless library update services), but by scanning for vulnerabilities, you can determine which processes need attention and which do not.
As a result, you avoid unnecessary server reboots that result in service degradations and/or outages as well as the creation of vulnerability windows as libraries stay unpatched until the reboot can be scheduled. Indeed, you may not even know which services use which libraries, so it’s tempting just to reboot the whole server to update them all or restart the main services. This practice, too, can be as disruptive as a reboot.
How UChecker works
Uchecker works with all modern Linux Distributions, starting from the 6th versions. It’s a free software, built with JSON and open to redistribution and/or modification under the terms of the GNU General Public License. Uchecker detects processes that use old (i.e. unpatched) shared libraries. It detects and reports not-up-to-date shared libraries that are being used by running processes. Its detection capabilities are based on BuildID comparison. As a result, they are aware of deleted or replaced files.
The following graphical illustration shows how Uchecker works.
The Uchecker tool is able to detect Process ID & Name as well as the names of shared libraries that are not patched, along with their build-ids. Uchecker gets the latest BuildIDs from KC resources. It then takes a running process by iterating over /proc/ and gets a linked share library from /proc/<pid>/maps. At that point, Uchecker asks if the shared library has not been replaced or deleted. Depending on the answer, the software will either parse ELF from the file system or parse ELF from mapped memory. Then, Uchecker gathers the BuildID from .note.gnu.build-id.
Detect outdated shared libraries in memory with UChecker
There is no installation required! Just run the Uchecker script to find the unpatched libraries in your Linux server:
# curl -s -L https://kernelcare.com/checker | pythonThe above command scan your Linux server systems for outdated shared libraries linked to the python processes and lists them in the standard output.
You can then update those unpatched libraries using your system's default package manager.
Watch the visual demonstration of how Uchecker works in the following video:
Conclusion
Uchecker enables you to keep your FOSS libraries patched and up to date. You can avoid the common hassle of having to reboot servers because you don’t know which processes need to be restarted. This is relevant for OpenSSL and GNU C (glibc) libraries, among others. With technologies like KernelCare+, it’s even possible now to conduct a live patch of vulnerabilities in essential user space libraries in addition to those in the Linux kernel. You can update applications without affecting their operational state. There are no restarts or reboots required.
Resource:
Related read:
