System call filtering

These system call filters are installed to prevent the ability to execute system calls related to forking as a defense mechanism against arbitrary code execution attacks on Elasticsearch.

What is "system calls related to forking" and why is it relevant for defense mechanism?

On Linux, the four filtered syscalls are fork(), vfork(), execve() and execveat().

Many remote code execution exploits work by executing a very small amount of code within the vulnerable process in order to start a separate process, normally a shell that's exposed to the network. This new process then allows much broader access to the rest of the system, opening the door to further vulnerabilities that are perhaps not remotely exploitable. If the syscalls that would be needed to start this separate process are blocked then this common exploit technique is not possible.

This is all somewhat theoretical right now since there are no known vulnerabilities, but Elasticsearch has these protections in place just in case one is discovered in the future.

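The mechanism the reply describes, as an added example (my own code, not Elasticsearch's; the project installs its filter from Java): a seccomp-BPF program that denies exactly the four syscalls named above with EACCES and allows everything else, installed in a throwaway child so the probe can show execve() failing while ordinary calls keep working. It assumes x86_64 or aarch64 Linux and that /bin/true exists. One caveat worth knowing: glibc's fork() wrapper is built on clone(), which is not in the blocked list (threads need it), so the probe exercises the raw fork syscall number directly; in practice it is the execve/execveat rules that stop a process from turning into a shell.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* One deny rule: if nr == (sys), fall through to the RET; otherwise skip it. */
#define DENY_SYSCALL(sys) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (sys), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))

/* Install a filter that makes fork, vfork, execve and execveat fail with
 * EACCES and lets every other syscall through.  Returns 0 on success,
 * otherwise -1 with errno set by prctl(). */
int install_fork_exec_filter(void)
{
    struct sock_filter filter[] = {
        /* Kill the process if the syscall ABI is not the one we compiled for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#if defined(__x86_64__)
        /* x32 syscall numbers carry bit 30 and share the x86_64 ABI tag; kill them. */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
#endif
#ifdef SYS_fork
        DENY_SYSCALL(SYS_fork),
#endif
#ifdef SYS_vfork
        DENY_SYSCALL(SYS_vfork),
#endif
        DENY_SYSCALL(SYS_execve),
#ifdef SYS_execveat
        DENY_SYSCALL(SYS_execveat),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Lets an unprivileged process install a filter it cannot shed via a setuid exec. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Result bits reported by probe_filter_in_child(). */
enum {
    EXECVE_BLOCKED   = 1,   /* execve() failed with EACCES */
    RAW_FORK_BLOCKED = 2,   /* syscall(SYS_fork) failed with EACCES */
    OTHERS_ALLOWED   = 4,   /* getpid() still works */
    INSTALL_FAILED   = 100, /* kernel refused the filter (no seccomp-filter support) */
};

/* Fork a throwaway child (before any filter, so this works), install the
 * filter there and try the blocked calls, keeping the caller unfiltered.
 * Returns the OR of the bits above, or -1 if the child died abnormally. */
int probe_filter_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int bits = 0;
        if (install_fork_exec_filter() != 0)
            _exit(INSTALL_FAILED);
        char *argv[] = { "true", NULL };
        char *envp[] = { NULL };
        /* If the filter missed this, the child becomes /bin/true and exits 0. */
        if (execve("/bin/true", argv, envp) == -1 && errno == EACCES)
            bits |= EXECVE_BLOCKED;
#ifdef SYS_fork
        long r = syscall(SYS_fork);   /* raw syscall, bypassing glibc's clone()-based fork() */
        if (r == 0)
            _exit(0);                 /* unexpected grandchild: report nothing */
        if (r == -1 && errno == EACCES)
            bits |= RAW_FORK_BLOCKED;
#else
        bits |= RAW_FORK_BLOCKED;     /* this ABI has no fork syscall; nothing to block */
#endif
        if (getpid() > 0)
            bits |= OTHERS_ALLOWED;
        _exit(bits);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int bits = probe_filter_in_child();
    printf("probe result: %d (all three bits set = %d)\n", bits,
           EXECVE_BLOCKED | RAW_FORK_BLOCKED | OTHERS_ALLOWED);
    return bits == (EXECVE_BLOCKED | RAW_FORK_BLOCKED | OTHERS_ALLOWED) ? 0 : 1;
}
```

No root is needed: PR_SET_NO_NEW_PRIVS is what allows an unprivileged process to install the filter, and it is also the reason the filter cannot be undone by exec'ing a setuid binary. A kernel built without seccomp-filter support refuses the prctl, which the probe reports as INSTALL_FAILED rather than silently running unprotected.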

What does vulnerable process refer to in your reply? The Elasticsearch process?
And how would one execute a very small amount of code within the process remotely?

What I said applies to syscall filters in general, and was not specifically about Elasticsearch. However, the syscall filters in Elasticsearch are there to protect the Elasticsearch process.

There is no known way to do this.

