📦 Detect obsolete shared libraries in memory with UChecker

This tutorial explains what UChecker is and how to detect obsolete in-memory shared libraries using UChecker on Linux operating systems.

Introduction

IT organizations that rely on free and open source software (FOSS) face an ongoing challenge when handling insecure shared libraries.

This is not a trivial problem, since shared libraries are the target of attacks.

For example, research shows OpenSSL is the most targeted software in the world, accounting for 19% of hostile activity worldwide – https://hello.global.ntt/en-us/insights/2020-global-threat-intelligence-report

If you use the OpenSSL and GNU C (glibc) libraries among many comparable open source packages, it is your responsibility to keep up to date and manage patches in a timely manner. The traditional approach to updating libraries is to reboot the entire server, or restart all processes if there is no way to determine which processes are still using outdated libraries. However, system reboots in themselves cause complications and risks. Thanks to the KernelCare team, we can easily solve this problem with a simple script called UChecker.

What is UChecker

UChecker, short for Userspace Checker, is a free and open source scanner that detects which of your processes are still using outdated libraries and need to be restarted.

The tool was created by KernelCare during live patching development for shared libraries.

With Uchecker, you can identify vulnerable FOSS libraries and fix them.

You will still have to restart the affected processes (unless you use a service that updates libraries without restarts), but by scanning for vulnerabilities you can determine which processes need attention and which do not.

As a result, you avoid unnecessary server reboots that lead to degraded service and/or outages, and you avoid the vulnerability windows that open when libraries are left unpatched until a reboot is scheduled.

In fact, you may not even know which services are using which libraries, so it is tempting to just reboot the server to update everything, or restart the core services.

This practice can be just as disruptive as a reboot.

How UChecker works

Uchecker works with all modern Linux distributions starting from version 6.

It is free software that may be redistributed and/or modified under the terms of the GNU General Public License.

Uchecker detects processes that are using old (i.e. unpatched) shared libraries.

It detects and reports outdated libraries that are being used by running processes.

Its detection capabilities are based on BuildID comparisons.

As a result, the tool knows about deleted or replaced files.

For each affected process, Uchecker reports the process ID and name, the names of the unpatched shared libraries, and their build IDs.

Uchecker gets the latest BuildIDs from KernelCare (KC) resources.

It then walks the running processes by iterating over /proc/ and reads each process's linked shared libraries from /proc/[pid]/maps.

At this point, Uchecker checks whether the shared library has been replaced or removed on disk.

Depending on the answer, the program will either parse ELF from the file system or parse ELF from mapped memory.

Uchecker then collects the BuildID from the .note.gnu.build-id section.
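The two parsing steps described above, as an added Python example that is not UChecker's own code: it lists the shared libraries in a /proc/[pid]/maps dump, flags those the kernel marks as deleted, and reads the GNU build ID from the PT_NOTE segment (which carries the .note.gnu.build-id note) of an ELF image. It assumes 64-bit little-endian ELF; the names mapped_libraries, gnu_build_id and SAMPLE_MAPS are illustrative, and the sample maps text is constructed.

```python
import re
import struct

PT_NOTE, NT_GNU_BUILD_ID = 4, 3
# Fields: address perms offset dev inode path; the kernel appends " (deleted)"
# when the mapped file was unlinked, e.g. replaced by a package update.
MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+ \S+ \S+ \S+ \d+\s+(/.*\.so[^ ]*)( \(deleted\))?$")
# Constructed sample of /proc/[pid]/maps content (not captured from a real host).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0ac6000 r-xp 00000000 fd:01 131099      /usr/sbin/sshd
7f1c2a400000-7f1c2a47a000 r-xp 00000000 fd:01 393480      /usr/lib64/libssl.so.1.1 (deleted)
7f1c2a47a000-7f1c2a67a000 ---p 0007a000 fd:01 393480      /usr/lib64/libssl.so.1.1 (deleted)
7f1c2a800000-7f1c2a9c4000 r-xp 00000000 fd:01 393221      /usr/lib64/libc-2.17.so
7ffd3b5e0000-7ffd3b601000 rw-p 00000000 00:00 0           [stack]"""

def mapped_libraries(maps_text):
    """Map each shared-library path in a maps dump to True when its
    backing file is marked deleted (the process still runs the old copy)."""
    libs = {}
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            libs[m.group(1)] = libs.get(m.group(1), False) or bool(m.group(2))
    return libs

def gnu_build_id(elf):
    """Return the hex GNU build ID of a 64-bit little-endian ELF image, or None."""
    if len(elf) < 64 or elf[:6] != b"\x7fELF\x02\x01":
        return None
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        if ph + 56 > len(elf):  # truncated program header table
            break
        # Elf64_Phdr: p_type, (p_flags), p_offset, (p_vaddr, p_paddr), p_filesz
        p_type, p_offset, p_filesz = struct.unpack_from("<I4xQ16xQ", elf, ph)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, min(p_offset + p_filesz, len(elf))
        while pos + 12 <= end:  # note header: namesz, descsz, type
            namesz, descsz, ntype = struct.unpack_from("<III", elf, pos)
            desc = pos + 12 + ((namesz + 3) & ~3)  # name is padded to 4 bytes
            if ntype == NT_GNU_BUILD_ID and elf[pos + 12:pos + 12 + namesz] == b"GNU\0":
                return elf[desc:desc + descsz].hex()
            pos = desc + ((descsz + 3) & ~3)  # descriptor is padded to 4 bytes
    return None

if __name__ == "__main__":
    print(mapped_libraries(SAMPLE_MAPS))
```

A build ID obtained this way is what gets compared against the list of current BuildIDs to decide whether a process needs a restart.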

Detecting outdated in-memory libraries with UChecker

No installation required!

Just run the Uchecker script to find the unpatched libraries on your Linux server:

# curl -s -L https://kernelcare.com/checker | python

The above command scans the running processes on your Linux server for obsolete shared libraries and prints the results to standard output.

Conclusion

Uchecker helps you keep your FOSS libraries up to date.

You avoid the usual hassle of rebooting servers simply because you don't know which processes need to be restarted.

This is true for the OpenSSL and GNU C (glibc) libraries, among others.

Thanks to technologies such as KernelCare+, it is now even possible to live-patch vulnerabilities in core user-space libraries in addition to the Linux kernel.

You can update apps without affecting their working state.

No restarts or reboots required.

Download script:

https://github.com/cloudlinux/kcare-uchecker
