RHEL / CentOS 6.x (64-bit) Malicious Kernel Module Detection (OutlawCountry)

high Nessus Plugin ID 101166

Synopsis

A malicious kernel module is potentially installed on the remote Linux host.

Description

According to diagnostic indicators, the remote Red Hat Enterprise Linux or CentOS host may have a malicious kernel module known as OutlawCountry installed. OutlawCountry creates a hidden netfilter table that allows an authenticated attacker to covertly override existing netfilter/iptables firewall rules.

Note that only RHEL and CentOS 6.x operating systems running kernel version 2.6.32 (64-bit) are reportedly affected. OutlawCountry was disclosed on 2017/06/30 by WikiLeaks as part of their ongoing 'Vault 7' series of leaks.

Solution

Refer to the referenced Red Hat solution article.

See Also

https://access.redhat.com/solutions/3099221

Plugin Details

Severity: High

ID: 101166

File Name: outlaw_country.nasl

Version: 1.5

Type: local

Family: Misc.

Published: 6/30/2017

Updated: 11/27/2023

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux, cpe:/o:centos:centos

Required KB Items: Host/local_checks_enabled

Vulnerability Publication Date: 6/30/2017