CVE-2018-14634 Google Chronicle · YARA-L

Detect Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634) in Google Chronicle

CVE-2018-14634 is an integer overflow vulnerability in the Linux kernel's create_elf_tables() function, triggered during process execution via the execve syscall. A local unprivileged attacker can exploit this flaw to achieve privilege escalation to root by crafting a binary with an extremely large argument list. This vulnerability exists in Linux kernel versions 2.6.x through 4.14.x and is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Privilege Escalation

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule cve_2018_14634_linux_privesc {
  meta:
    author = "df00tech"
    description = "Detects potential CVE-2018-14634 exploitation: integer overflow in create_elf_tables leading to local privilege escalation"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://www.cve.org/CVERecord?id=CVE-2018-14634"

  events:
    // Trigger: a non-root user launches a shell or Python interpreter
    $execve.metadata.event_type = "PROCESS_LAUNCH"
    $execve.principal.user.userid != "root"
    $execve.principal.user.userid != ""
    $execve.target.process.command_line != ""
    ($execve.target.process.file.full_path = /.*\/sh$/ or
     $execve.target.process.file.full_path = /.*\/bash$/ or
     $execve.target.process.file.full_path = /.*\/python.*/)
    $execve.principal.hostname = $hostname

    // Effect: a process is subsequently launched as root on the same host
    $setuid.metadata.event_type = "PROCESS_LAUNCH"
    $setuid.principal.user.userid = "root"
    $setuid.principal.hostname = $hostname
    $execve.metadata.event_timestamp.seconds <= $setuid.metadata.event_timestamp.seconds

  match:
    // Multi-event rules require a match section; this bounds the correlation window
    $hostname over 5m

  condition:
    $execve and $setuid
}
```
Severity: Critical · Confidence: Medium

Chronicle YARA-L rule detecting CVE-2018-14634 exploitation by correlating non-root shell process launches with subsequent root-level process creation on the same host within 5 minutes, indicative of local privilege escalation via kernel integer overflow. The rule observes the effect of a successful exploit (an unprivileged shell followed by root-owned process creation), not the oversized argument list that triggers the overflow itself, which is why confidence is medium and the tuning guidance below matters.
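The same correlation logic, written out in Python so it can be run offline against constructed UDM-shaped events (this is an added example, not part of the original rule or of Chronicle). The `parent` field and the `BENIGN_PARENTS` suppression are assumptions added to illustrate the sudo/su tuning point, not fields the rule itself uses.

```python
import re

# Constructed sample of UDM-like PROCESS_LAUNCH events (not real telemetry).
# Keys mirror the rule's fields: principal.user.userid -> user,
# principal.hostname -> host, target.process.file.full_path -> path,
# target.process.command_line -> cmdline, event_timestamp.seconds -> ts.
SAMPLE_EVENTS = [
    {"type": "PROCESS_LAUNCH", "host": "web01", "user": "alice", "ts": 1000,
     "path": "/bin/bash", "cmdline": "/bin/bash ./run.sh", "parent": "sshd"},
    {"type": "PROCESS_LAUNCH", "host": "web01", "user": "root", "ts": 1120,
     "path": "/usr/bin/id", "cmdline": "id", "parent": "bash"},
    {"type": "PROCESS_LAUNCH", "host": "web01", "user": "root", "ts": 1200,
     "path": "/usr/bin/apt", "cmdline": "apt update", "parent": "sudo"},
    {"type": "PROCESS_LAUNCH", "host": "db02", "user": "bob", "ts": 2000,
     "path": "/usr/bin/python3", "cmdline": "python3 job.py", "parent": "cron"},
    {"type": "PROCESS_LAUNCH", "host": "db02", "user": "root", "ts": 2700,
     "path": "/bin/ls", "cmdline": "ls", "parent": "bash"},  # 700 s later: outside window
]

# Same path filter as the rule: .../sh, .../bash, or anything under .../python*
SHELL_RE = re.compile(r".*/(sh|bash)$|.*/python.*")
WINDOW_SECONDS = 300  # the rule's 5-minute match window

# Tuning knob (assumption, not in the rule): root launches whose parent is
# sudo/su are treated as authorized interactive escalation and suppressed.
BENIGN_PARENTS = {"sudo", "su"}


def correlate(events, window=WINDOW_SECONDS, benign_parents=BENIGN_PARENTS):
    """Return (trigger, root_event) pairs: a non-root shell/python launch followed
    by a root process launch on the same host within `window` seconds."""
    launches = [e for e in events if e["type"] == "PROCESS_LAUNCH"]
    triggers = [e for e in launches
                if e["user"] not in ("", "root") and e["cmdline"]
                and SHELL_RE.match(e["path"])]
    root_launches = [e for e in launches
                     if e["user"] == "root" and e["parent"] not in benign_parents]
    hits = []
    for t in triggers:
        for r in root_launches:
            # Same host, root event not earlier than the trigger, inside the window
            if r["host"] == t["host"] and 0 <= r["ts"] - t["ts"] <= window:
                hits.append((t, r))
    return hits


if __name__ == "__main__":
    for trigger, root_event in correlate(SAMPLE_EVENTS):
        print(f"{trigger['host']}: {trigger['user']} ran {trigger['path']} at "
              f"{trigger['ts']}, root ran {root_event['path']} at {root_event['ts']}")
```

Dropping the parent-based suppression (`benign_parents=set()`) also flags the sudo-driven `apt` launch, which is exactly the false positive the tuning list describes.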

Data Sources

  • Linux auditd via Chronicle ingestion
  • Endpoint telemetry

Required Tables

UDM events

False Positives & Tuning

  • Legitimate sudo or su usage by authorized administrators
  • setuid-bit binaries executed by non-root users for intended functionality
  • Containerized workloads with complex user namespace transitions
  • Automated deployment scripts that require brief privilege escalation

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Large Argument execve Invocation

    Expected signal: Auditd logs an execve syscall record whose argument vector (a1) or EXECVE args array is unusually large. The corresponding process creation event is logged with a high argument count.

  2. Test 2: Check for Vulnerable Kernel Version

    Expected signal: Process execution of uname and package manager commands logged via auditd or endpoint telemetry.

  3. Test 3: Exploit Binary Drop and Execute Simulation (Lab Only)

    Expected signal: File creation in /tmp, chmod syscall, bash script execution, and id command execution all logged via auditd. File write to /tmp from a non-root user.
