Baron SameEdit: Stopping the unstoppable (CVE-2021-3156)

By Archis Gore

One of the few non-controversial opinions in cybersecurity is that enabling any arbitrary user to get super-user privileges, without any caveats, is a bad thing. This is a good training-wheels policy that anyone can grok and perhaps use as the base for all other policies – Mandatory Access Controls, SELinux and AppArmor, Group Policy, AI/ML-based customized policies and whatnot.

Having a bug that bypasses such a foundational premise is arguably a bad thing. Said bug having existed since 2011 (for 9-ish years) is assuredly a worse thing. However, said security vulnerability being published with, and I quote, “Workaround:None.”, is perhaps even worse (and not quite true).

What I am describing is the latest in a long line of unstoppable cybersecurity vulnerabilities whimsically named Baron SameEdit (CVE-2021-3156). It’s kind of a big deal.

I’ll skip the typical buildup and get to the punchline upfront:

All Polyverse customers were impervious to this bug before either we (i.e. Polyverse), they (i.e. Customers) or anyone else (i.e. Security Researchers, patch creators, patch deployers, etc.) knew about the bug.

If you’re running Polymorphing on your systems you’re good. You’ve been good since August 2017, when the solution came into existence. If you would like to get on board, definitely reach out to us and we’re happy to help secure you preemptively against future zero-days.

With that out of the way, I can now talk about the dichotomy between why the researchers at Qualys thought the bug had no workaround and why Polyverse users were preemptively safe without needing one.

Why is the bug considered unstoppable?

When we think of stopping cybersecurity vulnerabilities, traditional security thinking falls into three categories, each of which relies on trusting that systems can be made perfect:

  1. Work around it (which as we’ve learned isn’t always possible)
  2. Stop every exploit by listing each one explicitly in a list that you send to an enforcement program (such as anti-malware or a firewall). You can optionally make this list-generation somewhat easier through Quantum Blockchain Deep-Learning Big-Data Map-Reduce Artificial Intelligence Machine Learning.
  3. A related technique that is wholly ineffective for defensive purposes is anomaly detection, i.e. “Something’s not right.” You can optionally use Quantum Blockchain Deep-Learning Big-Data Map-Reduce Artificial Intelligence Machine Learning for this as well.

What’s the root problem across all three? Your entire security posture relies on trusting a lot of things to be “perfect”: That the code you run has no vulnerabilities until a security scanner tells you suddenly that it does. That the scanners are oracles who know the Truth about vulnerabilities. That patching always works immediately and is perfect (it isn’t). The list goes on.

How Polyverse preemptively stopped an exploit that had no workarounds after the fact

Polyverse’s Zero Trust model works by assuming that all bugs always exist in all systems, rather than looking for them. This seemingly minor difference between us and most traditional security methodologies has massive implications for the results.

When we founded Polyverse in April 2015, we began with this proposition:

“A buffer-overflow already exists. In grub, in the kernel, in the browsers, in the webservers, and in sudo, twice.”

We then set out to solve exactly this: what can we do today so that, on the day the bugs are eventually discovered, we can guarantee that any exploits written against them are either outright impossible or ridiculously difficult (‘difficult’ in the cryptographic sense)?

We solved exactly that with our Polymorphing solution.

Do you want to protect your future?

In case you were wondering, we also protected our customers from Boothole before it was known, from the previous sudo bug, and from a whole host of others. You can get this Zero Trust protection too – with a single-line install and within minutes.

We won’t email you about possibly-an-anomaly, nor will we ever send you desperate rule/signature updates, nor will there be any clever agent/daemon doing anything on your machines. The only email you get from us is a retroactive email telling you that you were always okay.
