Objective 2.3 · High Priority · 9 min read

Operating System Vulnerabilities

Security weaknesses at the operating system level including kernel vulnerabilities, privilege escalation paths, system misconfigurations, and exposed services. These vulnerabilities can lead to complete system compromise.

Understanding Operating System Vulnerabilities

Operating system vulnerabilities affect the core software that manages computer hardware and provides services to applications. Because the OS has the highest privileges on a system, OS vulnerabilities can lead to complete system compromise.

Key OS vulnerability categories:

  • Kernel vulnerabilities — Flaws in the OS core
  • Privilege escalation — Gaining elevated permissions
  • Service vulnerabilities — Flaws in OS-provided services
  • Misconfigurations — Insecure default or manual settings

OS security is critical because compromising the OS gives attackers control over everything running on it.

Why This Matters for the Exam

OS vulnerabilities are fundamental to system security and tested throughout SY0-701. Understanding privilege escalation is especially important—it's how initial access becomes full compromise.

Patching OS vulnerabilities is a core security activity. Knowing why OS patches are critical helps prioritize security efforts.

The exam tests understanding of how OS vulnerabilities differ from application vulnerabilities and appropriate mitigations for each.

Deep Dive

Kernel Vulnerabilities

The kernel is the core of the operating system—vulnerabilities here are extremely serious.

What the Kernel Does:

  • Manages memory
  • Controls processes
  • Handles I/O
  • Enforces security boundaries
  • Provides system calls

Kernel Vulnerability Types:

Type | Description | Impact
--- | --- | ---
Buffer overflow | Overflow in kernel code | Root/SYSTEM access
Use-after-free | Using freed kernel memory | Code execution
Race condition | Timing flaws in the kernel, e.g. a check-then-use window between two system calls | Privilege escalation
Null pointer | Dereferencing null in the kernel | Crash (denial of service); exploitable for code execution on older kernels that let user space map the zero page

Kernel Exploitation:

  • Usually requires local code execution first; remotely reachable kernel bugs are rarer but far more severe (the SMBv1 flaw behind EternalBlue lived in a kernel-mode driver)
  • Results in highest privilege (ring 0)
  • Can bypass all OS security controls
  • Often enables rootkit installation

Kernel Hardening:

  • Keep kernel updated
  • Enable kernel security features (KASLR, SMEP/SMAP, module signature enforcement)
  • Minimize kernel modules
  • Use secure boot

Privilege Escalation

Gaining permissions beyond those originally granted, either a higher level (vertical) or another account's access at the same level (horizontal).

Privilege Escalation Types:

Vertical Escalation

  • User → Administrator/Root
  • Lower privilege → Higher privilege
  • The classic "become admin" attack

Horizontal Escalation

  • User A → User B (same privilege level)
  • Access another user's data/resources
  • Often overlooked but still serious

Common Escalation Methods:

Method | Description
--- | ---
Kernel exploits | Exploit kernel vulnerability for root
SUID/sudo abuse | Exploit setuid binaries or sudo rules
Service exploits | Exploit service running as root
Credential theft | Find stored passwords or tokens
Misconfiguration | Exploit weak permissions
DLL hijacking | Load malicious DLL in privileged process

Windows-Specific Escalation:

  • Token impersonation
  • Unquoted service paths
  • DLL search order hijacking
  • SeImpersonatePrivilege abuse
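Unquoted service paths are exploitable because of how Windows resolves an unquoted ImagePath that contains spaces: it tries each space-separated prefix with ".exe" appended before the full path (Microsoft documents the order for "C:\Program Files\Sub Dir\Program Name" as C:\Program.exe, C:\Program Files\Sub.exe, and so on). The POSIX shell function below is an added example, not code from this page or from CompTIA; it models that search order so a defender can see which planted file names to check for, and which directories must not be writable by low-privileged users. The function name is my own.

```shell
#!/bin/sh
# Added example (not from the page). Given a service's ImagePath, print the
# executables Windows would try, in order, when the path is unquoted and
# contains spaces. Each line before the last is a file an attacker could
# plant if the containing directory is writable. Function name is hypothetical.

unquoted_path_candidates() (
  # A path that starts with a double quote is taken literally: not vulnerable.
  case $1 in
    \"*) printf '%s\n' "$1"; return 1 ;;
  esac
  set -f                 # cron-style globbing must not touch the split words
  set -- $1              # split on whitespace (also collapses repeated spaces)
  path=$*                # rejoined with single spaces
  prefix=''
  for word; do
    prefix=${prefix:+$prefix }$word
    [ "$prefix" = "$path" ] && break   # reached the intended binary
    printf '%s.exe\n' "$prefix"        # attacker-plantable candidate
  done
  printf '%s\n' "$path"                # the real binary, tried last
)

# The vulnerable pattern: third-party software installed to a directory with
# spaces and registered without quotes. On a real host the path comes from
# "sc qc <service>" (BINARY_PATH_NAME) or the service's ImagePath registry value.
unquoted_path_candidates 'C:\Program Files\My App\svc.exe'
```

Only directories on the printed prefixes matter: C:\ and C:\Program Files\ are not user-writable on a default install, so real findings are almost always custom install paths (C:\MyApp Tools\...) whose ACLs grant Users write access. The fix is to quote the path in the service definition.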

Linux-Specific Escalation:

  • SUID/SGID binaries
  • Cron job exploitation
  • Path injection
  • Capability abuse
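These four targets are what an attacker enumerates first after landing a shell. The POSIX shell script below is an added example, not from this page or from CompTIA, covering the two checks that are easiest to automate: listing SUID/SGID binaries with find(1) and parsing getcap(8) output for file capabilities that grant root-equivalent power. Function names and the capability list are my own choices, and the getcap lines at the bottom are a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Added example (not from the page): enumerate two of the Linux escalation
# targets listed above. Function names are hypothetical.
# Sudo rules are the third check: run "sudo -l" by hand; it needs the user's
# credentials (or a NOPASSWD rule) and is not scripted here.

# List regular files under ROOT with the setuid (4000) or setgid (2000) bit.
# Run against / on a real host and diff against a known-good baseline:
# passwd, su, sudo, mount and a few others are expected; a shell,
# interpreter, editor or unknown binary in the list is a finding.
find_suid_sgid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# File capabilities that on their own allow escalation to root or to
# arbitrary files; a binary carrying one is as sensitive as a SUID-root binary.
DANGEROUS_CAPS='cap_setuid cap_setgid cap_sys_admin cap_dac_override
cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# Read "getcap -r /" output on stdin (either the "path cap=ep" form or the
# older "path = cap+ep" form) and print "path capability" for each dangerous one.
flag_dangerous_caps() {
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    path=${line%% *}              # first token is the file path
    for cap in $DANGEROUS_CAPS; do
      case $line in
        *"$cap"*) printf '%s %s\n' "$path" "$cap" ;;
      esac
    done
  done
}

# Live-host wrapper (getcap ships with libcap and is missing on some images).
report_caps() {
  getcap -r "${1:-/}" 2>/dev/null | flag_dangerous_caps
}

# Constructed sample of getcap output, not captured from a real system:
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3 cap_setuid=ep
/opt/tool = cap_sys_admin,cap_net_bind_service+ep'

printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
```

In the sample, ping's cap_net_raw is normal, but an interpreter with cap_setuid lets any user call setuid(0) from a script, and cap_sys_admin is close to full root; both should be removed (setcap -r) or the file restricted to a trusted group.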

System Service Vulnerabilities

Flaws in the services the OS runs. These services typically execute as root or SYSTEM and often listen on the network, so a single bug can hand a remote attacker those privileges directly.

Vulnerable Service Categories:

  • Remote access (SSH, RDP, Telnet)
  • File sharing (SMB, NFS)
  • Print services
  • Management services
  • Authentication services

Service Vulnerability Examples:

  • EternalBlue (SMBv1 vulnerability, MS17-010; spread WannaCry and NotPetya)
  • BlueKeep (RDP vulnerability, CVE-2019-0708; pre-authentication, so reachable by anyone who can connect to port 3389)
  • Heartbleed (OpenSSL, CVE-2014-0160; a library flaw that exposed memory of every service linked against it, which is why library patches count as service patches)

Service Security:

  • Disable unnecessary services
  • Keep services updated
  • Restrict service access
  • Use service-specific security settings
  • Run services with minimal privileges

OS Misconfigurations

Insecure settings that create vulnerabilities.

Common Misconfigurations:

Misconfiguration | Risk
--- | ---
Weak file permissions | Data exposure, escalation
Disabled security features | Reduced protection
Unnecessary services enabled | Expanded attack surface
Default accounts active | Easy compromise
Missing patches | Known vulnerabilities
Insecure authentication | Credential attacks

Configuration Hardening:

  • Follow security benchmarks (CIS Benchmarks, DISA STIGs)
  • Remove or disable default accounts and change default credentials
  • Apply principle of least privilege
  • Enable security features (host firewall, AV/EDR, mandatory access control such as SELinux or AppArmor)
  • Audit configurations regularly and treat drift from the benchmark as a finding

Unpatched Operating Systems

Systems missing security updates remain vulnerable.

Patch Importance:

  • Fixes known vulnerabilities
  • Closes exploitation windows
  • Required for compliance
  • Reduces attack surface

Patch Challenges:

  • Testing requirements
  • Downtime needed
  • Compatibility concerns
  • Volume of patches

How CompTIA Tests This

Example Analysis

Scenario: An attacker gains access to a Linux server through a web application vulnerability. They now have shell access as the "www-data" user. They discover that a backup script (/usr/local/bin/backup.sh) runs as root via cron and is world-writable.

Analysis - Privilege Escalation:

Attack Path:

  1. Initial access as www-data (low-privilege web user)
  2. Discover world-writable script that runs as root
  3. Modify script to add malicious commands
  4. Wait for cron to execute script
  5. Malicious commands run as root

Exploitation:

```bash
echo "cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash" >> /usr/local/bin/backup.sh
```

When cron runs the script as root, it creates a setuid-root copy of bash. The attacker then runs `/tmp/rootbash -p`: without `-p`, bash drops its effective UID back to the real UID on startup, and if /tmp is mounted nosuid the copy will not escalate at all.

Why This Works:

  • Misconfiguration: Script writable by non-root users
  • Dangerous pattern: World-writable script running as root
  • No privilege separation: a file the low-privilege user controls is executed with root's privileges

Defenses:

  • Proper file permissions (root-owned, not writable by group or others, in a directory that is not world-writable)
  • Use absolute paths and a fixed PATH in scripts that run as root, so a writable directory on PATH cannot substitute a command
  • Validate cron job permissions (system and per-user tables, plus every file the jobs execute or source)
  • Implement least privilege: jobs that only need to read a web directory should not run as root
  • Regular security audits

Key insight: Privilege escalation often chains small misconfigurations into full compromise.
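The same misconfiguration can be found before an attacker does. The script below is an added example, not part of this page or of CompTIA's material: it parses a system-format crontab, checks each root job's script for the permission problems described above, and applies the permission fix. Function names are my own, and the crontab and scripts used in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page): audit a system crontab for root jobs whose
# script could be modified by a non-root user, i.e. the misconfiguration in the
# scenario above, then tighten the permissions. Helper names are hypothetical.

# Extract the command path from one crontab line in system format
# ("min hour dom mon dow user command ..." or "@daily user command ...").
# Returns 1 for blank lines, comments, and jobs that do not run as root.
root_job_command() {
  case $1 in ''|'#'*) return 1 ;; esac
  set -f                       # cron fields contain '*'; do not glob them
  set -- $1
  set +f
  case $1 in
    @*) user=$2; cmd=$3 ;;
    *)  [ $# -ge 7 ] || return 1; user=$6; cmd=$7 ;;
  esac
  [ "$user" = root ] || return 1
  printf '%s\n' "$cmd"
}

# Print one "path: reason" line for each way a non-root user could control
# what root executes; print nothing if the script is safe.
check_script_perms() {
  f=$1
  if [ ! -e "$f" ]; then
    printf '%s: missing (whoever can create it controls the job)\n' "$f"
    return
  fi
  [ -z "$(find "$f" -maxdepth 0 -perm -002)" ] || printf '%s: world-writable\n' "$f"
  [ -z "$(find "$f" -maxdepth 0 -perm -020)" ] || printf '%s: group-writable\n' "$f"
  [ -z "$(find "$f" -maxdepth 0 ! -user root)" ] || printf '%s: not owned by root\n' "$f"
  d=$(dirname "$f")
  [ -z "$(find "$d" -maxdepth 0 -perm -002 ! -perm -1000)" ] \
    || printf '%s: parent directory world-writable (script can be replaced)\n' "$f"
}

# Walk a crontab file and check every root job's script.
audit_crontab() {
  while IFS= read -r line || [ -n "$line" ]; do
    cmd=$(root_job_command "$line") || continue
    check_script_perms "$cmd"
  done < "$1"
}

# The fix the page recommends: remove group/other write bits. On a real
# system also run "chown root:root" on the script (omitted: it needs root).
harden_script() {
  chmod go-w "$1"
}

# Usage on a live host (system-wide tables):
#   for t in /etc/crontab /etc/cron.d/*; do [ -f "$t" ] && audit_crontab "$t"; done
```

Two limits worth knowing: per-user tables under /var/spool/cron (or /var/spool/cron/crontabs on Debian) have no user column, so the user must be taken from the file name instead; and the audit inspects only the first token of each command, so a job such as `python3 /opt/report.py` or one that sources a config file needs those arguments checked with the same permission rules.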

Key Terms to Know

operating system vulnerabilities · kernel vulnerabilities · privilege escalation · OS security · system misconfiguration · local exploits · root access

Common Mistakes to Avoid

Thinking privilege escalation requires exploits—misconfigurations alone often enable escalation. Weak permissions are as dangerous as code vulnerabilities.
Ignoring local attacks—many assume attackers need remote exploits. Local privilege escalation after initial access is extremely common.
Assuming patched means secure—patches fix known issues, but misconfigurations and new vulnerabilities remain. Hardening is also required.
Forgetting about services—OS services running as root/SYSTEM are prime escalation targets.

Exam Tips

Kernel vulnerabilities = Most serious OS flaws. Can bypass all security.
Vertical escalation = Lower to higher privilege (user → admin).
Horizontal escalation = Same privilege level, different user (user A → user B).
SUID/sudo misconfigurations = Common Linux privilege escalation.
Unquoted service paths and DLL hijacking = Common Windows escalation.
OS hardening + patching = Defense against OS vulnerabilities.

Memory Trick

"KPSM" - OS Vulnerability Categories

  • Kernel vulnerabilities (core OS flaws)
  • Privilege escalation (gain higher access)
  • Service vulnerabilities (running services)
  • Misconfigurations (insecure settings)

Escalation Direction:

  • Vertical = Very different privilege (up)
  • Horizontal = Hidden (same level, different user)

Linux Escalation Targets: "SSCCP"

  • SUID binaries
  • Sudo misconfig
  • Cron jobs
  • Capabilities
  • Path injection

Windows Escalation Targets: "TUDS"

  • Token impersonation
  • Unquoted service paths
  • DLL hijacking
  • Service exploits

Test Your Knowledge

Q1. An attacker with limited user access exploits a kernel vulnerability to gain root access. This is an example of:

Q2. What makes kernel vulnerabilities particularly dangerous compared to application vulnerabilities?

Q3. A Linux system has a cron job running a script as root, but the script is writable by regular users. What type of vulnerability is this?
