Researchers from SentinelLabs have disclosed a vulnerability in the Linux kernel that affects all popular Linux distributions. The kernel's TIPC module, shipped by all common distributions, can be attacked through a heap overflow that leads to a full system takeover. A patch is already available for most distributions.
Security researchers at SentinelLabs, the research division of SentinelOne, have found a heap overflow vulnerability in the TIPC module of the Linux kernel. It can be exploited both locally and remotely from within a network to obtain kernel privileges. The vulnerable module is included in all major Linux distributions, but it is not active by default: it has to be loaded to enable the protocol.
An attacker who exploits the vulnerability can compromise the entire system. Affected are kernel versions from 5.10-rc1 up to 5.15; a patch that fixes the issue was released on October 29. MITRE tracks the vulnerability as CVE-2021-43267.
Exploitation of the TIPC protocol
Transparent Inter-Process Communication (TIPC) is a protocol that lets nodes in a cluster communicate efficiently while remaining fault tolerant. It is implemented as a kernel module that ships with all major Linux distributions. Once a user has loaded the module, TIPC can be used as a socket and, according to SentinelLabs, configured on a network interface by an unprivileged user via netlink (or with the userspace tool tipc, which issues those netlink calls).
In September 2020 a new user message type, MSG_CRYPTO, was added to TIPC to distribute cryptographic keys between nodes, and its handler is where the flaw lies: the kernel sized its heap allocation from the data length in the message header but copied a key length taken from the message body without checking the two against each other, so a crafted message overflows the allocation. Because the module can be configured by an unprivileged local user, and because the message can arrive over the network, this is an extremely dangerous vulnerability for anyone running affected systems. The consequence is that an attacker can execute arbitrary code in the kernel, which amounts to a complete compromise of the system.
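To make the failure mode concrete, here is a user-space model of the MSG_CRYPTO key parsing before and after the fix, added as an example for this article. It is neither the kernel's own code nor code from the SentinelLabs report: the payload layout (32-byte algorithm name, 4-byte big-endian key length, key bytes), the constants and the function names are assumptions modelled on the kernel's TIPC UAPI header and the upstream patch, so confirm the exact values against your own tree.

```c
#include <arpa/inet.h>   /* htonl, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants and key layout modelled on the TIPC UAPI header
 * (assumed values; confirm against include/uapi/linux/tipc.h). */
#define TIPC_AEAD_ALG_NAME    32
#define TIPC_AEAD_KEYLEN_MIN  (16 + 4)   /* AES-128 key + 4-byte salt */
#define TIPC_AEAD_KEYLEN_MAX  (32 + 4)   /* AES-256 key + 4-byte salt */

struct tipc_aead_key {
    char alg_name[TIPC_AEAD_ALG_NAME];
    uint32_t keylen;       /* in bytes */
    char key[];            /* keylen bytes follow */
};

/* Assumed MSG_CRYPTO payload layout:
 *   [32 bytes alg_name][4 bytes keylen, big-endian][keylen bytes of key]
 * 'size' is the payload length taken from the TIPC message header. */
static uint32_t read_keylen(const uint8_t *data)
{
    uint32_t be;
    memcpy(&be, data + TIPC_AEAD_ALG_NAME, sizeof(be));
    return ntohl(be);
}

/* Pre-fix logic (for contrast only; never feed it untrusted input).
 * The allocation is sized from the header's data length, the copy from
 * the keylen field inside the message; nothing reconciles the two. */
struct tipc_aead_key *unpatched_key_rcv(const uint8_t *data, uint16_t size)
{
    struct tipc_aead_key *skey = malloc(size);   /* kmalloc(size) upstream */
    if (!skey)
        return NULL;
    skey->keylen = read_keylen(data);
    memcpy(skey->alg_name, data, TIPC_AEAD_ALG_NAME);
    memcpy(skey->key, data + TIPC_AEAD_ALG_NAME + sizeof(uint32_t),
           skey->keylen);       /* heap overflow once 36 + keylen > size */
    return skey;
}

/* How many bytes the pre-fix path would write past its size-byte buffer. */
size_t msg_crypto_overflow_bytes(const uint8_t *data, uint16_t size)
{
    size_t written = sizeof(struct tipc_aead_key) + (size_t)read_keylen(data);
    return written > size ? written - size : 0;
}

/* Post-fix logic, with the two checks the October 2021 patch introduced.
 * Returns a heap copy of the key (caller frees) or NULL on rejection. */
struct tipc_aead_key *hardened_key_rcv(const uint8_t *data, uint16_t size)
{
    /* 1. The payload must hold the fixed header plus a minimal key. */
    if (size < sizeof(struct tipc_aead_key) + TIPC_AEAD_KEYLEN_MIN)
        return NULL;

    uint32_t keylen = read_keylen(data);

    /* 2. The declared key length must match the bytes actually present
     *    and must not exceed the largest supported key. */
    if (size != sizeof(struct tipc_aead_key) + keylen ||
        keylen > TIPC_AEAD_KEYLEN_MAX)
        return NULL;

    struct tipc_aead_key *skey = malloc(size);
    if (!skey)
        return NULL;
    memcpy(skey->alg_name, data, TIPC_AEAD_ALG_NAME);
    skey->keylen = keylen;
    memcpy(skey->key, data + TIPC_AEAD_ALG_NAME + sizeof(uint32_t), keylen);
    return skey;
}

/* Build a MSG_CRYPTO payload (constructed sample input). claimed_keylen goes
 * into the header field and key_bytes bytes of key follow; letting the two
 * disagree is exactly what a malicious sender does. Returns the payload size. */
uint16_t build_msg_crypto(uint8_t *out, size_t out_cap, const char *alg,
                          uint32_t claimed_keylen,
                          const uint8_t *key, size_t key_bytes)
{
    size_t need = TIPC_AEAD_ALG_NAME + sizeof(uint32_t) + key_bytes;
    if (need > out_cap || need > UINT16_MAX)
        return 0;
    memset(out, 0, TIPC_AEAD_ALG_NAME);
    strncpy((char *)out, alg, TIPC_AEAD_ALG_NAME - 1);
    uint32_t be = htonl(claimed_keylen);
    memcpy(out + TIPC_AEAD_ALG_NAME, &be, sizeof(be));
    memcpy(out + TIPC_AEAD_ALG_NAME + sizeof(be), key, key_bytes);
    return (uint16_t)need;
}

int main(void)
{
    uint8_t key[20] = {0};   /* constructed AES-128 key + salt, all zero */
    uint8_t msg[128];

    uint16_t good = build_msg_crypto(msg, sizeof msg, "gcm(aes)", 20, key, 20);
    struct tipc_aead_key *k = hardened_key_rcv(msg, good);
    printf("well-formed: %s, overflow %zu bytes\n",
           k ? "accepted" : "rejected", msg_crypto_overflow_bytes(msg, good));
    free(k);

    /* Malicious: 20 key bytes on the wire, but the header claims 4096. */
    uint16_t bad = build_msg_crypto(msg, sizeof msg, "gcm(aes)", 4096, key, 20);
    k = hardened_key_rcv(msg, bad);
    printf("keylen=4096: %s, unpatched path would overflow by %zu bytes\n",
           k ? "accepted" : "rejected", msg_crypto_overflow_bytes(msg, bad));
    free(k);
    return 0;
}
```

The pre-fix parser allocates size bytes (the data length from the TIPC header) but copies keylen bytes, a value read from the same message, so a message that claims a larger key than it carries writes past the end of the allocation. The patched parser refuses the message before allocating anything unless the declared key length matches the payload exactly and stays within the largest supported key.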
Disclosure and countermeasures
SentinelLabs reported its findings on Oct. 19. Together with the Linux Foundation and one of the TIPC maintainers, the researchers produced a patch that has been available since Oct. 29 and is included in Linux 5.15, released on Oct. 31, and in all later versions.
The vulnerable code was found roughly a year after it entered the code base, so the window of affected kernels is well defined: TIPC users should check whether they run a kernel between 5.10-rc1 and 5.15 and update if they do. So far SentinelOne has found no evidence that cybercriminals have successfully exploited the flaw.
More technical details about the vulnerability and information on how to fix the problem can be found in the SentinelLabs report.