Vulnerability in Linux Kernel

Sicherheit (Pexels, allgemeine Nutzung)[German]There is a vulnerability in the kernel of all popular Linux distributions that researchers from SentinelLabs made public a few days ago. A TIPC module in all common Linux distributions can be exploited by heap overflow attacks that can lead to a system takeover. Attackers can compromise the entire system as a result. However, a patch is available for most distributions.


Advertising

Security researchers at SentinelLabs, the research division of SentinelOne, have discovered a heap overflow vulnerability in the TIPC module of the kernel of Linux operating systems. The vulnerability can be exploited either locally or remotely within a network to gain kernel privileges. The vulnerable TIPC module is included in all major Linux distributions, but must be loaded by the user to enable the protocol. 

By exploiting the vulnerability, attackers can compromise the entire system, which can lead to serious consequences. An update patch was released on October 29 that fixes the issue and is applied to kernel versions between 5.10rc-1 and 5.15. MITRE lists the vulnerability as CVE-2021-43267

Exploitation of the TIPC protocol

Transparent Inter-Process Communication (TIPC) is a protocol that allows nodes in a cluster to communicate efficiently while remaining fault tolerant. The protocol is implemented in a kernel module that is included in all major Linux distributions. When loaded by a user, it can be used as a socket and configured as an unprivileged user on an interface with netlink (or with the userspace tool tipc, which makes these netlink calls).

In September 2020, a new user message type called MSG_CRYPTO was introduced that allows sending and exchanging cryptographic keys, which is the origin of the vulnerability. The ability to configure starting from an unprivileged local level and the risk of remote exploitation make this an extremely dangerous vulnerability for anyone deploying affected systems on their networks. Of particular concern is that an attacker exploiting this vulnerability could execute arbitrary code within the kernel, resulting in complete compromise of the system by outsiders.

Disclosure and countermeasures

On Oct. 19, SentinelLabs proactively reported the findings. The security researchers, in collaboration with the Linux Foundation and one of the TIPC maintainers, created a patch that has been available since Oct. 29 and is already present in current Linux versions (after 5.15) since Oct. 31 that fixes the issue.


Advertising

Since the vulnerability was discovered within a year of its introduction into the code base, TIPC users should check if their Linux kernel version is between 5.10-rc1 and 5.15 and update if necessary. At this time, SentinelOne has not discovered any evidence of successful exploits of the protocol by cybercriminals.

More technical details about the vulnerability and information on how to fix the problem can be found in the SentinelLabs report.


Advertising

This entry was posted in Linux, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).