Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Linux Foundation Fixes ‘Dangerous’ Code Execution Kernel Bug

Researchers are calling attention to a newly discovered security defect in a kernel module that ships with all major Linux distributions, warning that remote attackers can exploit the bug to take complete control of a vulnerable system.

Researchers are calling attention to a newly discovered security defect in a kernel module that ships with all major Linux distributions, warning that remote attackers can exploit the bug to take complete control of a vulnerable system.

The vulnerability — CVE-2021-43267 — is described as a heap overflow in the TIPC (Transparent Inter-Process Communication) module that ships with the Linux kernel to allow nodes in a cluster to communicate with each other in a fault-tolerant way.

“The vulnerability can be exploited either locally or remotely within a network to gain kernel privileges, allowing an attacker to compromise the entire system,” according to a warning from SentinelOne’s Max Van Amerongen, the security researcher who found — and helped fix — the underlying vulnerability.

Van Amerongen said he discovered the bug almost by accident using Microsoft’s CodeQL, an open-source semantic code analysis engine that helps ferret out security defects at scale.

[ READ: Google Triples Bounty for Linux Kernel Exploitation ]

He said the flaw was introduced in the Linux kernel in September 2020 when a new user message type called MSG_CRYPTO was added to allow peers to send cryptographic keys. Looking at the code, Van Amerongen found a “clear-cut kernel heap buffer overflow” with remote exploit implications.

Advertisement. Scroll to continue reading.

Although the vulnerable TIPC module comes with all major Linux distributions, it needs to be loaded in order to enable the protocol and trigger the vulnerability.

The Linux foundation shipped a patch on October 29 and confirmed the underlying vulnerability affects kernel versions between 5.10 and 5.15.

SentinelOne said Thursday it had not seen evidence of in-the-wild abuse.

“This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports,” Van Amerongen notes. 

While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation “makes this a dangerous vulnerability” for those that use it in their networks

“As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” he added. 

Related: GitHub Announces General Availability of Code Scanning Feature

Related: Google Triples Bounty for Linux Kernel Exploitation

Related: GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.