Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Linux Foundation Fixes ‘Dangerous’ Code Execution Kernel Bug

Researchers are calling attention to a newly discovered security defect in a kernel module that ships with all major Linux distributions, warning that remote attackers can exploit the bug to take complete control of a vulnerable system.

Researchers are calling attention to a newly discovered security defect in a kernel module that ships with all major Linux distributions, warning that remote attackers can exploit the bug to take complete control of a vulnerable system.

The vulnerability — CVE-2021-43267 — is described as a heap overflow in the TIPC (Transparent Inter-Process Communication) module that ships with the Linux kernel to allow nodes in a cluster to communicate with each other in a fault-tolerant way.

“The vulnerability can be exploited either locally or remotely within a network to gain kernel privileges, allowing an attacker to compromise the entire system,” according to a warning from SentinelOne’s Max Van Amerongen, the security researcher who found — and helped fix — the underlying vulnerability.

Van Amerongen said he discovered the bug almost by accident using Microsoft’s CodeQL, an open-source semantic code analysis engine that helps ferret out security defects at scale.

[ READ: Google Triples Bounty for Linux Kernel Exploitation ]

He said the flaw was introduced in the Linux kernel in September 2020 when a new user message type called MSG_CRYPTO was added to allow peers to send cryptographic keys. Looking at the code, Van Amerongen found a “clear-cut kernel heap buffer overflow” with remote exploit implications.

Although the vulnerable TIPC module comes with all major Linux distributions, it needs to be loaded in order to enable the protocol and trigger the vulnerability.

The Linux foundation shipped a patch on October 29 and confirmed the underlying vulnerability affects kernel versions between 5.10 and 5.15.

Advertisement. Scroll to continue reading.

SentinelOne said Thursday it had not seen evidence of in-the-wild abuse.

“This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports,” Van Amerongen notes. 

While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation “makes this a dangerous vulnerability” for those that use it in their networks

“As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” he added. 

Related: GitHub Announces General Availability of Code Scanning Feature

Related: Google Triples Bounty for Linux Kernel Exploitation

Related: GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.