Linux Foundation Fixes ‘Dangerous’ Code Execution Kernel Bug

Researchers are calling attention to a newly discovered security defect in a kernel module that ships with all major Linux distributions, warning that remote attackers can exploit the bug to take complete control of a vulnerable system.

The vulnerability — CVE-2021-43267 — is described as a heap overflow in the TIPC (Transparent Inter-Process Communication) module that ships with the Linux kernel to allow nodes in a cluster to communicate with each other in a fault-tolerant way.

“The vulnerability can be exploited either locally or remotely within a network to gain kernel privileges, allowing an attacker to compromise the entire system,” according to a warning from SentinelOne’s Max Van Amerongen, the security researcher who found — and helped fix — the underlying vulnerability.

Van Amerongen said he discovered the bug almost by accident using Microsoft’s CodeQL, an open-source semantic code analysis engine that helps ferret out security defects at scale.

[ READ: Google Triples Bounty for Linux Kernel Exploitation ]

He said the flaw was introduced in the Linux kernel in September 2020 when a new user message type called MSG_CRYPTO was added to allow peers to send cryptographic keys. Looking at the code, Van Amerongen found a “clear-cut kernel heap buffer overflow” with remote exploit implications.

Although the vulnerable TIPC module comes with all major Linux distributions, it needs to be loaded in order to enable the protocol and trigger the vulnerability.

The Linux foundation shipped a patch on October 29 and confirmed the underlying vulnerability affects kernel versions between 5.10 and 5.15.

SentinelOne said Thursday it had not seen evidence of in-the-wild abuse.

“This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports,” Van Amerongen notes. 

While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation “makes this a dangerous vulnerability” for those that use it in their networks

“As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” he added. 

Related: GitHub Announces General Availability of Code Scanning Feature

Related: Google Triples Bounty for Linux Kernel Exploitation

Related: GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability