Nov 7, 2021

Critical Linux Kernel Bug Allows Remote Takeover

The bug (CVE-2021-43267) exists in a TIPC message type that allows Linux nodes to send cryptographic keys to each other.
A critical heap-overflow vulnerability in the Transparent Inter-Process Communication (TIPC) module of the Linux kernel could allow local exploitation and remote code execution, leading to full system compromise.
TIPC is a peer-to-peer protocol used by nodes within a Linux cluster to communicate with each other in an optimized way; it enables various types of messages that are used for different purposes. According to SentinelOne’s SentinelLabs, the bug in question (CVE-2021-43267) specifically resides in a message type that allows nodes to send cryptographic keys to each other. When received, the keys can be used to decrypt further communications from the sending node.
“When loaded by a user, [TIPC] can be used as a socket and can be configured on an interface…as an unprivileged user,” explained SentinelLabs researcher Max Van Amerongen, in a Thursday posting. “All message construction and parsing is performed in the kernel.” This makes it an ideal target for attack, he said.

As for the heap overflow: when it comes to message construction, every TIPC message has a common header format. According to the researcher, that common header contains a “header size” field, which holds the actual header size shifted to the right by two bits, and a “message size” field, which equals the length of the entire TIPC message. These two sizes are validated by the tipc_msg_validate function, he said.
“The message size is correctly validated as greater than the header size, the payload size is validated against the maximum user message size, and the message size is validated against the actual received packet length,” Van Amerongen said – so far, so good. However, a new message type was introduced in September 2020 that lacks such size validations, opening the door to a heap-overflow exploit.
The additional message type, “MSG_CRYPTO,” allows peers to send cryptographic keys to each other, as mentioned. The messages contain the name of the key algorithm and the key itself, according to the analysis. The heap buffer allocated to hold this data is sized as the message size minus the header size.
However, “there are no [size-validation] checks for either the [key length] or the size of the key algorithm name itself (TIPC_AEAD_ALG_NAME) against the message size,” the researcher explained. “This means that an attacker can create a packet with a small body size to allocate heap memory, and then use an arbitrary size in the [key length (keylen)] attribute to write outside the bounds of this location.”
Also, the message-validation function only checks that the message size in the header is within the bounds of the actual packet: “That means that an attacker could create a 20-byte packet and set the message size to 10 bytes without failing the check,” Van Amerongen added.
The bug affects Linux kernel versions between 5.10 and 5.15. It should be noted that while the TIPC module comes with all major Linux distributions, it’s not “on” by default and does need to be enabled in order for an implementation to be vulnerable to attack.
To protect themselves, affected Linux users should apply the just-released patch, which adds appropriate size-verification checks to the process.
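To make the size gap described above concrete, here is an added illustration in C that is not kernel code and not from SentinelLabs: it models the header-size check that lets a message shorter than the packet pass, a MSG_CRYPTO handler that trusts the keylen field (reporting, rather than performing, the overrun), and a hardened handler that verifies keylen against the body size. The header layout, field offsets and size limits are assumptions for this model; only the names TIPC_AEAD_ALG_NAME and keylen come from the article.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Sizes are assumptions for this illustration, not values from the kernel. */
#define HDR_MIN 4
#define HDR_MAX 60
#define TIPC_AEAD_ALG_NAME 32            /* bytes reserved for the algorithm name */
#define KEYLEN_MIN 8
#define KEYLEN_MAX 64
#define CRYPTO_FIXED (TIPC_AEAD_ALG_NAME + 4)   /* name + 4-byte keylen field */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The checks the article attributes to tipc_msg_validate. Byte 0 holds the header
 * size >> 2, bytes 2-3 the message size; a message shorter than the packet passes. */
static bool header_sizes_ok(const uint8_t *pkt, size_t pkt_len, size_t *hsz, size_t *msz)
{
    if (pkt_len < HDR_MIN) return false;
    *hsz = (size_t)pkt[0] << 2;
    *msz = ((size_t)pkt[2] << 8) | pkt[3];
    return *hsz >= HDR_MIN && *hsz <= HDR_MAX && *msz > *hsz && *msz <= pkt_len;
}

/* Unchecked handling: the heap buffer is sized msg_size - hdr_size, while the
 * copy length is taken from the keylen field. Returns how many bytes the copy
 * would run past that buffer (0 = in bounds); nothing is actually copied. */
static size_t crypto_overrun_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    size_t h, m;
    if (!header_sizes_ok(pkt, pkt_len, &h, &m) || h + CRYPTO_FIXED > pkt_len)
        return 0;   /* second clause only keeps this demo memory-safe */
    size_t alloc = m - h, need = CRYPTO_FIXED + be32(pkt + h + TIPC_AEAD_ALG_NAME);
    return need > alloc ? need - alloc : 0;
}

/* Hardened handling, modelled on the size checks the article says the patch adds:
 * room for the fixed fields plus a minimum key, keylen within limits and exact fit. */
static bool crypto_key_valid(const uint8_t *pkt, size_t pkt_len, uint32_t *keylen)
{
    size_t h, m;
    if (!header_sizes_ok(pkt, pkt_len, &h, &m)) return false;
    size_t data_sz = m - h;
    if (data_sz < CRYPTO_FIXED + KEYLEN_MIN) return false;
    *keylen = be32(pkt + h + TIPC_AEAD_ALG_NAME);
    return *keylen <= KEYLEN_MAX && data_sz == CRYPTO_FIXED + *keylen;
}
```

The constructed packets below use an 8-byte header (byte 0 = 2) so that the keylen field sits at offset 40; a 44-byte body claiming a 4096-byte key is accepted by the header check but rejected by the hardened handler.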
The stakes are significant, the researcher warned: “While TIPC itself isn’t loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks,” Van Amerongen said. “What is more concerning is that an attacker that exploits this vulnerability could execute arbitrary code within the kernel, leading to a complete compromise of the system.”
Linux kernel bugs aren’t that common, but they do crop up occasionally. For instance, in April, an information-disclosure vulnerability (CVE-2020-28588) was reported that could be exploited to expose information in the kernel stack memory of vulnerable ARM devices.