Researchers have identified a security flaw in a kernel module that ships with all major Linux distributions, and they are warning that remote attackers could use it to gain complete control of a susceptible system.
CVE-2021-43267 is a heap overflow in the TIPC (Transparent Inter-Process Communication) module, which is included with the Linux kernel and allows nodes in a cluster to communicate with each other in a fault-tolerant manner.
According to a warning from SentinelOne’s Max Van Amerongen, the security researcher who discovered — and helped fix — the underlying vulnerability, “the vulnerability can be exploited either locally or remotely within a network to gain kernel privileges, allowing an attacker to compromise the entire system.”
Using Microsoft’s CodeQL, an open-source semantic code analysis engine that helps ferret out security flaws at scale, Van Amerongen claimed he uncovered the fault almost by accident.
The weakness was introduced into the Linux kernel in September 2020, when a new user message type called MSG_CRYPTO was added to let peers send cryptographic keys, he said. Van Amerongen examined the code and found a “clear-cut kernel heap buffer overflow” that could be exploited remotely.
Although all major Linux distributions have the vulnerable TIPC module, it must be loaded in order to enable the protocol and trigger the vulnerability.
On October 29, the Linux Foundation released a patch that confirms the underlying vulnerability affects kernel versions 5.10 to 5.15.
SentinelOne stated on Thursday that it had not observed any evidence of abuse in the wild.
“This flaw can be exploited locally as well as remotely,” Van Amerongen points out. Local exploitation is easier because the attacker has more control over the objects allocated on the kernel heap, but remote exploitation is possible thanks to the structures that TIPC provides.
While TIPC isn’t loaded automatically by the system and must be enabled by end users, Van Amerongen believes the ability to configure it from an unprivileged local perspective, as well as the possibility of remote exploitation, “makes this a dangerous vulnerability” for those who use it in their networks.
TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15, as this vulnerability was found within a year of its introduction into the codebase, he noted.
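As an added example (not from the article or from SentinelOne), a POSIX shell check a defender can run to see whether a host is actually exposed as the article describes: the kernel release falls in the 5.10 to 5.15 range and the tipc module is loaded. The file name under /etc/modprobe.d is my choice; the `install tipc /bin/false` line uses standard modprobe.d syntax.

```shell
#!/bin/sh
# Added example (not the article's or SentinelOne's code): exposure check
# for CVE-2021-43267. Two conditions from the article are tested: kernel
# release within 5.10 .. 5.15, and the tipc module actually loaded.

# Return 0 when a release string as printed by `uname -r` (for example
# "5.15.0-rc3" or "5.10.0-9-amd64") lies within 5.10 .. 5.15.
kernel_in_affected_range() {
    # Keep only the leading digits-and-dots part; drop "-rc1", "-generic", "+", ...
    base=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -s -f2)
    if [ -z "$major" ] || [ -z "$minor" ]; then
        return 2   # unparseable release string
    fi
    [ "$major" -eq 5 ] && [ "$minor" -ge 10 ] && [ "$minor" -le 15 ]
}

# Return 0 when tipc is listed in a file in /proc/modules format
# (the first whitespace-separated field is the module name).
tipc_loaded() {
    grep -q '^tipc[[:space:]]' "${1:-/proc/modules}" 2>/dev/null
}

# Combine both checks; return 0 only when the host is exposed. Prints a
# verdict and, if exposed, the commands that unload and block the module.
report() {
    release="$1"; modules="${2:-/proc/modules}"
    if ! kernel_in_affected_range "$release"; then
        echo "kernel $release is outside the range the advisory names"; return 1
    fi
    if ! tipc_loaded "$modules"; then
        echo "kernel $release is in range but tipc is not loaded"; return 1
    fi
    echo "EXPOSED: kernel $release with tipc loaded; patch, or unload and block it:"
    echo "  modprobe -r tipc && echo 'install tipc /bin/false' > /etc/modprobe.d/tipc-blacklist.conf"
    return 0
}

# Live check of this host; exit status is ignored so the script ends cleanly.
report "$(uname -r)" /proc/modules || :
```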