Researchers Discovered Security Defect in a Kernel Module With all Major Linux Distributions

Linux

Researchers have identified a security flaw in a kernel module that ships with all major Linux distributions, and they’re warning that remote attackers might use it to gain entire control of a susceptible system.

CVE-2021-43267 is a heap overflow in the TIPC (Transparent Inter-Process Communication) module, which is included with the Linux kernel and allows nodes in a cluster to communicate with each other in a fault-tolerant manner.

According to a warning from SentinelOne’s Max Van Amerongen, the security researcher who discovered — and helped fix — the underlying vulnerability, “the vulnerability can be exploited either locally or remotely within a network to gain kernel privileges, allowing an attacker to compromise the entire system.”
Using Microsoft’s CodeQL, an open-source semantic code analysis engine that helps ferret out security flaws at scale, Van Amerongen claimed he uncovered the fault almost by accident.

The weakness was discovered in the Linux kernel in September 2020, when a new user message type called MSG CRYPTO was implemented to allow peers to send cryptographic keys, according to him. Van Amerongen examined the code and discovered a “clear-cut kernel heap buffer overflow” that could be exploited remotely.

Although all major Linux distributions have the vulnerable TIPC module, it must be loaded in order to enable the protocol and trigger the vulnerability.

On October 29, the Linux Foundation released a patch that confirms the underlying vulnerability affects kernel versions 5.10 to 5.15.

SentinelOne stated on Thursday that it had not observed any evidence of abuse in the wild.

“This flaw can be exploited locally as well as remotely.” While local exploitation is easier due to more control over the objects allocated in the kernel heap, Van Amerongen points out that remote exploitation is possible thanks to the structures that TIPC provides.

Get into the Cyber Security Career now!

While TIPC isn’t loaded automatically by the system and must be enabled by end users, Van Amerongen believes the ability to configure it from an unprivileged local perspective, as well as the possibility of remote exploitation, “makes this a dangerous vulnerability” for those who use it in their networks.

TIPC customers should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15, as this vulnerability was found within a year of its introduction into the codebase, he noted.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.