An exploitable bug sitting in a popular Linux kernel module, has been found after five years, researchers have claimed.
Detailing the findings in a blog post, researcher Samuel Page from cybersecurity firm Appgate said the flaw was a stack buffer overflow, found in the kernel networking module for the Transparent Inter-Process Communication (TIPC) protocol.
Page describes TIPC as an IPC mechanism designed for intra-cluster communication. “Cluster topology is managed around the concept of nodes and the links between these nodes,” he says.
Denial of service and code execution attacks
TIPC communications go over a “bearer”, a TIPC abstraction of a network interface. A “media” is a bearer type, with the protocol currently supporting Ethernet, Infiniband, UDP/IPv4 and UDP/IPv6.
The flaw allows the attacker to engage in a denial-of-service attacks and, sometimes, remote code execution.
“Exploitation is trivial and can lead to denial of service via kernel panic. In the absence, or bypass, of stack canaries/KASLR the vulnerability can lead to control flow hijacking with an arbitrary payload,” the blog says.
Those running versions 4.8 – 5.17-rc3 of the Linux kernel should make sure to patch to the latest version, as they’re vulnerable to the flaw. Those that are unable to patch their systems up immediately should enforce a configuration that prevents an attacker from impersonating a node in their clusters, for example by using TIPC-level encryption.
“The vulnerability lies in the fact that during the initial sanity checks, the function doesn’t check that member_cnt is below MAX_MON_DOMAIN which defines the maximum size of the members array. By pretending to be a peer node and establishing a link with the target, locally or remotely, we’re able to first submit a malicious domain record containing an arbitrary payload; so long as the len/member_cnt fields match up for the sanity checks, this will be kmallocated fine,” it is explained in the blog post.
“Next, we can send a newer domain record which will cause the previous malicious record to be memcpy’d into a 272 bytes local struct tipc_mon_domain &dom_bef triggering a stack overflow.”
But there are some caveats to the flaw, Page adds. The attacker is restricted by the TIPC media types that are set up on the target endpoint. “Locally, if the module is loaded, an attacker can use the underlying netlink communications to configure a bearer (credit to bl@sty for his work on CVE-2021-43267). They won’t, however, have permissions to send raw ethernet frames, leaving a UDP bearer the likely option,” the blog post concludes.
- You might also want to check out our list of the best firewalls right now