Cybersecurity researchers have helped fix a critical heap-overflow security vulnerability in the Linux kernel that could be exploited either locally or through remote code execution (RCE) to compromise the vulnerable Linux computers.
Discovered by SentinelLabs’ researcher Max Van Amerongen, the vulnerability tracked as CVE-2021-43267 exists in the Transparent Inter Process Communication (TIPC) module of the kernel, specifically in a message type that allows nodes to send cryptographic keys to each other.
“This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports,” notes Amerongen.
Since the affected message type is relatively new, the bug only exists in kernel releases between v5.10 and v5.15.
Caught within an year
The researcher explains that the vulnerable message type, called MSG_CRYPTO, was introduced in September 2020, for exchanging cryptographic keys.
However, Amerongen discovered that while the message type made various allocations for transferring the keys, it failed to check and validate some of them.
This oversight could, for instance, enable an attacker to create a packet with a small body size to first allocate heap memory, and then use an arbitrary size in an unchecked attribute to write outside the bounds of this location, explains Amerongen.
Perhaps the one saving grace that has ensured that the vulnerability hasn’t been exploited in the wild is that while the TIPC module comes with all major Linux distros, it’s not enabled by default, which it needs to be for the attackers to exploit.
In any case, a patch has been released that adds appropriate size-verification checks to the process, which has already been added to the mainline Linux 5.15 Long Term Support (LTS) release.
