Experts found three new 15-year-old bugs in a Linux kernel module

Three 15-year-old flaws in Linux kernel could be exploited by local attackers with basic user privileges to gain root privileges on vulnerable Linux systems.

GRIMM researchers found three vulnerabilities in the SCSI (Small Computer System Interface) component of the Linux kernel, the issues could be exploited by local attackers with basic user privileges to gain root privileges on unpatched Linux systems.

The Small Computer Systems Interface defined both a parallel I/O bus and a data protocol to connect a wide variety of peripherals (disk drives, tape drives, modems, printers, scanners, optical drives, test equipment, and medical devices) to a host computer.

The flaws were present in the component since it was being developed in 2006.

The first vulnerability, tracked as CVE-2021-27365, is a heap buffer overflow in the iSCSI subsystem. 

“The vulnerability is triggered by setting an iSCSI string attribute to a value larger than one page, and then trying to read it.” reads the analysis published by GRIMM researchers. “More specifically, an unprivileged user can send netlink messages to the iSCSI subsystem (in drivers/scsi/scsi_transport_iscsi.c) which sets attributes related to the iSCSI connection, such as hostname, username, etc, via the helper functions in drivers/scsi/libiscsi.c. These attributes are only limited in size by the maximum length of a netlink message (either 232 or 216 depending on the specific code processing the message).”

The second vulnerability, tracked as CVE-2021-27363, is a heap overflow vulnerability. The researchers discovered a kernel pointer leak that can be used to determine the address of the iscsi_transport structure. 

The last flaw, tracked as CVE-2021-27364, is an out-of-bounds kernel read issue that resides in the libiscsi module (drivers/scsi/libiscsi.c).

“Similar to the first vulnerability, an unprivileged user can craft netlink messages that specify buffer sizes that the driver fails to validate, causing a controllable out-of-bounds read.” continues the analysis. “There are multiple user-controlled values that are not validated, including the calculation of the size of the preceding header, allowing for a read of up to 8192 bytes at a controllable 32-bit offset from the original heap buffer.”

The three vulnerabilities can also lead to data leaks and could be exploited to trigger denial of service conditions.

“Due to the non-deterministic nature of heap overflows, the first vulnerability could be used as an unreliable, local DoS. However, when combined with an information leak, this vulnerability can be further exploited as a LPE that allows an attacker to escalate from an unprivileged user account to root. A separate information leak is not necessary, though, since this vulnerability can be used to leak kernel memory as well.” continues the analysis. “The second vulnerability (kernel pointer leak) is less impactful and could only serve as a potential information leak. Similarly, the third vulnerability (out-of-bounds read) is also limited to functioning as a potential information leak or even an unreliable local DoS.”

Attackers could exploit the vulnerabilities to bypass the security features Kernel Address Space Layout Randomization (KASLR) bypass, Supervisor Mode Execution Protection (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Page-Table Isolation (KPTI). 

The flaws affect all Linux distributions where the scsi_transport_iscsi kernel module has been loaded, but the good news is that this isn’t a default setting.

“The vulnerabilities discussed above are from a very old driver in the Linux kernel. This driver became more visible due to a fairly new technology (RDMA) and default behavior based on compatibility instead of risk.” concludes the analysis. “The Linux kernel loads modules either because new hardware is detected or because a kernel function detects that a module is missing.”

Below the timeline for these flaws:

• 02/17/2021 – Notified Linux Security Team
• 02/17/2021 – Applied for and received CVE numbers
• 03/07/2021 – Patches became available in mainline Linux kernel
• 03/12/2021 – Public disclosure (NotQuite0DayFriday)

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]