Expert found a critical remote code execution bug in Linux Kernel

Pierluigi Paganini November 04, 2021

A critical heap-overflow vulnerability, tracked as CVE-2021-43267, in Linux Kernel can allow remote attackers to takeover vulnerable installs.

A SentinelOne researcher discovered a critical remote code execution vulnerability, tracked as CVE-2021-43267, resides in the Transparent Inter Process Communication (TIPC) module of the Linux kernel.

The flaw is a critical heap-overflow issue that could lead to remote code execution and full system compromise.

TIPC (Transparent Inter Process Communication) is a protocol that is specially designed for intra-cluster communication in Linux environments. It can be configured to transmit messages either on UDP or directly across Ethernet.

Since September 2020, the protocol supports a new user message type called MSG_CRYPTO, which allows peers to send cryptographic keys. These keys allow decrypting communications from the node that sent them.

The researcher noticed that the Header Size and the Message Size are both validated against the actual packet size, but he pointed out the lack of checks for either the keylen member of the MSG_CRYPTO message or the size of the key algorithm name itself (TIPC_AEAD_ALG_NAME) against the message size. An attacker can create a packet with a small body size to allocate heap memory, and then can write outside the bounds of the memory space allocated by using an arbitrary size in the keylen attribute.

Linux Kernel RCE

“As for the data being overwritten, at first glance it may look like the overflow will have uncontrolled data, since the actual message size used to allocate the heap location is verified.” reds the post published by SentinelOne. “However, a second look at the message validation function shows that it only checks that the message size in the header is within the bounds of the actual packet. That means that an attacker could create a 20 byte packet and set the message size to 10 bytes without failing the check:

if (unlikely(skb->len < msz))
    return false;

The vulnerability affects Linux kernel versions between 5.10 and 5.15.

SentinelLabs researcher Max Van Amerongen, who discovered the flaw, also discussed a patch idea with one person from the Linux Foundation and one of the TIPC maintainers.

Linux users should apply the patch which implements the missing checks to the process that allows triggering the flaw.

SentinelLabs initially reported the flaw to the team on October 19, 2021, and the patch was included under 5.15 on October 31, 2021

“The vulnerability research that SentinelLabs conducts allows us to protect users on a global scale by identifying and fixing vulnerabilities before malicious actors do. In the case of TIPC, the vulnerability was caught within a year of its introduction into the codebase. While TIPC itself isn’t loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks.” concludes the expert. “What is more concerning is that an attacker that exploits this vulnerability could execute arbitrary code within the kernel, leading to a complete compromise of the system.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux Kernel)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment