Researchers are raising awareness of a newly found security flaw in a kernel module included with all major Linux distributions, warning that remote attackers can exploit the flaw to gain total control of a susceptible machine.
CVE-2021-43267 is described as a memory overflow in the TIPC (Transparent Inter-Process Communication) module, which ships with the Linux kernel and allows nodes in a cluster to communicate with each other in a fault-tolerant manner. “The vulnerability may be abused either locally or remotely within a network to get kernel privileges, allowing an attacker to compromise the entire machine,” says SentinelOne’s Max Van Amerongen, the security researcher who discovered – and helped fix – the underlying flaw.
Van Amerongen claimed he found the hole almost by accident while using Microsoft’s CodeQL, an open-source semantic code analysis engine that aids in the detection of security flaws at scale.
According to him, the bug was introduced into the Linux kernel in September 2020, when a new user message type named MSG_CRYPTO was implemented to allow peers to exchange cryptographic keys. Van Amerongen examined the code and discovered a “clear-cut kernel heap buffer overflow” with remote attack implications. Although the susceptible TIPC module is included in all major Linux distributions, it must be loaded (which enables the protocol) before the vulnerability can be exploited.
On October 29, the Linux Foundation released a fix that confirms the underlying issue affects kernel versions 5.10 to 5.15. SentinelOne stated on Thursday that it has found no indication of in-the-wild exploitation.
“This vulnerability may be exploited locally as well as remotely. While local exploitation is simpler due to more control over the objects created in the kernel heap, remote exploitation is possible because of the structures supported by TIPC,” Van Amerongen explains.
While TIPC is not automatically loaded by the system and must be enabled by end users, Van Amerongen claims that the ability to configure it from an unprivileged local perspective, as well as the possibility of remote exploitation, “makes this a dangerous vulnerability” for those who use it in their networks.
“Because this vulnerability was found within a year of its introduction into the codebase,” he continued, “TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15.”
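The two exposure conditions the article names (a kernel in the reported 5.10 to 5.15 range and the TIPC module actually being loaded) as a defender-side host check; this is an added example, not code from the article or from SentinelOne, and the version range follows the article's wording, so the exact fix boundary should be confirmed against your distribution's changelog.

```shell
#!/bin/sh
# Added example (not from the article or SentinelOne): check the two conditions
# the article names for CVE-2021-43267 exposure, a kernel release inside the
# reported 5.10 .. 5.15 range and the TIPC module being loaded.

# Return 0 when "$1" (e.g. "5.13.0-40-generic" or "5.10-rc1") has major.minor
# inside the range the article reports as affected (inclusive), 1 otherwise.
kernel_in_affected_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    # strip suffixes such as "-rc1" from the minor component
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -eq 5 ] && [ "$minor" -ge 10 ] && [ "$minor" -le 15 ]
}

# Return 0 when the module list on stdin (lsmod format) contains tipc.
tipc_loaded_in() {
    awk '$1 == "tipc" { found = 1 } END { exit !found }'
}

# Print an assessment for a kernel release string and an lsmod-style list.
assess() {
    kver=$1
    modlist=$2
    if kernel_in_affected_range "$kver"; then
        echo "kernel $kver: inside the range the article names; confirm the Oct 29 fix is present"
    else
        echo "kernel $kver: outside the range the article names"
    fi
    if printf '%s\n' "$modlist" | tipc_loaded_in; then
        echo "tipc module loaded: protocol enabled, vulnerable code reachable"
    else
        echo "tipc module not loaded: vulnerable code not reachable"
    fi
}

# Live check on the current host; lsmod may be absent in minimal containers.
main() {
    assess "$(uname -r)" "$(lsmod 2>/dev/null)"
}

main "$@"
```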