Some time ago, sudo was found to have a vulnerability that allowed root privilege escalation without a password, causing an uproar; many companies patched overnight to avoid losses. FreeBuf reported on it in “Can You Get Root Privileges Without a Password? sudo Exposed to a New Vulnerability”.
The turmoil had barely passed when Linux was once again found to have a root privilege escalation vulnerability, and this time the vulnerability had been lurking for 15 years!
Researchers have discovered three vulnerabilities in the Linux kernel’s iSCSI (Internet Small Computer System Interface) subsystem that could allow a local attacker with basic user privileges to gain root privileges on an unpatched Linux system.
SCSI (Small Computer System Interface) defines a parallel I/O bus and data protocol for connecting various peripheral devices (disk drives, tape drives, modems, printers, scanners, optical drives, test equipment, and medical equipment) to a host computer; iSCSI transports that protocol over IP networks.
However, these security holes can only be exploited locally: an attacker must first exploit another vulnerability or use another attack vector to gain access to a vulnerable device before this attack can take place.
A 15-year-old vulnerability
The researchers say the vulnerabilities were introduced during the initial development of the iSCSI kernel subsystem in 2006 and were not discovered until now, a gap of 15 years.
According to the researchers, the vulnerabilities affect all Linux distributions. Fortunately, the vulnerable scsi_transport_iscsi kernel module is not loaded by default.
However, when an attacker targets an affected version, the module can be loaded and then exploited for root privilege escalation.
Linux kernel modules are loaded in two cases: when new hardware is detected, or when a kernel function detects that a module it needs is missing. The latter implicit autoload case is more prone to abuse and can easily be triggered by an attacker, increasing the kernel’s attack surface.
The researchers added that on CentOS 8, RHEL 8, and Fedora systems, unprivileged users can automatically load the required modules if the rdma-core package is installed.
On Debian and Ubuntu systems, however, the rdma-core package automatically loads the two required kernel modules only if RDMA hardware is present, so the scope of the vulnerability is limited there.
Vulnerabilities can lead to local privilege escalation, information disclosure, and denial of service
The vulnerabilities can be exploited to bypass several kernel security mitigations, such as Kernel Address Space Layout Randomization (KASLR), Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Page Table Isolation (KPTI).
The three vulnerabilities, which together can lead to local privilege escalation, are:
CVE-2021-27365: Heap buffer overflow (local privilege escalation, information disclosure, denial of service).
The vulnerability is triggered by setting an iSCSI string attribute to a value larger than one page and then attempting to read it.
More specifically, an unprivileged user can send netlink messages to the iSCSI subsystem (in drivers/scsi/scsi_transport_iscsi.c), which sets attributes associated with iSCSI connections, such as hostname and username, via helper functions in drivers/scsi/libiscsi.c. The size of these attributes is limited only by the maximum length of a netlink message (2^32 or 2^16 bytes, depending on the specific code path that handles the message).
CVE-2021-27363: Kernel pointer leak (information leak).
This vulnerability can be used to determine the address of the iscsi_transport structure.
CVE-2021-27364: Out-of-bounds read (information disclosure, denial of service).
Similar to the first vulnerability, an unprivileged user can craft a netlink message specifying a buffer size that the driver fails to validate, resulting in a controlled out-of-bounds read.
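Both the first and the third vulnerability come down to a length that the unprivileged sender controls being used without being checked against the buffer it ends up in. The following is an added example written for this page, not code from the article, the researchers or the Linux kernel: a user-space model of the two checks the fixes need, with PAGE_SIZE_MODEL standing in for the kernel’s page-sized sysfs buffer and struct nl_msg_model for a netlink message that carries a sender-chosen length. Every function and type name in it is constructed for the illustration.

```c
/* Added example, not code from the article or from the Linux kernel: a user-space
 * model of the two length-validation defects described above, with the bound each
 * fix needs. PAGE_SIZE_MODEL stands in for the kernel's PAGE_SIZE sysfs buffer and
 * struct nl_msg_model for a netlink message carrying a sender-chosen length; every
 * name here is constructed for the illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE_MODEL 4096

/* One string attribute of an iSCSI connection (hostname, username, ...). */
struct conn_params { char *hostname; };

/* Setter for a string attribute taken from a message. The first bug is the absence
 * of the length check: the value was stored at whatever length the message carried,
 * and the sysfs show path later wrote it into a single page. */
int iscsi_set_str_param(struct conn_params *p, const char *data, size_t len)
{
    char *s;
    if (len > PAGE_SIZE_MODEL - 2)   /* leave room for '\n' and NUL on the show side */
        return -EINVAL;
    s = malloc(len + 1);
    if (!s)
        return -ENOMEM;
    memcpy(s, data, len);
    s[len] = '\0';
    free(p->hostname);
    p->hostname = s;
    return 0;
}

/* sysfs-style show handler: writes "<value>\n" into a page-sized buffer and refuses,
 * rather than overflows, if the stored value does not fit. Returns bytes written. */
int iscsi_show_str_param(const struct conn_params *p, char *page, size_t page_len)
{
    size_t n;
    if (!p->hostname)
        return 0;
    n = strlen(p->hostname);
    if (n + 2 > page_len)
        return -EINVAL;
    memcpy(page, p->hostname, n);
    page[n] = '\n';
    page[n + 1] = '\0';
    return (int)(n + 1);
}

/* Simplified message: a header carrying a payload length chosen by the sender. */
struct nl_msg_model { uint32_t data_len; char data[]; };

/* Copies the payload out of a received message. The third bug is trusting data_len
 * on its own; here it must be covered both by the bytes that actually arrived and
 * by the destination buffer, or the copy would read past the end of the message. */
int iscsi_copy_payload(const struct nl_msg_model *m, size_t received_len,
                       char *out, size_t out_len)
{
    if (received_len < sizeof(*m))
        return -EINVAL;
    if (m->data_len > received_len - sizeof(*m) || m->data_len > out_len)
        return -EINVAL;
    memcpy(out, m->data, m->data_len);
    return (int)m->data_len;
}

/* Returns 1 when an over-page attribute is refused and a normal one round-trips. */
int check_str_param_bound(void)
{
    struct conn_params p = { 0 };
    char page[PAGE_SIZE_MODEL], big[PAGE_SIZE_MODEL + 16];
    int rejected, ok;
    memset(big, 'A', sizeof(big));
    rejected = iscsi_set_str_param(&p, big, sizeof(big)) == -EINVAL;
    ok = iscsi_set_str_param(&p, "host1", 5) == 0
         && iscsi_show_str_param(&p, page, sizeof(page)) == 6
         && strcmp(page, "host1\n") == 0;
    free(p.hostname);
    return rejected && ok;
}

/* Returns 1 when an honest length is copied and an overstated one is refused. */
int check_payload_bound(void)
{
    uint32_t raw[2];                 /* constructed 8-byte message: header + "abcd" */
    const struct nl_msg_model *m = (const struct nl_msg_model *)raw;
    char out[16];
    int ok, rejected;
    raw[0] = 4;
    memcpy(&raw[1], "abcd", 4);
    ok = iscsi_copy_payload(m, sizeof(raw), out, sizeof(out)) == 4
         && memcmp(out, "abcd", 4) == 0;
    raw[0] = 64;                     /* header now claims 64 bytes; only 4 arrived */
    rejected = iscsi_copy_payload(m, sizeof(raw), out, sizeof(out)) == -EINVAL;
    return ok && rejected;
}
```

Compile with a C99 compiler and call the two check functions from a main of your own; each returns 1 only when an oversized or overstated length is refused and a well-formed one is handled normally. The point worth carrying into real code is that the bound on the setter side (the attribute length against the page) is what protects the reader side, so the show handler’s own check is a second line of defence rather than the fix itself.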
In addition, all three vulnerabilities can leak data and can be exploited to trigger denial-of-service conditions.
Because heap overflows are non-deterministic, the first vulnerability on its own acts only as an unreliable local DoS.
Combined with an information disclosure, however, it can be exploited as an LPE, allowing an attacker to escalate from an unprivileged user account to root; it can also be used to leak kernel memory.
The second vulnerability (kernel pointer leak) is less impactful and serves only as a potential information leak.
The third vulnerability (out-of-bounds read) likewise serves only as a potential information leak, or as an unreliable local DoS.
All three vulnerabilities were patched in the 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260 updates; the patches became available in the mainline Linux kernel on March 7. No patches will be released for end-of-life kernel versions that are no longer supported, such as 3.x and 2.6.23.
Users already running one of these patched kernel versions cannot be attacked through these vulnerabilities.