
A Trio of Vulnerabilities in the Linux Kernel Can Give Attackers Root Privileges

Linux distributions are susceptible to three recently uncovered vulnerabilities in the kernel's iSCSI module, which is used for accessing shared data storage. The three bugs would give administrative privileges to anyone with a user account. The trio of defects (CVE-2021-27363, CVE-2021-27364, and CVE-2021-27365) has been present in the Linux code since 2006 and went unnoticed until GRIMM researchers found them.

“If you already had the execution on a box, either because you have a user account on the machine, or you’ve compromised some service that doesn’t have repaired permissions, you can do whatever you want basically,” said Adam Nichols, principal of the Software Security practice at GRIMM. 

The vulnerabilities cannot be triggered remotely, so they are not remote exploits, but they are still troubling. They take "any existing threat that might be there. It just makes it that much worse," he explained. Referring to the idea that "many eyes make any bug shallow," he noted that Linux code does not actually get as many eyes as that reputation suggests. The bugs have been there since the code was first published, and in the last fifteen years the code has not really been modified.

GRIMM researchers try to dig into code to see how often vulnerabilities occur wherever possible, which is far more feasible with open source. The sheer size of the Linux kernel is much of the reason the defects slipped by. "It's gotten so big," Nichols said, "there's so much code there." "The real strategy is making sure you're loading as little code as possible."

Nichols said the bugs are present in all Linux distributions, but the affected kernel module is not loaded by default. Whether a regular user can cause the vulnerable module to be loaded varies by distribution; GRIMM verified that it can be on all Red Hat distros. "Even though it's not loaded by default, you can load it and you can exploit it without any trouble," added Nichols.

Whether or not the hardware is present, other systems such as Debian and Ubuntu "are in the same boat as Red Hat, where the user, depending on what packages are installed, can coerce it into getting loaded; then it's there to be exploited," he said. The fixes are included in kernel versions 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. Older kernels are end-of-life and will not be patched.

Nichols suggests blacklisting the kernel module as a temporary measure to neutralize the defects. "Any system that doesn't use that module can just say never load this module under any circumstances, and then you're kept safe," he said. But "if you're actually using iSCSI, then you wouldn't want to do that."
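As an added example (not code from the original post or from GRIMM), the following POSIX shell script performs the two checks a defender would want after reading the above: whether the iSCSI modules are currently loaded, and whether the running kernel is at or past the patched release listed for its stable series. It also prints the modprobe.d fragment that implements the blacklist Nichols describes. The module names libiscsi and scsi_transport_iscsi and the sample /proc/modules lines are assumptions constructed here, not values taken from the post.

```shell
#!/bin/sh
# Added example; not code from the original post or from GRIMM.
# Assumption: the in-tree iSCSI initiator modules are named libiscsi and
# scsi_transport_iscsi. Confirm with `modinfo <name>` on your distribution.
ISCSI_MODULES="libiscsi scsi_transport_iscsi"

# Constructed sample of /proc/modules content, so the script runs offline.
SAMPLE_PROC_MODULES='libiscsi 61440 1 iscsi_tcp, Live 0x0000000000000000
scsi_transport_iscsi 126976 2 iscsi_tcp,libiscsi, Live 0x0000000000000000
xfs 1458176 1 - Live 0x0000000000000000'

# loaded_iscsi_modules MODULES_TEXT
# Prints, space separated, the iSCSI modules that appear in MODULES_TEXT.
loaded_iscsi_modules() {
  found=""
  for m in $ISCSI_MODULES; do
    if printf '%s\n' "$1" | grep -q "^$m "; then
      found="${found:+$found }$m"
    fi
  done
  printf '%s\n' "$found"
}

# iscsi_fix_present KVER
# Compares KVER (e.g. the output of `uname -r`) with the patched releases
# the post lists. Returns 0 if KVER includes the fix, 1 if it is older than
# the fix, and 2 if its major.minor series is not one the post mentions.
iscsi_fix_present() {
  v=${1%%-*}                        # drop distro suffixes such as -amd64
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=0
  case "$v" in
    *.*.*) patch=${v#*.*.}; patch=${patch%%.*} ;;
  esac
  patch=${patch%%[!0-9]*}           # tolerate "21+" style trailers
  [ -n "$patch" ] || patch=0
  case "$major.$minor" in
    5.11) need=4 ;;
    5.10) need=21 ;;
    5.4)  need=103 ;;
    4.19) need=179 ;;
    4.14) need=224 ;;
    4.9)  need=260 ;;
    4.4)  need=260 ;;
    *)    return 2 ;;
  esac
  [ "$patch" -ge "$need" ]
}

# blacklist_config
# Prints a modprobe.d fragment that refuses to load the iSCSI modules.
# A "blacklist" line only stops alias-based autoloading; "install NAME
# /bin/false" also makes an explicit or userspace-triggered modprobe fail,
# which matters because the post says an unprivileged user can coerce the
# module into being loaded.
blacklist_config() {
  for m in $ISCSI_MODULES; do
    printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
  done
}

# Demonstration on the constructed sample and a few version strings.
echo "iSCSI modules in sample: $(loaded_iscsi_modules "$SAMPLE_PROC_MODULES")"
for kv in 5.10.21-amd64 5.4.100 5.12.3; do
  iscsi_fix_present "$kv" && rc=0 || rc=$?
  case $rc in
    0) echo "$kv: includes the fix" ;;
    2) echo "$kv: series not listed in the post; check its changelog" ;;
    *) echo "$kv: older than the patched release" ;;
  esac
done
echo "modprobe.d fragment:"
blacklist_config

# Against the live system, only when /proc/modules is readable.
if [ -r /proc/modules ]; then
  echo "loaded now: $(loaded_iscsi_modules "$(cat /proc/modules)")"
fi
```

To apply the mitigation, write the output of blacklist_config to a file under /etc/modprobe.d/ (a name such as disable-iscsi.conf is a placeholder) and confirm with `modprobe -n -v libiscsi` that loading is refused. A kernel that passes iscsi_fix_present does not need the blacklist, and a host that actually serves iSCSI cannot use it at all, as the post says.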

Unpatched Linux Kernel Vulnerabilities Could Be Exploited For Local DoS

Two recently disclosed denial-of-service (DoS) vulnerabilities, rated Medium severity, affect Linux kernel 4.19.2 and earlier versions. Both are NULL pointer dereference bugs that a local attacker can abuse to trigger a DoS condition.

Tracked as CVE-2018-19406, the first issue resides in the kernel function kvm_pv_send_ipi, defined in arch/x86/kvm/lapic.c. The defect is triggered when the Advanced Programmable Interrupt Controller (APIC) map is not initialized correctly. To trigger it, a local attacker can use crafted system calls to reach a situation where the apic map remains uninitialized.

In a blog post, Linux contributor Wanpeng Li reports:
“The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced”

The second vulnerability, assigned CVE-2018-19407, affects the vcpu_scan_ioapic function defined in arch/x86/kvm/x86.c. The bug is triggered when the I/O Advanced Programmable Interrupt Controller (I/O APIC) is not initialized properly.

The security advisory adds: "the vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized."

“The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed,” reads the analysis published by Wanpeng Li.

Although unofficial patches for the two flaws were released on the Linux Kernel Mailing List (LKML), they have not yet been pushed upstream.