al capone
Advanced
- Joined
- 13.09.20
- Messages
- 159
- Reaction score
- 1,912
- Points
- 93
Using vulnerabilities, local attackers can bypass security features.
GRIMM specialists have discovered vulnerabilities in the iSCSI subsystem of the Linux kernel that allow local attackers with basic user privileges to increase their privileges to superuser. Vulnerabilities can only be exploited locally, that is, to carry out a cyber attack, an attacker must first gain access to a vulnerable device by exploiting another vulnerability or through an alternative attack vector.
Although the vulnerabilities were only discovered now, they appeared in iSCSI in the early stages of development in 2006. The problems affect all Linux distributions, but fortunately, the vulnerable scsi_transport_iscsi kernel module is not loaded by default. However, depending on which Linux distribution the attackers may be targeting, the module can be downloaded and used to elevate privileges.
As security researcher Adam Nichols explained, the Linux kernel loads modules either because it detects new hardware, or because a kernel function detects that a module is missing. In CentOS 8, RHEL 8, and Fedora, unprivileged users can automatically download the necessary modules if the rdma-core package is installed. In Debian and Ubuntu, the rdma-core package will automatically load only the two required kernel modules if RDMA hardware is available. Thus, on these systems, the exploitation of the vulnerability is limited.
Vulnerabilities:
CVE-2021-27365: Buffer overflow (local privilege escalation, data disclosure, and denial of service);
CVE-2021-27363: Kernel pointer leak (data disclosure);
CVE-2021-27364: Reading outside of the allocated memory area (data disclosure and denial of service).
They can be used by attackers to bypass security features such as kernel address space layout randomization (KASLR), supervisor-mode execution protection (SMEP), supervisor-mode access prevention (SMAP), and kernel page table isolation (KPTI).
All three vulnerabilities are fixed in the versions 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260 and 4.4.260, and the fixes became available in the main Linux kernel on March 7. Patches for more unsupported kernel versions, such as 3.x and 2.6.23, will not be released.
GRIMM specialists have discovered vulnerabilities in the iSCSI subsystem of the Linux kernel that allow local attackers with basic user privileges to increase their privileges to superuser. Vulnerabilities can only be exploited locally, that is, to carry out a cyber attack, an attacker must first gain access to a vulnerable device by exploiting another vulnerability or through an alternative attack vector.
Although the vulnerabilities were only discovered now, they appeared in iSCSI in the early stages of development in 2006. The problems affect all Linux distributions, but fortunately, the vulnerable scsi_transport_iscsi kernel module is not loaded by default. However, depending on which Linux distribution the attackers may be targeting, the module can be downloaded and used to elevate privileges.
As security researcher Adam Nichols explained, the Linux kernel loads modules either because it detects new hardware, or because a kernel function detects that a module is missing. In CentOS 8, RHEL 8, and Fedora, unprivileged users can automatically download the necessary modules if the rdma-core package is installed. In Debian and Ubuntu, the rdma-core package will automatically load only the two required kernel modules if RDMA hardware is available. Thus, on these systems, the exploitation of the vulnerability is limited.
Vulnerabilities:
CVE-2021-27365: Buffer overflow (local privilege escalation, data disclosure, and denial of service);
CVE-2021-27363: Kernel pointer leak (data disclosure);
CVE-2021-27364: Reading outside of the allocated memory area (data disclosure and denial of service).
They can be used by attackers to bypass security features such as kernel address space layout randomization (KASLR), supervisor-mode execution protection (SMEP), supervisor-mode access prevention (SMAP), and kernel page table isolation (KPTI).
All three vulnerabilities are fixed in the versions 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260 and 4.4.260, and the fixes became available in the main Linux kernel on March 7. Patches for more unsupported kernel versions, such as 3.x and 2.6.23, will not be released.