
15-Year-Old Linux Bug Lets Attackers Gain Root Privileges

Three bugs found in the mainline Linux kernel turned out to be about 15 years old. One of them is usable for Local Privilege Escalation (LPE) in a number of Linux environments.

GRIMM researchers disclosed the bugs 15 years after they were introduced in 2006, during the initial development of the iSCSI kernel subsystem.

What is SCSI?

SCSI (Small Computer System Interface) is a standard for transferring data between computers and peripheral devices such as hard drives, originally over a physical cable.

SCSI is a venerable standard, first published in 1986, that was long the go-to for server storage. iSCSI carries the same SCSI commands over TCP/IP networks instead of a cable.

The Linux Kernel Bugs

According to GRIMM security researcher Adam Nichols, “The flaws affect all Linux distributions, but luckily, the vulnerable scsi_transport_iscsi kernel module is not loaded by default.”

  • The first vulnerability is a heap buffer overflow in the iSCSI subsystem (CVE-2021-27365)
    Affected versions: tested on RHEL 8.1, 8.2, and 8.3
    Impact: LPE, information leak, denial of service (DoS)
  • The second is a kernel pointer leak that can be used to determine the address of the iscsi_transport structure (CVE-2021-27363)
    Affected versions: tested on RHEL 8.1, 8.2, and 8.3
    Impact: information leak
  • The third is an out-of-bounds kernel read (CVE-2021-27364)
    Affected versions: tested on RHEL 8.1, 8.2, and 8.3
    Impact: information leak, DoS

Impact

Because heap overflows are non-deterministic, the first vulnerability on its own can be used as an unreliable local DoS. Combined with an information leak, however, it can be exploited as an LPE that takes an attacker from an unprivileged user account to root.

A separate information leak is not strictly required, since the same bug can also be used to leak kernel memory. The second vulnerability (the kernel pointer leak) is less severe and serves only as an information leak, although the address it reveals is exactly the kind of information an LPE chain needs to land the heap overflow reliably. The third (the out-of-bounds read) is likewise limited to an information leak or an unreliable local DoS.

Impact Flowchart

“On CentOS 8, RHEL 8, and Fedora systems, unprivileged users can automatically load the required modules if the rdma-core package is installed,” Nichols added.

“On Debian and Ubuntu systems, the rdma-core package will only automatically load the two required kernel modules if the RDMA hardware is available. As such, the vulnerability is much more limited in scope.”

Fixes Available

All three vulnerabilities are fixed in 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260; the patches landed in the mainline Linux kernel on March 7th. No patches will be released for end-of-life, unsupported kernel versions such as 3.x and 2.6.23.

If you are running one of the fixed kernel versions, these bugs can no longer be exploited against your system.

If you have not patched yet, the impact flowchart above shows whether your system is exposed: the deciding questions are whether scsi_transport_iscsi is loaded and whether an unprivileged user can cause it to be loaded.
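The flowchart's questions can be scripted. The following is an added example, not code from GRIMM or from this article: a POSIX shell triage that compares the running kernel's version with the fixed versions listed above, checks /sys/module for scsi_transport_iscsi, and checks whether the rdma-core package is installed. The function names and messages are this example's own. One caveat a practitioner should keep in mind: the version comparison only sees the upstream x.y.z number, so a distribution kernel that backported the fix without changing that number (RHEL 8's 4.18.0-based kernels, for instance) is reported as unpatched; treat that result as a prompt to check the vendor advisory, not as a verdict.

```shell
#!/bin/sh
# Added triage script (not from GRIMM or the article). It answers the three
# questions the impact flowchart asks about a host:
#   1. Does the running kernel carry the fix for CVE-2021-27363/27364/27365?
#   2. Is scsi_transport_iscsi loaded right now?
#   3. If not, is rdma-core installed, so that an unprivileged user may be
#      able to get it loaded?
# Function names and messages are this example's own.

# First fixed release of each stable series, as listed in the article.
FIXED_VERSIONS="5.11.4 5.10.21 5.4.103 4.19.179 4.14.224 4.9.260 4.4.260"

# kernel_is_patched VERSION -> exit 0 if VERSION carries the fix, 1 if not.
# Only the upstream x.y.z prefix is compared; a distro suffix such as
# "-generic" or "-240.el8.x86_64" is dropped. A vendor kernel that backported
# the fix without bumping x.y.z is therefore reported as unpatched, which is
# the conservative answer: confirm against the vendor advisory in that case.
kernel_is_patched() {
    ver=${1%%[!0-9.]*}                 # "5.10.21-generic" -> "5.10.21"
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    maj=$1; min=${2:-0}; pat=${3:-0}   # "5.11" -> 5.11.0
    for f in $FIXED_VERSIONS; do
        frest=${f#*.}
        fmaj=${f%%.*}; fmin=${frest%%.*}; fpat=${frest#*.}
        if [ "$fmaj" -eq "$maj" ] && [ "$fmin" -eq "$min" ]; then
            # Same stable series: fixed from the listed patch level upwards.
            [ "$pat" -ge "$fpat" ] && return 0
            return 1
        fi
    done
    # Not a listed series. Anything after 5.11 branched from a mainline that
    # already had the fix; any older unlisted series (5.9, 3.x, 2.6.x, ...)
    # is end-of-life and never received it.
    if [ "$maj" -gt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -gt 11 ]; }; then
        return 0
    fi
    return 1
}

# iscsi_module_loaded [SYSFS] -> 0 if scsi_transport_iscsi is present in the
# kernel. /sys/module lists built-in modules too, unlike lsmod, and needs no
# extra tools. SYSFS defaults to /sys and exists so the check can be pointed
# at a fake tree.
iscsi_module_loaded() {
    [ -d "${1:-/sys}/module/scsi_transport_iscsi" ]
}

# rdma_core_installed -> 0 if the rdma-core package is installed, checked
# through rpm and then dpkg-query so it works on both package families.
rdma_core_installed() {
    { command -v rpm >/dev/null 2>&1 && rpm -q rdma-core >/dev/null 2>&1; } ||
    { command -v dpkg-query >/dev/null 2>&1 &&
      dpkg-query -W -f='${Status}' rdma-core 2>/dev/null | grep -q 'install ok installed'; }
}

# triage -> prints a verdict for the running host, following the flowchart.
triage() {
    kver=$(uname -r)
    if kernel_is_patched "$kver"; then
        echo "kernel $kver: at or above the fixed release for its series; not exploitable"
        return 0
    fi
    echo "kernel $kver: below the fixed release for its series, or an EOL series"
    if iscsi_module_loaded; then
        echo "  scsi_transport_iscsi is loaded: reachable by local users, LPE possible"
    elif rdma_core_installed; then
        echo "  scsi_transport_iscsi not loaded, but rdma-core is installed:"
        echo "  on RHEL/CentOS/Fedora an unprivileged user may trigger loading it;"
        echo "  on Debian/Ubuntu only when RDMA hardware is present"
    else
        echo "  scsi_transport_iscsi not loaded and rdma-core absent: not reachable"
        echo "  by unprivileged users until something loads the module; patch anyway"
    fi
}

triage
```

Run it as any user; none of the checks need root. The kernel check is pure parameter expansion, so the same function can be fed `uname -r` output collected from a fleet without running the script on every host.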


Guru

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
