computer Security

15 Years Old Linux Bug Let Attackers Gain Admin Privileges

Three bugs found in the mainline Linux kernel turned out to be about 15 years old. One of these bugs turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments.

GRIMM researchers revealed the bugs 15 years after they were introduced in 2006 during the initial development stages of the iSCSI kernel subsystem.

What is SCSI?

SCSI (Small Computer System Interface) data transport, is a standard for transferring data made for connecting computers with peripheral devices, originally via a physical cable, like hard drives.

 SCSI is a venerable standard originally published in 1986 and was the go-to for server setups, and iSCSI is SCSI over TCP.

The Linux Kernal Bugs

According to GRIMM security researcher Adam Nichols, “The flaws affect all Linux distributions, but luckily, the vulnerable scsi_transport_iscsi kernel module is not loaded by default.”

  • The first vulnerability is a heap buffer overflow in the iSCSI subsystem –(CVE-2021-27365)
    Affected Versions: Tested on RHEL 8.1, 8.2, and 8.3
    Impact: LPE, Information Leak, Denial of Service (DoS)
  • GRIMM discovered a kernel pointer leak that can be used to determine the address of the iscsi_transport structure. (CVE-2021-27363)
    Affected Versions: Tested on RHEL 8.1, 8.2, and 8.3
    Impact: Information Leak
  • The final vulnerability is an out-of-bounds kernel read (CVE-2021-27364)
    Affected Versions: Tested on RHEL 8.1, 8.2, and 8.3
    Impact: Information Leak, DoS


Due to the non-deterministic nature of heap overflows, the first vulnerability could be used as an unreliable, local DoS. Though, when combined with an information leak, this vulnerability can be further exploited as an LPE that allows an attacker to escalate from an unprivileged user account to root.

A separate information leak is not necessary, though, since this vulnerability can be used to leak kernel memory as well. The second vulnerability (kernel pointer leak) is less impactful and could only serve as a potential information leak. Similarly, the third vulnerability (out-of-bounds read) is also limited to functioning as a potential information leak or even an unreliable local DoS.

Impact Flowchart

“On CentOS 8, RHEL 8, and Fedora systems, unprivileged users can automatically load the required modules if the rdma-core package is installed,” Nichols added.

“On Debian and Ubuntu systems, the rdma-core package will only automatically load the two required kernel modules if the RDMA hardware is available. As such, the vulnerability is much more limited in scope.”

Fixes Available

All three vulnerabilities are patched as of 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260, and patches became available in the mainline Linux kernel on March 7th. No patches will be released for EOL unsupported kernels versions like 3.x and 2.6.23.

If you have already installed one of the Linux kernel versions, your device can’t be compromised in attacks exploiting these bugs.

If you haven’t patched your system, you can use the above diagram to find if your device is vulnerable to exploitation attempts.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Linux SUDO Flaw Lets Local Users Gain Root Privileges

What is the Linux Firewall? How to Enable Packet Filtering With Open Source Iptables Firewall?

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Pentagon IT Service Provider Hacked: U.S. Government Secrets Exposed

Leidos Holdings Inc., one of the largest IT services providers to the U.S. government, experienced…

6 hours ago

Top Phishing Campaigns in July 2024: SharePoint Abuse, DeerStealer, and More

July saw a new influx of phishing and malware campaigns. The analyst team at ANY.RUN…

18 hours ago

IPFire Unveils New Feature to Protect Systems from SYN Flood Attacks

IPFire, a well-known open-source firewall solution, has introduced a new feature to protect systems from…

20 hours ago

Hackers Abuse Cloudflare WARP To Hijack Cloud Services

Recently, it has been observed that several campaigns are using Cloudflare's WARP service to target…

20 hours ago

Wiz Rejects Google’s $23 Billion Deal

Wiz, the $12 billion cloud security startup, has rejected a $23 billion acquisition offer from…

23 hours ago

Okta Browser Plugin Vulnerable To Reflected Cross-Site Scripting Attacks

Okta Browser Plugin is available on multiple browsers like Edge, Chrome, Safari, and Firefox. Combining…

1 day ago