The Linux vulnerability series is more than '15 years old', allowing hackers to hijack root privileges

International security researchers recently found three flaws in the iSCSI subsystem of the Linux kernel. These are all critical flaws that, if successfully exploited, could allow a local attacker with basic user privileges to gain root privileges on affected Linux systems. Vulnerabilities are currently being tracked with identifiers CVE-2021-27365, CVE-2021-27363, and CVE-2021-27364.

Fortunately, these security flaws can only be exploited locally, meaning potential attackers will have to have direct access to vulnerable devices by exploiting another vulnerability. Or use an alternate attack vector.

15 years old Linux vulnerabilities

These three holes were discovered by researchers from the GRIMM security team. According to experts' estimates, the flaws have existed for no less than 15 years, most likely from the early stage of development of the iSCSI kernel subsystem in 2006.

According to GRIMM security researcher Adam Nichols, these three vulnerabilities affect all Linux distributions. Fortunately, the scsi_transport_iscsi kernel module that contains the vulnerability is not loaded by default.

However, depending on the Linux distribution targeted by attackers, this module can still be downloaded and exploited for privileged upgrades.

' Usually, the Linux kernel loads modules because the new hardware is discovered or because a module is found to be missing by a kernel function. The second case is more likely to be abused, and at the same time more susceptible to activation by an attacker, allowing them to expand the core's attack surface , '' Nichols said. ' On CentOS 8, RHEL 8 and Fedora systems, unprivileged users can automatically load the required modules if the rdma-core package is installed. Whereas on Debian and Ubuntu systems the rdma-core package will only automatically load the two required kernel modules if the RDMA hardware is available. Hence, the vulnerability has much more limited scope . '

Take up root privileges

An attacker can take advantage of the aforementioned vulnerabilities to bypass security features such as Kernel Address Space Layout Randomization (KASLR), Supervisor Mode Execution Protection (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Page-Table Isolation (KPTI).

Essentially, these three vulnerabilities can lead to local privilege enhancement behavior, information leakage, and denial of service:

1. CVE-2021-27365 : Heap buffer overflow (Local privilege upgrade, Information leak, Denial of service)
2. CVE-2021-27363 : Kernel pointer leak (Information Leakage)
3. CVE-2021-27364 : Out-of-bounds read (Information leakage, Denial of service)

All three vulnerabilities are currently fixed as of updates 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260, patches are available in the kernel. Linux mainline on 7th March. No fixes will be released for non-EOL supported kernel versions such as 3.x and 2.6.23.

If you have one of the above Linux kernel versions installed, your device will no longer be compromised in these three vulnerabilities.

Jessica Tanner

Update 15 March 2021