Decade-old Linux kernel vulnerabilities are threatening device security

Researchers have identified three vulnerabilities in the Linux kernel's iSCSI subsystem that have been present in the code for more than a decade.

According to cybersecurity firm GRIMM, which found the bugs, a local unprivileged user could exploit them to gain root, and from there steal data, deploy malware or ransomware, or crash the machine, Bleeping Computer reported.

The vulnerabilities (CVE-2021-27365, CVE-2021-27363 and CVE-2021-27364) have since been fixed, with patches for the mainline Linux kernel generally available from March 7. Linux users have been urged to update immediately; because distributions backport kernel fixes without changing the upstream version string, the reliable check is the distribution's own advisory and package version rather than the kernel release number.

Despite their severity, the vulnerabilities are not trivially exploitable: all three require local access, meaning the ability to run code as an unprivileged user on the target. An attacker therefore needs an existing foothold, whether a physical or remote login, a compromised account or service, or a separate vulnerability that yields code execution and can be chained with the kernel bugs.

Detailing his findings in a blog post, GRIMM researcher Adam Nichols noted that the vulnerable scsi_transport_iscsi kernel module is not loaded by default, and explained what that means for exploitability:

“The Linux kernel loads modules either because new hardware is detected or because a kernel function detects that a module is missing,” he wrote. “The latter implicit autoload case is more likely to be abused and is easily triggered by an attacker, enabling them to increase the attack surface of the kernel.”

“On CentOS 8, RHEL 8, and Fedora systems, unprivileged users can automatically load the required modules if the rdma-core package is installed. On Debian and Ubuntu systems, the rdma-core package will only automatically load the two required kernel modules if the RDMA hardware is available. As such, the vulnerability is much more limited in scope.”
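The practical question raised by the two quotes above is whether the iSCSI transport modules are already loaded on a given host and, if not, whether an unprivileged process can still pull them in through implicit autoload. The following script is an added example, not code from GRIMM or from the kernel project: it audits a `/proc/modules`-style listing and a `modprobe.d` fragment for the module named in the article (scsi_transport_iscsi) and the two other modules of the same iSCSI initiator stack (libiscsi, iscsi_tcp). Both input files are constructed sample data so the script runs offline; on a real host, point it at `/proc/modules` and the relevant file under `/etc/modprobe.d/`.

```shell
#!/bin/sh
# Added example (not GRIMM's or the kernel's code): audit loaded iSCSI modules
# and whether implicit autoload is blocked for them via modprobe "install" rules.
# Module names: scsi_transport_iscsi is from the advisory; libiscsi and iscsi_tcp
# are the other modules of the in-kernel iSCSI initiator stack.

ISCSI_MODULES="scsi_transport_iscsi libiscsi iscsi_tcp"

# loaded_iscsi_modules FILE
# Print, one per line, the iSCSI modules present in a /proc/modules-style
# listing (first whitespace-separated field is the module name).
loaded_iscsi_modules() {
    for m in $ISCSI_MODULES; do
        awk -v mod="$m" '$1 == mod { print $1 }' "$1"
    done
}

# autoload_disabled MODULE FILE
# Succeed when FILE (a modprobe.d fragment) contains an
# "install MODULE /bin/false" (or /bin/true) line. An "install" override makes
# every request for MODULE a no-op, including request_module() from the kernel.
# A plain "blacklist MODULE" line only disables the module's aliases; a request
# by name, e.g. as a dependency of another module, still loads it.
autoload_disabled() {
    grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)([[:space:]]|$)" "$2"
}

# audit MODULES_FILE MODPROBE_FILE
# Print one status line per module: LOADED, AUTOLOAD_BLOCKED, or AUTOLOADABLE.
# AUTOLOADABLE means the module is absent and nothing stops a later implicit load.
audit() {
    for m in $ISCSI_MODULES; do
        if awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' "$1"; then
            echo "$m LOADED"
        elif autoload_disabled "$m" "$2"; then
            echo "$m AUTOLOAD_BLOCKED"
        else
            echo "$m AUTOLOADABLE"
        fi
    done
}

# --- Constructed sample data (not captured from a real host) ----------------
TMP=$(mktemp -d)
# /proc/modules format: name size refcount dependents state address
cat > "$TMP/modules" <<'EOF'
xfs 1515520 2 - Live 0xffffffffc0a00000
scsi_transport_iscsi 151552 0 - Live 0xffffffffc09b0000
EOF
# A modprobe.d fragment: iscsi_tcp is correctly blocked; libiscsi only carries
# the weaker "blacklist" form, which the audit deliberately does not count.
cat > "$TMP/iscsi.conf" <<'EOF'
install iscsi_tcp /bin/false
blacklist libiscsi
EOF

audit "$TMP/modules" "$TMP/iscsi.conf"
```

On the sample data the audit reports scsi_transport_iscsi as LOADED, libiscsi as AUTOLOADABLE (the `blacklist` line does not count as protection) and iscsi_tcp as AUTOLOAD_BLOCKED. The script checks module state only; it says nothing about whether the running kernel carries the fixes, which is a question for the distribution's package tooling.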

Bleeping Computer further explained that the bugs could be abused to defeat several kernel hardening features designed to make exploitation harder, including Kernel Address Space Layout Randomization (KASLR), Supervisor Mode Execution Protection (SMEP), Supervisor Mode Access Prevention (SMAP) and Kernel Page-Table Isolation (KPTI).

“The bottom line is that this is still a real problem area for the Linux kernel because of the tension between compatibility and security. Administrators and operators need to understand the risks, their defensive options, and how to apply those options in order to effectively protect their systems,” Nichols concluded.
