3 vulnerabilities in the Linux kernel allow privilege escalation

Over the past week, three vulnerabilities were disclosed in the Linux kernel that potentially allow a local user to elevate their privileges on the system.

One of the reported vulnerabilities (CVE-2021-26708) was found in the socket implementation for AF_VSOCK addressing, which is intended for networking between guest and host applications. The problem is caused by a race condition in the locking used to support multiple transports (VSOCK multi-transport).

The researcher who identified the vulnerability claims to have created a working exploit that obtains root privileges on Fedora Server 33, bypassing the SMEP (Supervisor Mode Execution Prevention) and SMAP (Supervisor Mode Access Prevention) protection mechanisms. The exploit code will be published once the updates have been generally distributed.

The vulnerability has been present since v5.5-rc1 and was fixed in 5.10.13. On RHEL, the problem only manifests from version 8.3 (kernel 4.18.0-240), which introduced VSOCK support. The stable branches of Debian and SUSE are not affected. On Ubuntu, the status of the vulnerability has yet to be determined.

The second reported vulnerability (CVE-2021-3347) could allow kernel-level code execution via futex manipulation. The problem is caused by access to an already freed memory area (use-after-free) while handling an exception.

There is no information yet on the existence of an exploit, but the exploit that surfaced last month for the old futex vulnerability CVE-2014-3153, found in 2014, suggests that this class of problem is exploitable.

The problem has been present since 2008 and potentially affects all distributions. The vulnerability has already been fixed in SUSE and Fedora, and partially in Debian. On Ubuntu and RHEL, the problem has not been fixed yet.

The fix addresses a long-standing issue where the user-space part of the futex cannot be written to. The kernel returns with an inconsistent state, which can, in the worst case, result in a use-after-free involving a task's kernel stack.

The solution is to establish a consistent kernel state that makes further operations on the futex fail, because the user-space and kernel state are inconsistent. This is not a problem, since PI futexes fundamentally require a functional RW mapping, and if user space pulls the rug from under it, it gets to keep the pieces it ordered.

The last reported vulnerability (CVE-2021-20226) is in the asynchronous I/O interface io_uring and is caused by access to an already freed block of memory (use-after-free) while processing file descriptors, due to an incorrect check for the existence of an object before performing the IORING_OP_CLOSE operation.

According to Red Hat, the vulnerability is limited to a denial of service or a kernel memory leak, but according to the Zero Day Initiative it allows a local user to execute code at the kernel level.

A use-after-free flaw was found in io_uring in the Linux kernel, where a local attacker with user privileges could cause a denial of service problem on the system.

The problem arises from the lack of validation of the object's existence before operating on it, combined with not incrementing the file's reference counter while it is in use.
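The bug class described above (using an object from a descriptor table without holding your own reference, so a concurrent close can free it under you) is illustrated by the following constructed C model. This is an added example written for this article, not io_uring or kernel code; the `file_obj` structure, `table_close()` and the two `operation_*` functions are assumptions that model the pattern, and the `freed_count` observer is used so that the program reports the dangling pointer without actually touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a reference-counted file object held in a descriptor
 * table. Illustrative code for this article, not io_uring or kernel code. */
struct file_obj {
    int refcount;
    int fd;
};

/* Observer: how many objects have been freed so far. Lets the example report
 * a use-after-free window without dereferencing freed memory. */
static int freed_count = 0;

static struct file_obj *file_alloc(int fd)
{
    struct file_obj *f = malloc(sizeof *f);
    if (!f)
        abort();
    f->refcount = 1;            /* the descriptor table holds the initial reference */
    f->fd = fd;
    return f;
}

static void file_get(struct file_obj *f)
{
    f->refcount++;
}

static void file_put(struct file_obj *f)
{
    if (--f->refcount == 0) {
        free(f);
        freed_count++;
    }
}

/* A close request from another context: the table drops its reference. */
static void table_close(struct file_obj **slot)
{
    struct file_obj *f = *slot;
    *slot = NULL;
    file_put(f);
}

/* Buggy pattern: borrow the table's pointer and keep using it without taking a
 * reference. If a close races in, the object is freed while still in use.
 * Returns 1 if the object was freed during the operation (the UAF window). */
int operation_without_ref(void)
{
    freed_count = 0;
    struct file_obj *slot = file_alloc(3);
    struct file_obj *f = slot;      /* borrowed pointer, no file_get() */

    table_close(&slot);             /* concurrent close drops the last reference */
    int freed_while_in_use = (freed_count == 1);
    /* The real bug would now touch *f; here we only report that it dangles. */
    (void)f;
    return freed_while_in_use;
}

/* Fixed pattern: validate the slot and take a reference for the duration of
 * the operation. Returns 0 when the object stays alive until the operation's
 * own put, 1 if it was freed early, -1 if the model itself misbehaved. */
int operation_with_ref(void)
{
    freed_count = 0;
    struct file_obj *slot = file_alloc(3);
    struct file_obj *f = slot;

    if (!f)
        return -1;                  /* object no longer exists: fail cleanly */
    file_get(f);                    /* the operation owns its own reference */
    table_close(&slot);             /* table's reference gone; refcount is 1, still alive */
    int freed_while_in_use = (freed_count == 1);
    int fd_seen = f->fd;            /* safe: the object is still alive */
    file_put(f);                    /* operation done; this put frees it */
    if (freed_while_in_use)
        return 1;
    return (fd_seen == 3 && freed_count == 1) ? 0 : -1;
}

int main(void)
{
    printf("without reference: freed during use = %d\n", operation_without_ref());
    printf("with reference:    freed during use = %d\n", operation_with_ref());
    return 0;
}
```

The only difference between the two paths is the `file_get()`/`file_put()` pair around the work; that pair is what the article's description says was missing, and it is also what a reviewer looks for whenever a pointer obtained from a shared table outlives the lock or lookup that produced it.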

The vulnerability has been present since kernel 5.5 and was fixed in kernel 5.10.2 (according to other sources, a patch removing the vulnerability was already included in kernel 5.9-rc1). The problem has already been fixed in Fedora.

In the stable branches of RHEL and Debian, the problem does not appear. The status of the vulnerability in Ubuntu has yet to be determined.
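Two of the three bugs are given as upstream version ranges (VSOCK: v5.5-rc1 up to the fix in 5.10.13; io_uring: 5.5 up to the fix in 5.10.2). The following added C program, not part of the original article, parses `uname -r` style release strings and checks whether a version falls inside such a range, treating an `-rcN` tag as older than the final release of the same version. The function names and the range check are this example's own; the version numbers come from the text above. It only reasons about upstream numbering: distributions backport fixes into old version numbers (the article's RHEL kernel 4.18.0-240 is affected despite its low number), so the distribution's advisory remains the authoritative answer.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Parsed upstream kernel version. rc == 0 means a final release;
 * an -rcN tag sorts before the final release of the same version. */
struct kver {
    int major, minor, patch, rc;
};

/* Parse strings such as "5.10.12-200.fc33.x86_64", "v5.5-rc1" or "5.9-rc1".
 * Only the leading upstream part is read; a distro suffix after '-' (other
 * than "-rc") is ignored. Returns 0 on success, -1 on failure. */
int kver_parse(const char *s, struct kver *out)
{
    char *end;
    long v;

    memset(out, 0, sizeof *out);
    if (*s == 'v')
        s++;
    v = strtol(s, &end, 10);
    if (end == s)
        return -1;
    out->major = (int)v;
    if (*end != '.')
        return -1;                      /* require at least major.minor */
    s = end + 1;
    v = strtol(s, &end, 10);
    if (end == s)
        return -1;
    out->minor = (int)v;
    if (*end == '.') {                  /* optional patch level */
        s = end + 1;
        v = strtol(s, &end, 10);
        if (end == s)
            return -1;
        out->patch = (int)v;
    }
    if (strncmp(end, "-rc", 3) == 0) {  /* optional release-candidate tag */
        s = end + 3;
        v = strtol(s, &end, 10);
        if (end == s)
            return -1;
        out->rc = (int)v;
    }
    return 0;
}

/* Three-way comparison; a final release is newer than any of its -rc tags. */
int kver_cmp(const struct kver *a, const struct kver *b)
{
    int ra = a->rc == 0 ? INT_MAX : a->rc;
    int rb = b->rc == 0 ? INT_MAX : b->rc;

    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (ra != rb) return ra < rb ? -1 : 1;
    return 0;
}

/* 1 if running lies in [first_affected, fixed_in), 0 if outside, -1 on parse error. */
int upstream_in_affected_range(const char *running, const char *first_affected,
                               const char *fixed_in)
{
    struct kver run, lo, hi;

    if (kver_parse(running, &run) || kver_parse(first_affected, &lo) ||
        kver_parse(fixed_in, &hi))
        return -1;
    return kver_cmp(&run, &lo) >= 0 && kver_cmp(&run, &hi) < 0;
}

int main(void)
{
    struct utsname u;

    if (uname(&u) != 0)
        return 1;
    printf("running kernel: %s\n", u.release);
    /* Upstream ranges as stated in the article. */
    printf("CVE-2021-26708 (vsock) in upstream range:    %d\n",
           upstream_in_affected_range(u.release, "5.5-rc1", "5.10.13"));
    printf("CVE-2021-20226 (io_uring) in upstream range: %d\n",
           upstream_in_affected_range(u.release, "5.5", "5.10.2"));
    return 0;
}
```

A result of 1 means only that the upstream version number is inside the stated window; a result of 0 on a distribution kernel does not prove the fix is present, and for the futex bug no version window is given in the text, so it is deliberately left out of the check.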

Finally, if you are interested in knowing more about it, you can check the details at the following links.

CVE-2021-26708, CVE-2021-3347, CVE-2021-20226
