Linux kernel iSCSI vulnerability allows elevation of privilege

A vulnerability (tracked as CVE-2021-27365) was recently identified in the iSCSI subsystem code of the Linux kernel that allows an unprivileged local user to run code at the kernel level and gain root privileges on the system.

The problem is caused by a bug in the iscsi_host_get_param() function of the libiscsi module, introduced back in 2006 during the development of the iSCSI subsystem. Due to missing length checks, some iSCSI string attributes, such as hostname or username, may exceed PAGE_SIZE (4 KB).

The vulnerability can be triggered by an unprivileged user sending Netlink messages that set iSCSI attributes to values larger than PAGE_SIZE. When the attribute data is later read through sysfs or seqfs, the code passes the attributes to sprintf, which copies them into a buffer that is only PAGE_SIZE bytes long.

The subsystem in question is the SCSI (Small Computer System Interface) data transport, a standard for connecting computers to peripheral devices such as hard drives, originally over a physical cable. SCSI is a venerable standard, first published in 1986, that became the gold standard for server configurations; iSCSI is essentially SCSI over TCP. SCSI is still used today, especially in certain storage setups, but how does it become an attack surface on a default Linux system?

Whether the vulnerability can be exploited on a given distribution depends on whether the scsi_transport_iscsi kernel module is autoloaded when a NETLINK_ISCSI socket is created.

In distributions where this module loads automatically, the attack can be carried out regardless of whether iSCSI is actually used. Successful exploitation additionally requires that at least one iSCSI transport be registered. A transport can be registered by means of the ib_iser kernel module, which is loaded automatically when an unprivileged user tries to create a NETLINK_RDMA socket.

Automatic loading of the modules the exploit requires is enabled on CentOS 8, RHEL 8, and Fedora by the rdma-core package, which is a dependency of some popular packages and is installed by default in workstation configurations, server systems with a GUI, and virtualization host environments.

However, rdma-core is not installed on console-only server builds or from the minimal installation image. For example, the package is included in the base Fedora 31 Workstation distribution but not in Fedora 31 Server.

Debian and Ubuntu are less susceptible to the problem, as their rdma-core package only loads the kernel modules needed for an attack if RDMA hardware is present. However, the Ubuntu Server image includes the open-iscsi package, which ships the /lib/modules-load.d/open-iscsi.conf file so that the iSCSI modules are loaded automatically on every boot.

A working exploit prototype is available at the link below.

The vulnerability was fixed in Linux kernel updates 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. Kernel package updates are available for Debian (oldstable), Ubuntu, SUSE/openSUSE, Arch Linux, and Fedora, while no fixes have been released yet for RHEL.
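Since exploitability hinges on which modules get autoloaded and the fix on the kernel release, here is an added check script (my own code, not from the article or the original research) that compares a kernel version with the fixed release for its stable series and reports whether the modules named above are loaded or set to autoload. The function names are my own; distribution kernels backport fixes without bumping the upstream version, so a "below fix" result means "check the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not from the article or the original research: compare a kernel
# version with the CVE-2021-27365 fix for its stable series and show whether the
# modules named in the article are loaded or set to autoload. Function names are
# my own. Distribution kernels backport fixes without bumping the upstream
# version, so a "below fix" result means "check the vendor advisory", not "vulnerable".

# Fixed upstream releases listed in the article, one per stable series.
FIXED_VERSIONS="5.11.4 5.10.21 5.4.103 4.19.179 4.14.224 4.9.260 4.4.260"

# ver_ge A B: exit 0 when version A >= version B (first three numeric fields).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 1
            if (x[i] + 0 > y[i] + 0) exit 0
        }
        exit 0
    }'
}

# kernel_fixed VERSION: exit 0 if at/above the fix, 1 if below it,
# 2 if the major.minor series is not in FIXED_VERSIONS.
kernel_fixed() {
    v=${1%%-*}                       # "5.10.20-arch1" -> "5.10.20"
    rest=${v#*.}
    series="${v%%.*}.${rest%%.*}"    # "5.10.20" -> "5.10"
    for f in $FIXED_VERSIONS; do
        case $f in
            "$series".*) ver_ge "$v" "$f" && return 0 || return 1 ;;
        esac
    done
    return 2
}

# report_modules: are scsi_transport_iscsi / ib_iser loaded right now, and does
# open-iscsi's boot-time autoload file from the article exist?
report_modules() {
    for m in scsi_transport_iscsi ib_iser; do
        if grep -q "^$m " /proc/modules 2>/dev/null; then echo "$m: loaded"
        else echo "$m: not loaded"; fi
    done
    if [ -f /lib/modules-load.d/open-iscsi.conf ]; then
        echo "autoload file present: /lib/modules-load.d/open-iscsi.conf"
    fi
}
```

Source the file, then run `kernel_fixed "$(uname -r)"; echo $?` followed by `report_modules`.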

Two less dangerous vulnerabilities that can lead to kernel data leakage were also fixed in the iSCSI subsystem: CVE-2021-27363 (leak of information about the iSCSI transport descriptor via sysfs) and CVE-2021-27364 (a read from outside the buffer bounds).

These vulnerabilities can be exploited by communicating with the iSCSI subsystem over a Netlink socket without the necessary privileges. For example, an unprivileged user can connect to iSCSI and send a logout command.

Source: https://blog.grimm-co.com