A vulnerability has been discovered in the Linux eBPF subsystem

Recently the news broke that a vulnerability (CVE-2021-29154) was identified in the eBPF subsystem, which allows tracing, subsystem analysis and traffic control handlers to run inside the Linux kernel in a special JIT virtual machine. The vulnerability allows a local user to run their own code at the kernel level.

According to the researchers who identified the vulnerability, they were able to develop a working exploit prototype for 32-bit and 64-bit x86 systems that can be used by an unprivileged user.

At the same time, Red Hat notes that the severity of the problem depends on whether the eBPF system call is available to the user. For example, on RHEL and most other Linux distributions by default, the vulnerability can be exploited when BPF JIT is enabled and the user has CAP_SYS_ADMIN rights.

A problem has been discovered in the Linux kernel that can be abused by non-privileged local users to escalate privileges.

The problem is how the BPF JIT compilers for some architectures calculate branch offsets when generating machine code. This can be abused to create anomalous machine code and run it in kernel mode, where the flow of control is hijacked to execute insecure code.

They detail that the problem is caused by an error in calculating the offset of branch instructions while the JIT compiler generates the machine code.

In particular, when the branch instructions are generated, it is not taken into account that the offset may change after the optimization stage, so this flaw can be used to generate anomalous machine code and run it at kernel level.

Notably, this is not the only vulnerability in the eBPF subsystem that has become known in recent years: at the end of March, two more vulnerabilities were identified in the kernel (CVE-2020-27170, CVE-2020-27171) that make it possible to use eBPF to bypass the protection against Spectre-class vulnerabilities. These allow the content of kernel memory to be determined by creating the conditions for the speculative execution of certain operations.

The Spectre attack requires the presence of a specific sequence of instructions in privileged code that leads to speculative execution. In eBPF, several ways have been found to generate such sequences by manipulating the BPF programs submitted for execution.

  • The CVE-2020-27170 vulnerability is caused by pointer manipulations in the BPF verifier, which cause speculative operations to access an area outside the buffer.
  • The CVE-2020-27171 vulnerability is related to an integer underflow bug when working with pointers, leading to speculative access to out-of-buffer data.

These issues have already been fixed in kernel versions 5.11.8, 5.10.25, 5.4.107, 4.19.182, and 4.14.227, and have been included in kernel updates for most Linux distributions. Researchers have prepared an exploit prototype that allows an unprivileged user to retrieve data from kernel memory.

As for mitigation, Red Hat proposes the following:

Mitigation:

This problem does not affect most systems by default. An administrator would have to have enabled the BPF JIT to be affected.

It can be disabled immediately with the command:

# echo 0 > /proc/sys/net/core/bpf_jit_enable

Or it can be disabled for all subsequent system boots by setting the value in /etc/sysctl.d/44-bpf-jit-disable:

## start file ##
net.core.bpf_jit_enable=0
## end file ##
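The following audit helper is an added example; it is not part of the article or of Red Hat's advisory. It checks the three things the text above gives a defender to verify: whether the running kernel is at or past the fixed versions listed for CVE-2020-27170/27171 (the article gives no fixed versions for other stable series, so those report "unknown"), whether bpf_jit_enable is currently off, and whether a sysctl.d file pins it off persistently. File paths are parameters so the functions can be exercised against constructed files; the demo at the bottom only reads the live sysctl and never changes the system.

```shell
#!/bin/sh
# Added example, not part of the article or of Red Hat's advisory: a small
# audit helper for the checks the mitigation section implies. Paths are
# parameters so the functions can be run against constructed files.

# Kernel versions carrying the CVE-2020-27170/27171 fixes, as listed above.
SPECTRE_FIXES="5.11.8 5.10.25 5.4.107 4.19.182 4.14.227"

# split_version "a.b.c[-suffix]" -> sets V_MAJOR V_MINOR V_PATCH (digits only).
split_version() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    V_MAJOR=$1; V_MINOR=$2; V_PATCH=${3:-0}
    V_PATCH=${V_PATCH%%[!0-9]*}        # "107-generic" -> "107"
    [ -n "$V_PATCH" ] || V_PATCH=0
}

# spectre_fix_status <kernel-version>: prints "fixed" or "vulnerable" when the
# stable series appears in SPECTRE_FIXES, otherwise "unknown" (consult the
# distribution advisory; the article gives no data for other series).
spectre_fix_status() {
    split_version "$1"
    major=$V_MAJOR; minor=$V_MINOR; patch=$V_PATCH
    for fix in $SPECTRE_FIXES; do
        split_version "$fix"
        if [ "$major" = "$V_MAJOR" ] && [ "$minor" = "$V_MINOR" ]; then
            if [ "$patch" -ge "$V_PATCH" ]; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    echo unknown
}

# bpf_jit_state [file]: "disabled" for 0, "enabled" for 1 or 2 (2 = enabled
# with debug output), "unavailable" if the sysctl file cannot be read.
bpf_jit_state() {
    f=${1:-/proc/sys/net/core/bpf_jit_enable}
    [ -r "$f" ] || { echo unavailable; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        0)   echo disabled ;;
        1|2) echo enabled ;;
        *)   echo unknown ;;
    esac
}

# persistent_jit_disabled <sysctl.d file>: succeeds (0) if the file pins
# net.core.bpf_jit_enable to 0 (spaces around "=" allowed), fails otherwise.
persistent_jit_disabled() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*net\.core\.bpf_jit_enable[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# Demonstration on constructed inputs; the live sysctl is only read.
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/jit_on"
printf 'net.core.bpf_jit_enable = 0\n' > "$demo_dir/44-bpf-jit-disable"
echo "running kernel $(uname -r): Spectre fixes $(spectre_fix_status "$(uname -r)")"
echo "live bpf_jit_enable: $(bpf_jit_state)"
echo "constructed jit_on file: $(bpf_jit_state "$demo_dir/jit_on")"
persistent_jit_disabled "$demo_dir/44-bpf-jit-disable" && echo "constructed sysctl.d file pins JIT off"
rm -rf "$demo_dir"
```

One caveat when acting on the result: on kernels built with CONFIG_BPF_JIT_ALWAYS_ON the sysctl is locked to 1, so the echo shown above fails there and the JIT cannot be switched off at runtime.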

Finally, if you are interested in knowing more about this vulnerability, you can check the details at the following link.

It is worth mentioning that the problem persists up to version 5.11.12 (inclusive) and has not yet been resolved in most distributions, even though the fix is already available as a patch.

