Vulnerability discovered in the TIPC implementation of the Linux kernel

Recently the news broke that a security researcher identified a critical vulnerability (already listed under CVE-2021-43267) in the implementation of the TIPC network protocol supplied in the Linux kernel, which allows remote execution of code with kernel privileges by sending a specially crafted network packet.

The danger of the problem is mitigated by the fact that the attack requires TIPC support to be explicitly enabled on the system (by loading and configuring the tipc.ko kernel module), which is not done by default on non-specialized Linux distributions.

CodeQL is an analysis engine that allows you to run queries on your code. From a security perspective, this can allow you to find vulnerabilities simply by describing what they look like. CodeQL will then go and find all instances of that vulnerability.

TIPC has been supported since the Linux 3.19 kernel, but the code leading to the vulnerability was included in the 5.10 kernel. The TIPC protocol was originally developed by Ericsson. It is intended to organize inter-process communication in a cluster and is mainly activated on the nodes of the cluster.

TIPC can work both over Ethernet and over UDP (network port 6118). When it runs over Ethernet, the attack can be carried out from the local network; when it runs over UDP, the attack can be carried out from the global network if the port is not covered by a firewall. The attack can also be carried out by a local user without privileges on the host. To enable TIPC, you must load the tipc.ko kernel module and configure the link to the network interface using netlink or the tipc utility.

The protocol is implemented in a kernel module bundled with all major Linux distributions. When loaded by a user, it can be used as a socket and can be configured on an interface using netlink (or using the user space tool tipc, which makes these netlink calls) as a non-privileged user.

TIPC can be configured to operate over a bearer protocol such as Ethernet or UDP (in the latter case, the kernel listens on port 6118 for incoming messages from any machine). Since a low-privileged user cannot create raw Ethernet frames, setting the bearer to UDP makes it easy to write a local exploit.

The vulnerability manifests itself in the tipc_crypto_key_rcv function. It is caused by a lack of proper verification that the sizes specified in the header match the actual size of the data when parsing packets of the MSG_CRYPTO type. These packets are used to obtain encryption keys from other nodes in the cluster in order to later decrypt the messages sent from those nodes.

The size of the data copied to memory is calculated as the difference between the values of the message size field and the header size field, but without taking into account the actual size of the encryption algorithm name transmitted in the message and of the key content.

The size of the algorithm name is assumed to be fixed, and a separate attribute carrying the size is passed for the key. The attacker can specify a value in this attribute that differs from the actual value, which leads to the tail of the message being written beyond the allocated buffer.
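The consistency check whose absence is described above, as an added user-space illustration (not the kernel's code or the upstream patch). The message layout, the constants, the 24-byte header size, the sample algorithm name and the function names are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout for illustration (not the kernel's definitions):
 * fixed-size algorithm name, 32-bit big-endian key length, then the key. */
#define ALG_NAME_LEN 32u
#define KEY_HDR_LEN  (ALG_NAME_LEN + 4u)
#define KEY_LEN_MAX  64u                 /* assumed upper bound on key size */

struct parsed_key { char alg[ALG_NAME_LEN]; uint32_t keylen; uint8_t key[KEY_LEN_MAX]; };

/* msg_size and hdr_size come from the sender's header; avail is the number
 * of body bytes actually received. Returns 0 if accepted, -1 if rejected. */
int parse_key_msg(const uint8_t *body, size_t avail, uint32_t msg_size,
                  uint32_t hdr_size, struct parsed_key *out)
{
    if (hdr_size > msg_size)
        return -1;
    size_t size = (size_t)msg_size - hdr_size;   /* declared body size */
    if (size > avail || size < KEY_HDR_LEN)      /* must hold name + length field */
        return -1;
    const uint8_t *p = body + ALG_NAME_LEN;
    uint32_t keylen = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                      ((uint32_t)p[2] << 8) | p[3];
    /* The key length attribute must be bounded and agree with the body size. */
    if (keylen > KEY_LEN_MAX || size != (size_t)KEY_HDR_LEN + keylen)
        return -1;
    memcpy(out->alg, body, ALG_NAME_LEN);
    out->alg[ALG_NAME_LEN - 1] = '\0';
    out->keylen = keylen;
    memcpy(out->key, body + KEY_HDR_LEN, keylen);
    return 0;
}

/* Build a constructed body carrying `actual` key bytes while declaring
 * `declared` in the length attribute, then run it through the parser. */
int check_sample(uint32_t declared, uint32_t actual)
{
    uint8_t body[KEY_HDR_LEN + 256] = {0};
    struct parsed_key out;
    const uint32_t hdr = 24;                     /* constructed header size */
    if (actual > 256)
        return -1;
    memcpy(body, "gcm(aes)", 8);                 /* constructed sample name */
    for (int i = 0; i < 4; i++)
        body[ALG_NAME_LEN + i] = (uint8_t)(declared >> (24 - 8 * i));
    memset(body + KEY_HDR_LEN, 0xAA, actual);
    return parse_key_msg(body, KEY_HDR_LEN + actual, hdr + KEY_HDR_LEN + actual, hdr, &out);
}
```

A message is accepted only when the declared key length is within the bound and equals the body size minus the fixed name and length fields, so the copy into the fixed-size buffer can never exceed it.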

The vulnerability is fixed in kernels 5.15.0, 5.10.77 and 5.14.16, although the problem is present and has not yet been fixed in Debian 11, Ubuntu 21.04 / 21.10, SUSE (in the not yet released SLE15-SP4 branch), RHEL (it is not yet detailed whether the vulnerable solution has been updated) and Fedora.

A kernel update has already been released for Arch Linux, and distributions with kernels prior to 5.10, such as Debian 10 and Ubuntu 20.04, are not affected.

Finally, if you are interested in knowing more about it, you can check the details in the following link.

