They found vulnerabilities in the eBPF subsystem that allow code execution at the kernel level 

Recently we share here on the blog the news about the interest that Microsoft has shown about the subsystem eBPF, Since it has built a subsystem for Windows which uses the abstract interpretation static analysis method, which, compared to the eBPF checker for Linux, demonstrates a lower false positive rate, supports loop analysis, and provides good scalability.

The method takes into account many typical performance patterns obtained from the analysis of existing eBPF programs. This eBPF subsystem has been included in the Linux kernel since version 3.18 and It allows you to process incoming / outgoing network packets, forward packets, control bandwidth, intercept system calls, control access, and perform monitoring.

And is that talking about it, it was recently revealed that two new vulnerabilities have been identified in the subsystem eBPF, which allows you to run drivers inside the Linux kernel in a special JIT virtual machine.

Both vulnerabilities provide the opportunity to run code with kernel rights, outside the isolated eBPF virtual machine.

Information about the problems was published by the Zero Day Initiative team, which runs the Pwn2Own competition, during which this year three attacks on Ubuntu Linux were demonstrated, in which previously unknown vulnerabilities were used (if the vulnerabilities in the eBPF are related to these attacks it is not reported).

The eBPF ALU32 limit tracking for bitwise operations (AND, OR and XOR) 32-bit limits were not updated.

Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf) working with himTrend Micro's Zero Day initiative discovered that this vulnerability it could be converted to out of bounds reads and writes in the kernel. This has been reported as ZDI-CAN-13590 and assigned CVE-2021-3490.

  • CVE-2021-3490: The vulnerability is due to the lack of out-of-bounds verification for 32-bit values ​​when performing bitwise AND, OR, and XOR operations on eBPF ALU32. An attacker can take advantage of this bug to read and write data outside the limits of the allocated buffer. The problem with XOR operations has been around since kernel 5.7-rc1, and AND and OR since 5.10-rc1.
  • CVE-2021-3489: The vulnerability is caused by a bug in the ring buffer implementation and is related to the fact that the bpf_ringbuf_reserve function did not check for the possibility that the size of the allocated memory area is smaller than the actual size of the ringbuf buffer. The problem has been evident since the release of 5.8-rc1.

Moreover, we can also observe another vulnerability in the Linux kernel: CVE-2021-32606, which allows a local user to elevate their privileges to the root level. The problem manifests itself since the Linux kernel 5.11 and is caused by a race condition in the implementation of the CAN ISOTP protocol, which makes it possible to change the socket binding parameters due to the lack of configuration of the proper locks in isotp_setsockopt () when the flag is processed CAN_ISOTP_SF_BROADCAST.

Once the socket, ISOTP continues to bind to the receiver socket, which can continue to use the structures associated with the socket after the associated memory is freed (use-after-free due to the structure call isotp_sock already released when i callsotp_rcv (). By manipulating data, you can override the pointer to the function sk_error_report () and run your code at the kernel level.

The status of fixes for vulnerabilities in distributions can be tracked on these pages: Ubuntu, Debian, RHEL, Fedora, SUSE, Arch).

The fixes are also available as patches (CVE-2021-3489 and CVE-2021-3490). The exploitation of the problem depends on the availability of the call to the eBPF system for the user. For example, in the default configuration on RHEL, exploiting the vulnerability requires the user to have CAP_SYS_ADMIN privileges.

Finally if you want to know more about it, you can check the details In the following link.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.