Cybersecurity researchers have disclosed a security flaw in the Linux Kernel's Transparent Inter Process Communication (TIPC) module that could potentially be leveraged both locally and remotely to execute arbitrary code within the kernel and take control of vulnerable machines.
The heap overflow vulnerability "can be exploited locally or remotely within a network to gain kernel privileges, and would allow an attacker to compromise the entire system," cybersecurity firm SentinelOne said in a report published today and shared with The Hacker News.
TIPC is a transport layer protocol designed for nodes running in dynamic cluster environments to reliably communicate with each other in a manner that is more efficient and fault-tolerant than other protocols such as TCP. The vulnerability identified by SentinelOne has to do with a new message type called "MSG_CRYPTO" that was introduced in September 2020 and enables peer nodes in the cluster to send cryptographic keys.
While the protocol has checks in place to validate such messages after decryption to ensure that a packet's actual payload size does not exceed the maximum user message size and that the latter is greater than the message header size, no restrictions were found to be placed on the length of the key (aka 'keylen') itself, resulting in a scenario where "an attacker can create a packet with a small body size to allocate heap memory, and then use an arbitrary size in the 'keylen' attribute to write outside the bounds of this location."
There is no evidence that the flaw has been abused in real-world attacks to date, and following responsible disclosure on October 19, the issue has been addressed in Linux Kernel version 5.15, released on October 31, 2021.
"The function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages to receive keys from other nodes in the cluster in order to decrypt any further messages from them," Linux kernel maintainers said in a fix pushed late last month. "This patch verifies that any supplied sizes in the message body are valid for the received message."
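The length check described in the two passages above, modelled as an added C example that is not the kernel's code: a receive routine that validates a size carried in the message body against the bytes actually received before allocating and copying. The message layout, the 64-byte key bound and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model layout, not the real TIPC wire format:
 * body = [4-byte big-endian keylen][keylen bytes of key material]. */
#define HDR_LEN    4u
#define MAX_KEYLEN 64u   /* assumed upper bound on key material */

struct crypto_key {
    uint32_t keylen;
    uint8_t  key[];      /* allocation sized from the validated keylen */
};

/* Hardened receive path: sizes taken from the message body are checked
 * against the bytes actually received before allocating or copying.
 * The flaw described above is this code without the two keylen checks:
 * a small body sizes the heap allocation, then a large keylen drives the
 * copy past it. Returns NULL when the message is rejected. */
struct crypto_key *crypto_key_rcv(const uint8_t *body, size_t body_len)
{
    if (body == NULL || body_len < HDR_LEN)
        return NULL;                               /* truncated header */
    uint32_t keylen = ((uint32_t)body[0] << 24) | ((uint32_t)body[1] << 16) |
                      ((uint32_t)body[2] << 8)  |  (uint32_t)body[3];
    if (keylen > body_len - HDR_LEN)
        return NULL;               /* keylen claims more bytes than present */
    if (keylen > MAX_KEYLEN)
        return NULL;               /* keylen larger than any legitimate key */
    struct crypto_key *k = malloc(sizeof(*k) + keylen);
    if (k == NULL)
        return NULL;
    k->keylen = keylen;
    memcpy(k->key, body + HDR_LEN, keylen);        /* bounded by the checks */
    return k;
}

int demo_valid(void)
{
    uint8_t msg[HDR_LEN + 16] = { 0, 0, 0, 16 };     /* constructed: keylen = 16, truthful */
    memset(msg + HDR_LEN, 0xAB, 16);
    struct crypto_key *k = crypto_key_rcv(msg, sizeof msg);
    int ok = k != NULL && k->keylen == 16 && k->key[15] == 0xAB;
    free(k);
    return ok;                                       /* 1: accepted and copied */
}
int demo_oversized(void)
{
    uint8_t msg[HDR_LEN + 16] = { 0, 0, 0x10, 0 };   /* constructed: keylen = 0x1000 */
    return crypto_key_rcv(msg, sizeof msg) == NULL;  /* 1: rejected */
}
```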
"While TIPC itself isn't loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks," SentinelOne researcher Max Van Amerongen said.