Cybersecurity researchers have disclosed a security flaw in the Linux Kernel's Transparent Inter-Process Communication (TIPC) module that could potentially be leveraged both locally and remotely to execute arbitrary code within the kernel and take control of vulnerable machines.
The heap overflow vulnerability "can be exploited locally or remotely within a network to gain kernel privileges, and would allow an attacker to compromise the entire system," cybersecurity firm SentinelOne said in a report published today and shared with The Hacker News.
TIPC is a transport layer protocol designed for nodes running in dynamic cluster environments to reliably communicate with each other in a manner that is more efficient and fault-tolerant than other protocols such as TCP. The vulnerability identified by SentinelOne has to do with a new message type called "MSG_CRYPTO" that was introduced in September 2020 and enables peer nodes within the cluster to send cryptographic keys.
While the protocol has checks in place to validate such messages after decryption to ensure that a packet's actual payload size does not exceed the maximum user message size and that the latter is larger than the message header size, no restrictions were found to be placed on the length of the key (aka 'keylen') itself, resulting in a scenario where "an attacker can create a packet with a small body size to allocate heap memory, and then use an arbitrary size in the 'keylen' attribute to write outside the bounds of this location."
There is no evidence that the flaw has been abused in real-world attacks to date, and following responsible disclosure on October 19, the issue has been addressed in Linux Kernel version 5.15, released on October 31, 2021.
"The function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages to receive keys from other nodes in the cluster in order to decrypt any further messages from them," Linux kernel maintainers said in a fix pushed late last month. "This patch verifies that any supplied sizes in the message body are valid for the received message."
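The two paragraphs above describe the gap (the payload size is checked against the maximum user message size and the header size, but 'keylen' is never compared with the body that was actually received) and the fix (every size supplied in the body must be valid for the received message). The following C program is an added illustration of that check and is not code from the Linux kernel or from SentinelOne's report. The wire layout, the constants HDR_SIZE, KEY_HDR_SIZE and MAX_USER_MSG, and the function names parse_crypto_msg, weak_check, hardened_check and receive_key are all hypothetical simplifications chosen for the example; the sample messages are constructed, not captured traffic. It shows that a message with a small body and an oversized 'keylen' passes the pre-fix checks but is rejected once 'keylen' is bounded by the received body size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified layout (NOT the kernel's struct tipc_msg):
 * an 8-byte header whose first 32-bit field is the total message size,
 * followed by a body whose first 32-bit field is 'keylen' and then
 * 'keylen' bytes of key material. */
#define HDR_SIZE      8u      /* assumed header size */
#define KEY_HDR_SIZE  4u      /* the keylen field itself */
#define MAX_USER_MSG  66000u  /* assumed maximum user message size */

struct crypto_msg {
    uint32_t msg_size;   /* header + body length as declared on the wire */
    uint32_t keylen;     /* declared length of the key material */
    const uint8_t *key;  /* start of the key material inside the buffer */
};

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Read the fixed fields; false if the buffer cannot even hold them. */
static bool parse_crypto_msg(const uint8_t *buf, size_t len, struct crypto_msg *out) {
    if (len < HDR_SIZE + KEY_HDR_SIZE) return false;
    out->msg_size = rd32(buf);             /* header: total size */
    out->keylen   = rd32(buf + HDR_SIZE);  /* body: declared key length */
    out->key      = buf + HDR_SIZE + KEY_HDR_SIZE;
    return true;
}

/* The checks the article says existed before the fix: payload no larger
 * than the maximum user message, and larger than the header. Note that
 * keylen is never looked at here. */
static bool weak_check(const struct crypto_msg *m) {
    return m->msg_size <= MAX_USER_MSG && m->msg_size > HDR_SIZE;
}

/* Hardened check: the declared key length, plus its own header, must fit
 * inside the body of the message that was actually received. */
static bool hardened_check(const struct crypto_msg *m, size_t received_len) {
    if (!weak_check(m)) return false;
    if (received_len < m->msg_size) return false;   /* truncated on the wire */
    uint32_t body = m->msg_size - HDR_SIZE;
    if (body < KEY_HDR_SIZE) return false;
    return m->keylen <= body - KEY_HDR_SIZE;
}

/* Copy the key into a heap buffer only after the hardened check passes, so
 * the memcpy length can never exceed the received body. Returns NULL on
 * rejection; the caller frees the result. */
static uint8_t *receive_key(const uint8_t *buf, size_t len, uint32_t *keylen_out) {
    struct crypto_msg m;
    if (!parse_crypto_msg(buf, len, &m) || !hardened_check(&m, len)) return NULL;
    uint8_t *key = malloc(m.keylen ? m.keylen : 1);
    if (!key) return NULL;
    memcpy(key, m.key, m.keylen);  /* bounded: keylen <= body - KEY_HDR_SIZE */
    *keylen_out = m.keylen;
    return key;
}

/* Constructed sample messages (not real captures). Both declare a 20-byte
 * message: 8-byte header, 4-byte keylen, 8 bytes of key material. */
static const uint8_t benign_msg[20] = {
    0x00, 0x00, 0x00, 0x14,  0x00, 0x00, 0x00, 0x00,   /* msg_size = 20 */
    0x00, 0x00, 0x00, 0x08,                            /* keylen = 8 */
    'k', 'e', 'y', '1', '2', '3', '4', '5'
};
/* Same small body, but keylen claims 65536 bytes of key material. */
static const uint8_t oversized_msg[20] = {
    0x00, 0x00, 0x00, 0x14,  0x00, 0x00, 0x00, 0x00,   /* msg_size = 20 */
    0x00, 0x01, 0x00, 0x00,                            /* keylen = 0x10000 */
    'k', 'e', 'y', '1', '2', '3', '4', '5'
};

int main(void) {
    struct crypto_msg m;
    parse_crypto_msg(oversized_msg, sizeof oversized_msg, &m);
    printf("oversized keylen: weak_check=%d hardened_check=%d\n",
           weak_check(&m), hardened_check(&m, sizeof oversized_msg));
    uint32_t kl = 0;
    uint8_t *k = receive_key(benign_msg, sizeof benign_msg, &kl);
    printf("benign key accepted: %d (keylen %u)\n", k != NULL, kl);
    free(k);
    return 0;
}
```

The design point is that the allocation and the copy are sized from two different fields: the body size drives the heap allocation, while 'keylen' drives the copy. Any receiver of a self-describing message must tie the inner length to the outer one before using it, and must also confirm that the outer length does not exceed the bytes actually received, which is why hardened_check takes received_len as a parameter.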
"While TIPC itself isn't loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks," SentinelOne researcher Max Van Amerongen said.