Security researchers from SentinelLabs have discovered a new heap overflow vulnerability in the Linux kernel’s Transparent Inter-Process Communication (TIPC) module. The vulnerability, tracked as CVE-2021-43267, can be exploited either locally or remotely within the network to execute arbitrary code within the kernel and compromise the entire machine. Let’s look at the Transparent Inter-Process Communication (TIPC) module in Linux and see how to fix CVE-2021-43267, a heap overflow vulnerability in the Linux kernel’s TIPC module.
What Is Transparent Inter-process Communication?
In short, TIPC is an inter-process communication (IPC) service in Linux that operates between nodes across a cluster. If you want to learn about TIPC in detail, you can visit the official TIPC page.
The TIPC protocol ships as a kernel module in all major Linux distributions. When a user loads the TIPC module, the kernel exposes TIPC as a socket type, and it can be configured on a network interface to work in a low-privileged mode on top of the Ethernet protocol. Hosts communicate with each other by exchanging TIPC messages between their kernels.
The TIPC protocol operates transparently to the user. Each TIPC packet is composed of a header and a payload. Each header carries two size fields: Header Size and Message Size. Header Size denotes the size of the header, whereas Message Size denotes the total size of the packet.
The TIPC protocol has a function, ‘tipc_msg_validate’, that validates the Header Size and Message Size. This function performs three validations:
1. Message Size is greater than Header Size.
2. The TIPC packet payload size is validated against the maximum user message size.
3. The Message Size is validated against the actual received packet length.
Overview of CVE-2021-43267- A Heap Overflow Vulnerability
The vulnerability begins with the introduction of a new user message type, ‘MSG_CRYPTO’, which allows peers to send cryptographic keys. When a MSG_CRYPTO message is received, the TIPC kernel module copies this information (the name of the key algorithm along with the key) into the storage for that node.
The most important part of this vulnerability lies in the Header Size calculation. As mentioned above, both Header Size and Message Size are validated against the actual packet size: the total Message Size must not exceed the length of the actual packet. The problem is that there is no check comparing the size claimed inside the MSG_CRYPTO message (the supplied key size) against the total Message Size. This improper validation allows an attacker to craft a packet with a small body that causes a heap allocation sized from the unchecked value. For instance, an attacker can create a 20-byte packet and set the message size to 10 bytes without failing the check. Please see the detailed technical analysis in the original report published by SentinelLabs.
This heap overflow vulnerability can be exploited either locally or remotely within the network to execute arbitrary code within the kernel and compromise the entire machine.
Summary Of CVE-2021-43267- A Heap Overflow Vulnerability
Description: The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
Security-Database Scoring CVSS v3
Metric | Value |
---|---|
Overall CVSS Score | 9.8 |
Base Score | 9.8 |
Impact Sub Score | 5.9 |
Exploitability Sub Score | 3.9 |
Attack Vector | Network |
Privileges Required | None |
Scope | Unchanged |
Integrity Impact | High |
Environmental Score | 9.8 |
Temporal Score | 9.8 |
Attack Complexity | Low |
User Interaction | None |
Confidentiality Impact | High |
Availability Impact | High |
Kernel Versions Affected with the Heap Overflow Vulnerability (CVE-2021-43267)
Since this heap overflow vulnerability (CVE-2021-43267) affects only TIPC users, they should ensure that their Linux kernel version is not between 5.10-rc1 and 5.14.16. Ubuntu published an advisory on Nov 02, 2021; see the advisory here.
Vulnerable Kernel Versions:
between 5.10-rc1 and 5.14.16
Patched Kernel Version:
5.15
Not Affected Versions:
5.4.0-9.12
4.13.0-16.19
4.4.0-2.16
3.11.0-12.19
How To Fix CVE-2021-43267- A Heap Overflow Vulnerability In Linux Kernel’s TIPC Module?
This vulnerability has been patched in kernel v5.15 with two changes: (1) the validation function is now called before the copy takes place instead of after it, and (2) a size overflow check has been added, along with additional checks for the minimum packet size and the supplied key size. It is recommended to upgrade your kernel to v5.15 as soon as possible.
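To make the three header checks, the missing key-size comparison and the ordering of the fix concrete, here is an added example written for this post. It is not the kernel's TIPC code and not SentinelLabs' analysis code: the field layout (`struct crypto_hdr`), the size limits (`MIN_HDR_SIZE`, `MAX_USER_MSG`, `MAX_KEY_LEN`) and all function names are this example's own assumptions. It models the pre-fix behaviour (copy length taken from the peer-supplied key length) beside the post-fix behaviour (minimum size, key-size bound and overflow check run before any copy), and drives both with a constructed packet.

```c
/* Added example, not the kernel's code: a simplified model of the three header
 * checks the post attributes to tipc_msg_validate, of the pre-fix MSG_CRYPTO
 * handling (peer-supplied key length trusted when sizing the copy) and of the
 * checks the fix adds. Layouts, names and limits are this example's assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_HDR_SIZE 24u     /* assumed smallest TIPC header */
#define MAX_USER_MSG 66000u  /* assumed maximum user message payload */
#define MAX_KEY_LEN  64u     /* assumed upper bound on an AEAD key */

/* Assumed fixed part of a MSG_CRYPTO payload; key bytes follow it. */
struct crypto_hdr {
    char     alg_name[32];
    uint32_t key_len;        /* peer-supplied: how many key bytes follow */
};

/* The three header/message size validations described in the post (simplified). */
bool validate_sizes(uint32_t hdr_size, uint32_t msg_size, size_t pkt_len)
{
    if (hdr_size < MIN_HDR_SIZE || msg_size <= hdr_size) return false; /* 1: msg > hdr */
    if (msg_size - hdr_size > MAX_USER_MSG) return false;              /* 2: payload limit */
    if (msg_size > pkt_len) return false;                              /* 3: within packet */
    return true;
}

/* Pre-fix behaviour as the post describes it: the copy length comes from the
 * peer-supplied key_len and is never compared with the message size. */
size_t crypto_copy_len_unchecked(const struct crypto_hdr *ch)
{
    return sizeof(*ch) + ch->key_len;
}

/* Post-fix behaviour: minimum payload size, key-size bound and an overflow check
 * against what the message actually carries. Returns 0 when rejected. */
size_t crypto_copy_len_checked(const struct crypto_hdr *ch, uint32_t payload_len)
{
    if (payload_len < sizeof(*ch)) return 0;               /* cannot hold the fixed fields */
    if (ch->key_len > MAX_KEY_LEN) return 0;               /* larger than any supported key */
    if (ch->key_len > payload_len - sizeof(*ch)) return 0; /* claims more bytes than present */
    return sizeof(*ch) + ch->key_len;
}

/* Validate first, then copy (the ordering the fix restores). Returns bytes stored or -1. */
int receive_crypto_msg(const uint8_t *pkt, size_t pkt_len, uint32_t hdr_size,
                       uint32_t msg_size, uint8_t *store, size_t store_len)
{
    struct crypto_hdr ch;
    if (!validate_sizes(hdr_size, msg_size, pkt_len)) return -1;
    uint32_t payload_len = msg_size - hdr_size;
    if (payload_len < sizeof ch) return -1;
    memcpy(&ch, pkt + hdr_size, sizeof ch);                /* copy out: no unaligned read */
    size_t n = crypto_copy_len_checked(&ch, payload_len);
    if (n == 0 || n > store_len) return -1;
    memcpy(store, pkt + hdr_size, n);
    return (int)n;
}

/* Constructed packet: zeroed MIN_HDR_SIZE header, crypto fields claiming
 * claimed_key_len, then real_key_bytes of key material. Returns packet length. */
size_t build_crypto_packet(uint8_t *buf, size_t buf_len,
                           uint32_t claimed_key_len, size_t real_key_bytes)
{
    struct crypto_hdr ch = { "gcm(aes)", claimed_key_len };
    size_t total = MIN_HDR_SIZE + sizeof ch + real_key_bytes;
    if (total > buf_len) return 0;
    memset(buf, 0, MIN_HDR_SIZE);
    memcpy(buf + MIN_HDR_SIZE, &ch, sizeof ch);
    memset(buf + MIN_HDR_SIZE + sizeof ch, 0xAB, real_key_bytes);
    return total;
}

/* Runs one packet through the receive path; header sizes are set so that the
 * three header checks pass, so the outcome depends on the key-length checks alone. */
int demo(uint32_t claimed_key_len, size_t real_key_bytes)
{
    uint8_t pkt[256], store[256];
    size_t len = build_crypto_packet(pkt, sizeof pkt, claimed_key_len, real_key_bytes);
    return receive_crypto_msg(pkt, len, MIN_HDR_SIZE, (uint32_t)len, store, sizeof store);
}

int main(void)
{
    printf("well-formed (16 claimed, 16 present): %d\n", demo(16, 16));   /* 52 */
    printf("malformed (4000 claimed, 16 present): %d\n", demo(4000, 16)); /* -1 */
    return 0;
}
```

The point to take from the model is that the three header checks are satisfied by both packets; only the comparison of the key length against the payload that actually arrived separates the well-formed message from the one whose claimed key length would size a copy of 4036 bytes out of a 76-byte packet.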
How To Upgrade Kernel On Your Linux?
There are multiple ways to update the kernel on Linux. The best and most native way is to download and install the tested kernel package. Please contact your vendor support to choose the way that works best for you. For demonstration, we are going to show you how to upgrade the kernel on Ubuntu or Debian servers in the native way.
How to upgrade the kernel on Ubuntu?
Note: Before you download and install on your production server, we recommend testing this on a test machine. Don’t forget to take a full VM snapshot if you are upgrading the kernel on a virtual machine, or take a filesystem backup if you have a physical server.
- Check the kernel version
Before you start the upgrade, check the version of the kernel your server has. If the kernel version is not in the list of affected versions, you can schedule this later at your convenience.
Run this command to check the kernel version.
$ uname -rs
- Download kernel modules 5.15
Download the kernel packages directly from the kernel.ubuntu.com website. Download the latest version available (at the bottom of the page) to a dedicated directory. Change the permission of the files to execute.
Create a directory in your path:
$ mkdir /home/arunkl/kernel-5.15
Change the directory:
$ cd /home/arunkl/kernel-5.15/
Download these two files (where X.Y.Z is the highest version):
1. linux-image-X.Y.Z-generic-*.deb
2. linux-modules-X.Y.Z-generic-*.deb
Commands to download the kernel v5.15:
$ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.15/amd64/linux-image-unsigned-5.15.0-051500-generic_5.15.0-051500.202110312130_amd64.deb
$ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.15/amd64/linux-modules-5.15.0-051500-generic_5.15.0-051500.202110312130_amd64.deb
Run this command to set the files’ permission to execution mode:
$ chmod +x *.deb
- Install kernel module 5.15
Install the downloaded packages using the default dpkg utility then reboot the server.
$ sudo dpkg --install *.deb
$ reboot
- Check the kernel version after reboot
Use the same command used in the first step. You will see the upgraded kernel version if everything goes well.
$ uname -rs
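Before scheduling the upgrade above, it helps to have a single check that reads `uname -r` and decides whether the running kernel sits in the range this post lists as vulnerable (5.10-rc1 through 5.14.16) and whether the `tipc` module is loaded at all. The script below is an added example written for this post, not part of the original procedure; it assumes a normal Linux host with `/proc/modules`, and the version range is taken from the post, so adjust it if your distribution backports the fix under a different version number.

```sh
#!/bin/sh
# Added example, not from the original post: a pre-check to run before scheduling
# the upgrade. It reports whether the running kernel falls inside the range the
# post lists as vulnerable (5.10-rc1 through 5.14.16) and whether the tipc module
# is currently loaded. Assumes /proc/modules exists (any normal Linux host).

# Return 0 (true) when a kernel version string lies in 5.10-rc1 .. 5.14.16.
# Accepts `uname -r` output such as "5.14.16-generic" or "5.10-rc1".
tipc_kernel_in_vuln_range() {
    # Keep only the leading dotted numeric part: "5.14.16-generic" -> "5.14.16"
    num=$(printf '%s' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/')
    major=$(printf '%s' "$num" | cut -d. -f1)
    minor=$(printf '%s' "$num" | cut -s -d. -f2)
    patch=$(printf '%s' "$num" | cut -s -d. -f3)
    case "$major" in ''|*[!0-9]*) return 1 ;; esac   # not a version string at all
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    [ "$major" -eq 5 ] || return 1
    # 5.10-rc1 is the start of the 5.10 series, so all of 5.10 .. 5.13 is in range.
    if [ "$minor" -ge 10 ] && [ "$minor" -le 13 ]; then return 0; fi
    # 5.14 is in range up to and including 5.14.16.
    if [ "$minor" -eq 14 ] && [ "$patch" -le 16 ]; then return 0; fi
    return 1
}

# Print "loaded" if the tipc module is currently in the kernel, "not-loaded" otherwise.
tipc_module_state() {
    if grep -q '^tipc ' /proc/modules 2>/dev/null; then
        echo loaded
    else
        echo not-loaded
    fi
}

# Combine both checks into one verdict line for the given kernel version.
tipc_verdict() {
    if tipc_kernel_in_vuln_range "$1"; then
        echo "kernel $1: in the vulnerable range, upgrade to 5.15 (tipc module: $(tipc_module_state))"
    else
        echo "kernel $1: outside the vulnerable range, no urgent action"
    fi
}

tipc_verdict "$(uname -r)"
```

A kernel outside the range with the module loaded still deserves a look at your distribution's advisory, since the range above is the mainline one; a kernel inside the range with the module not loaded is still worth upgrading, because the module can be loaded later.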
How To Fix CVE-2021-43267 On RedHat And CentOS?
Red Hat did not release patches for this vulnerability, as the latest kernel version Red Hat supports is 4.18.0-305, which falls into the not-affected category.
Kernel Version Supported in Red Hat Enterprise Linux 8
Release | General Availability Date | redhat-release Errata Date* | Kernel Version |
---|---|---|---|
RHEL 8.4 | 2021-05-18 | 2021-05-18 RHSA-2021:1578 | 4.18.0-305 |
RHEL 8.3 | 2020-11-03 | 2020-11-03 RHBA-2020:4495 | 4.18.0-240 |
RHEL 8.2 | 2020-04-28 | 2020-04-28 RHBA-2020:1758 | 4.18.0-193 |
RHEL 8.1 | 2019-11-05 | 2019-11-05 RHBA-2019:3543 | 4.18.0-147 |
RHEL 8 | 2019-05-07 | – | 4.18.0-80 |
Red Hat Enterprise Linux 7
Release | General Availability Date | redhat-release Errata Date* | Kernel Version |
---|---|---|---|
RHEL 7.9 | 2020-09-29 | 2020-09-29 RHBA-2020:3849 | 3.10.0-1160 |
RHEL 7.8 | 2020-03-31 | 2020-03-31 RHBA-2020:1033 | 3.10.0-1127 |
RHEL 7.7 | 2019-08-06 | 2019-08-06 RHBA-2019:2351 | 3.10.0-1062 |
RHEL 7.6 | 2018-10-30 | 2018-10-30 RHBA-2018:3014 | 3.10.0-957 |
RHEL 7.5 | 2018-04-10 | 2018-04-10 RHEA-2018:0700 | 3.10.0-862 |
RHEL 7.4 | 2017-07-31 | 2017-07-31 RHBA-2017:1850 | 3.10.0-693 |
RHEL 7.3 | 2016-11-03 | 2016-11-03 RHEA-2016-2544 | 3.10.0-514 |
RHEL 7.2 | 2015-11-19 | 2015-11-19 RHEA-2015:2461 | 3.10.0-327 |
RHEL 7.1 | 2015-03-05 | 2015-03-05 RHEA-2015:0524 | 3.10.0-229 |
RHEL 7.0 GA | 2014-06-09 | – | 3.10.0-123 |
RHEL 7.0 Beta | 2013-12-11 | – | 3.10.0-54.0.1 |
Check the latest kernel versions for older RHEL here.
We hope this post helps you understand how to fix CVE-2021-43267, a heap overflow vulnerability in the Linux kernel’s TIPC module. Thanks for reading this threat post. Please share it and help secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr and Medium, and subscribe to receive updates like this.
Original article by ItWorker. If reprinting, please cite the source: https://blog.ytso.com/270071.html