Vulnerability Management, Patch/Configuration Management

Linux kernel patches remote stack overflow bug

Oracle CEO Larry Ellison delivers a keynote address at the 2006 Oracle OpenWorld conference Oct. 25, 2006, in San Francisco.  (Photo by Justin Sullivan/Getty Images)

Appgate detailed a newly disclosed and newly patched Linux kernel bug Tuesday that could cause local and remote code execution, and denial of service.

The bug is a stack overflow in the Transparent Inter-Process Communication (TIPC) service, the cluster domain socket service in Linux. Different nodes in TIPC communicate using messages and, while TIPC was designed to check to see if a minimum message length is met, it did not check if a maximum message length was met. Exceeding the maximum causes the overflow.

"The vulnerability has been present since the TIPC monitoring framework was introduced in June 2016, impacting versions 4.8 through to 5.17-rc3. A patch has been released; updating systems to include that patch is the best way to mitigate the vulnerability. In the meantime, if you’re not using TIPC, you can blacklist the module to reduce your attack surface," said Samuel Page, senior exploit developer for Appgate Threat Advisory Services, in a statement. Page discovered the vulnerability.

"If you need to use TIPC and can’t immediately patch your system, look to enforce configurations that prevent or limit the ability for attackers to imitate nodes in your cluster. Options include TIPC protocol level encryption, IPSec/MACSec and network separation," he continued.

In the blog post, Page explained that he found the new TIPC vulnerability exploring an old one, as he played around with CVE-2021-43267. CVE-2021-43267 was discovered by SentinelLabs and published in November.

The new vulnerability was reported last month. In the process of patching, Page wrote in his blog post, "another issue regarding [an] overflow was spotted by Eric Dumazet, a fix for which is also included in the final patch by Jon Maloy."

The vulnerability was disclosed on Jan. 27 with a patch first available on Feb. 5.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.