Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account.
The trio of flaws – CVE-2021-27363, CVE-2021-27364 and CVE-2021-27365 – has lurked in Linux code since 2006 without detection until GRIMM researchers discovered them.
“If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically,” said Adam Nichols, principal of the Software Security practice at GRIMM.
While the vulnerabilities “are in code that is not remotely accessible, so this isn’t like a remote exploit,” said Nichols, they are still troublesome. They take “any existing threat that might be there. It just makes it that much worse,” he explained. “And if you have users on the system that you don't really trust with root access it, it breaks them as well.”
Referring to the theory that ‘many eyes make all bugs shallow,’ Linux code “is not getting many eyes or the eyes are looking at it and saying that seems fine,” said Nichols. “But, [the bugs] have been in there since the code was first written, and they haven't really changed over the last 15 years.”
As a matter of course, GRIMM researchers try “to dig in” and see how long vulnerabilities have existed when they can – a more feasible proposition with open source.
That the flaws slipped detection for so long has a lot to do with the sprawl of the Linux kernel. It “has gotten so big” and “there's so much code there,” said Nichols. “The real strategy is make sure you're loading as little code as possible.”
The bugs are in all Linux distributions, Nichols said, although the kernel driver is not loaded by default. Whether a normal user can load the vulnerable kernel module varies. They can, for instance, on all Red Hat based distros that GRIMM tested, he said. “Even though it's not loaded by default, you can get it loaded and then of course you can exploit it without any trouble.”
The vulnerabilities also exist in Debian-based systems, but are leveraged differently. Specifically, when the user tries to load that driver, the setup scripts check to see if the iSCSI hardware is there; if it's not, the install stops. For Red Hat, the driver will be loaded, whether the hardware is there or not, Nichols said.
If the hardware is present, though, then other systems like Debian and Ubuntu “are in the same boat as Red Hat, where the user, depending on what packages are installed, can coerce it into getting loaded; then it's there to be exploited,” he said.
The bugs have been patched in the following kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. All older kernels are end-of-life and will not receive patches.
As a temporary measure to neutralize the flaws, Nichols recommends blacklisting the kernel module if it's not being used. "Any system that doesn't use that module can just say never load this module under any circumstances, and then you're kept safe,” he said. But “if you’re actually using iSCSI, then you wouldn't want to do that.”
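As an added example (not from the article or from GRIMM), a POSIX shell script that checks the running kernel against the fixed releases listed above, reports whether the iSCSI transport modules are currently loaded, and prints a modprobe.d stanza that refuses to load them on hosts that do not use iSCSI. The module names scsi_transport_iscsi, libiscsi and iscsi_tcp are an assumption, since the article only says "the iSCSI module".

```shell
# Added example (not from the article or GRIMM). Module names are an assumption:
# the article only says "the iSCSI module".
FIXED_VERSIONS="5.11.4 5.10.21 5.4.103 4.19.179 4.14.224 4.9.260 4.4.260"  # from the article
ISCSI_MODULES="scsi_transport_iscsi libiscsi iscsi_tcp"

# Strip any "-suffix" (e.g. "-generic") and pack MAJ.MIN.PATCH into one integer.
version_key() {
    printf '%s' "${1%%-*}" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 10000 + $3 }'
}

# Print "patched", "unpatched" or "unknown" for a kernel version string.
# "unknown" = series not in the list (older than 4.4 is end-of-life; newer
# than 5.11 shipped with the fix), so check it by hand.
patch_status() {
    ver=${1%%-*}
    series=$(printf '%s' "$ver" | awk -F. '{ print $1 "." $2 }')
    for fixed in $FIXED_VERSIONS; do
        [ "${fixed%.*}" = "$series" ] || continue
        [ "$(version_key "$ver")" -ge "$(version_key "$fixed")" ] && echo patched || echo unpatched
        return 0
    done
    echo unknown
}

# List the iSCSI modules currently loaded (silent where /proc/modules is absent).
loaded_iscsi_modules() {
    for m in $ISCSI_MODULES; do
        grep -qs "^$m " /proc/modules && echo "$m"
    done
    return 0
}

# modprobe.d stanza for hosts that do not use iSCSI: "install ... /bin/false"
# also refuses explicit modprobe requests, which a bare "blacklist" line does not.
blacklist_stanza() {
    for m in $ISCSI_MODULES; do
        echo "install $m /bin/false"
    done
}

kernel=$(uname -r)
echo "kernel $kernel: $(patch_status "$kernel")"
loaded=$(loaded_iscsi_modules)
[ -n "$loaded" ] && echo "loaded iSCSI modules: $loaded" || echo "no iSCSI modules loaded"
echo "suggested /etc/modprobe.d/iscsi-disable.conf:"
blacklist_stanza
```

Hosts that actually serve or mount iSCSI storage must not install the stanza; for them the only fix is one of the patched kernel releases.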