A 15-year old Vulnerability Exposes Linux to Privilege Escalation Attacks
Posted on Sep 29, 2021 | By Surojoy Gupta
A critical security flaw in the Linux kernel went unpatched for 15 years till attackers used it to gain local privilege escalation, escape the Kubernetes pod and obtain root privileges on Linux systems. Read our analysis where we look into the vulnerability’s characteristics and the impact it can have.
In April 2021, a critical vulnerability was reported in Netfilter - the Linux kernel security group - that was reportedly patched shortly thereafter. The public announcement and a proof-of-concept were shared after July 7, 2021, allowing organizations ample time to patch vulnerable systems.
The flaw in the Netfilter code uses memset(), a buffer function that is used to fill a block of memory with a particular value, to set four bytes in the memory to a value of zero. This seemingly innocuous memory address value issue, however, can lead to root access for an attacker who has gained privileged access to the system and allows them to control and set the kernel memory values from an unprivileged user process. Simply put, the vulnerability allows a local user to gain root privileges in the system in spite of being in an insulated container.
The Netfilter vulnerability (CVE-2021-22555) has existed for 15 years since the Linux kernel 2.6.19 was launched. The vulnerability is caused by a bug in two drivers in the kernel which causes a buffer overflow when it sends special parameters in compact mode via the setsockopt function. Here is our analysis of the vulnerability:
CVE-2021-22555 is a heap out-of-bounds write vulnerability that allows an attacker to gain privileged access or cause a denial of service via heap memory corruption.
Classified under the weakness enumeration, CWE-787 (Out-of-bounds Write), the severe vulnerability has a CVSS v3 score of 7.8.
CWE-787 is categorized as the most dangerous vulnerability in MITRE’s latest CWE Top 25 list.
A patch was released for the vulnerability in July 2021.
On August 23, 2021, a list of 15 vulnerabilities that are known to be actively exploited in the wild or have proofs-of-concept (PoC), was published online. These vulnerabilities have been used numerous times to attack Linux-based systems in the past.
Linux Netfilter Proof-of-Concept
Upgrade your Linux version now to mitigate the vulnerability.
CVE-2021-22555 is a vulnerability that has existed in Linux kernel versions since 2006. While it is surprising that a vulnerability in such a popular product remained hidden for over a decade, it also goes to show how the advancement of technology also has its negative side. Back when the version was released, the resources to escalate privileges did not exist, like unprivileged user namespaces which were introduced in version 3.8. Neither were threat actors as sophisticated as they are today, adopting complex tactics and going after not just the critical flaws, but easily overlooked ones like the 7.8 scoring Linux vulnerability.
A kernel vulnerability in a Linux OS takes high importance as this is the core interface between hardware and software processes, and is responsible for managing resources. Organizations need to act on the fly and ensure the loophole is patched without delay. An agile patching solution must take precedence over regular vulnerability fixes in such cases, for organizations to stay ahead of perpetually ravenous attackers.
CSW can help organizations stay ahead of threats and prevent falling victim to attacks. Connect with us to know how.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!