Linux kernel found to have a trio of 15-year-old vulnerabilities that could allow root access
Linux-based operating systems are generally recognized as being far more secure than the likes of Windows and macOS -- but that's not to say they're without their flaws. Illustrating precisely this is the discovery of no fewer than three vulnerabilities in the Linux kernel that could be exploited to gain root access to a system.
That researchers from cybersecurity firm GRIMM managed to find so many vulnerabilities in the Linux kernel is one thing; that they have lain there undetected for 15 years is quite another.
The vulnerabilities (which are being tracked as CVE-2021-27363, CVE-2021-27364 and CVE-2021-27365) exist in the kernel's iSCSI module. While the exploitable module is not loaded by default, the Linux kernel's support for on-demand loading of modules means that it can easily be called into action -- the exploit has been found to be possible in all tested versions of Red Hat as well as other distributions.
Over on the GRIMM blog, security researcher Adam Nichols says:
We found three bugs in a forgotten corner of the mainline Linux kernel that turned out to be about 15 years old. Unlike most things that we find gathering dust, these bugs turned out to still be good, and one turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments.
Talking to security site SC Media, Nichols explains:
If you already had execution on a box, either because you have a user account on the machine, or you’ve compromised some service that doesn't have repaired permissions, you can do whatever you want basically.
There is something of a blessing in the fact that the vulnerabilities exist "in code that is not remotely accessible, so this isn't like a remote exploit" -- but this does not mean they are harmless. Nichols warns that they take "any existing threat that might be there. It just makes it that much worse. And if you have users on the system that you don’t really trust with root access it, it breaks them as well".
In the blog post which details the three vulnerabilities, Nichols explains the type of systems that are affected:
In order for these bugs to be exposed to userland, the scsi_transport_iscsi kernel module must be loaded. This module is automatically loaded when a socket call that creates a NETLINK_ISCSI socket is performed. Additionally, at least one iSCSI transport must be registered with the iSCSI subsystem. The ib_iser transport module will be loaded automatically in some configurations when an unprivileged user creates a NETLINK_RDMA socket.
As SC Media explains: "The bugs have been patched in the following kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. All older kernels are end-of-life and will not receive patches".
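The loading conditions Nichols describes and the fixed releases quoted above give an administrator two concrete checks. The POSIX shell script below is an added example (not GRIMM's or the article's code): it reports whether a kernel version string is at or past the fixed release for its stable series, and whether scsi_transport_iscsi or ib_iser is currently loaded. It assumes that every series newer than 5.11 already carries the fix, and the lsmod sample it ships with is constructed.

```shell
#!/bin/sh
# Added example, not GRIMM's or the article's code.

# Fixed releases exactly as quoted in the article (SC Media).
FIXED_RELEASES="5.11.4 5.10.21 5.4.103 4.19.179 4.14.224 4.9.260 4.4.260"

# ver_ge A B: exit 0 when A >= B, comparing major.minor.patch numerically.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# iscsi_kernel_patched VERSION: exit 0 if VERSION carries the fix.
# Assumption: any series newer than 5.11 contains the fix; a series that is
# neither listed nor newer is end-of-life and is treated as unpatched.
iscsi_kernel_patched() {
    v=${1%%-*}                     # drop "-generic", "-rc1" and similar suffixes
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    series="$major.$minor"
    for fixed in $FIXED_RELEASES; do
        if [ "${fixed%.*}" = "$series" ]; then
            if ver_ge "$v" "$fixed"; then return 0; else return 1; fi
        fi
    done
    ver_ge "$v" "5.12"
}

# iscsi_modules_loaded: reads lsmod output on stdin; exit 0 if either of the
# modules named in the write-up is currently loaded.
iscsi_modules_loaded() {
    grep -Eq '^(scsi_transport_iscsi|ib_iser)[[:space:]]'
}

# Constructed lsmod sample (not captured from a real host) for offline use.
SAMPLE_LSMOD='Module                  Size  Used by
scsi_transport_iscsi   110592  1 ib_iser
ib_iser                 53248  0'

if [ "${1:-}" = "--live" ]; then
    if iscsi_kernel_patched "$(uname -r)"; then echo "kernel: fixed"; else echo "kernel: unpatched or EOL"; fi
    if lsmod | iscsi_modules_loaded; then echo "iscsi modules: loaded"; else echo "iscsi modules: not loaded"; fi
fi
```

Run it with `--live` on a host to check `uname -r` and `lsmod`; on hosts that have no use for iSCSI, a modprobe.d rule such as `install scsi_transport_iscsi /bin/false` prevents the on-demand load that makes the bugs reachable.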
You can read more about the vulnerabilities in the full GRIMM write-up.