Sequoia: Linux kernel security flaw gives unprivileged users root access
A vulnerability has been discovered in the Linux kernel that makes it possible to gain root access on a number of popular distributions, including Ubuntu, Debian and Fedora. The flaw has been named Sequoia, and it exists in the filesystem layer.
The security issue is thought to affect all versions of the Linux kernel released since 2014, meaning that a large number of distros are vulnerable. Specifically, the flaw is a size_t-to-int type conversion vulnerability that can be exploited to elevate privileges.
Writing about the findings, security researchers from Qualys say: "We discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string '//deleted' to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer".
The security firm explains what it was able to do:
We successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. Our exploit requires approximately 5GB of memory and 1M inodes; we will publish it in the near future.
A proof-of-concept crasher has already been published.
The security researchers offer details of two workarounds, but point out that these "prevent only our specific exploit from working (but other exploitation techniques may exist)":
- Set /proc/sys/kernel/unprivileged_userns_clone to 0, to prevent an attacker from mounting a long directory in a user namespace. However, the attacker may mount a long directory via FUSE instead; we have not fully explored this possibility, because we accidentally stumbled upon CVE-2021-33910 in systemd: if an attacker FUSE-mounts a long directory (longer than 8MB), then systemd exhausts its stack, crashes, and therefore crashes the entire operating system (a kernel panic).
- Set /proc/sys/kernel/unprivileged_bpf_disabled to 1, to prevent an attacker from loading an eBPF program into the kernel. However, the attacker may corrupt other vmalloc()ated objects instead (for example, thread stacks), but we have not investigated this possibility.
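The following script is an added example, not code from Qualys or from this article. It audits a host for the two sysctl workarounds listed above and can apply them. The function names, the acceptance of value 2 for unprivileged_bpf_disabled (newer kernels use 2 for "disabled, but may be re-enabled"), and the note that kernel.unprivileged_userns_clone exists only on Debian- and Ubuntu-patched kernels are the author's assumptions; the audit function takes a directory argument so it can be pointed at a constructed tree instead of the live /proc.

```shell
#!/bin/sh
# Added example: audit and apply the Sequoia sysctl workarounds.
# Read-only by default; apply_sequoia_workarounds needs root and is only
# run when you call it explicitly.

# check_sysctl DIR NAME ACCEPTED
#   Reads DIR/NAME and reports whether its value is in the space-separated
#   ACCEPTED list. Returns 0 when applied, 1 when not, 2 when the knob is
#   absent (e.g. unprivileged_userns_clone on non-Debian kernels).
check_sysctl() {
    dir="$1"; name="$2"; accepted="$3"
    file="$dir/$name"
    if [ ! -r "$file" ]; then
        echo "$name: not present on this kernel (workaround unavailable)"
        return 2
    fi
    value=$(cat "$file")
    case " $accepted " in
        *" $value "*)
            echo "$name = $value (workaround applied)"
            return 0 ;;
    esac
    echo "$name = $value (expected one of: $accepted; workaround NOT applied)"
    return 1
}

# audit_sequoia_workarounds [DIR]
#   Checks both knobs; returns 0 only when both are in a mitigated state.
#   DIR defaults to the live sysctl tree and is a parameter so tests can
#   point it at a constructed directory (assumption, not a kernel feature).
audit_sequoia_workarounds() {
    dir="${1:-/proc/sys/kernel}"
    rc=0
    # Workaround 1 from the advisory: block unprivileged user namespaces.
    check_sysctl "$dir" unprivileged_userns_clone "0" || rc=1
    # Workaround 2: block unprivileged eBPF. 1 = disabled (permanent);
    # 2 = disabled but re-enableable on newer kernels (assumption).
    check_sysctl "$dir" unprivileged_bpf_disabled "1 2" || rc=1
    return $rc
}

# apply_sequoia_workarounds
#   Sets both knobs at runtime (root required). These settings do not
#   survive a reboot; persist them under /etc/sysctl.d/ as well.
apply_sequoia_workarounds() {
    sysctl -w kernel.unprivileged_userns_clone=0
    sysctl -w kernel.unprivileged_bpf_disabled=1
}

# When run directly, audit the live kernel. The "|| echo" keeps a failed
# audit from aborting a caller that has "set -e" enabled.
audit_sequoia_workarounds "$@" || echo "Sequoia workarounds incomplete on this host"
```

Run it without arguments to audit the running kernel, then, as root, call apply_sequoia_workarounds and re-run the audit; remember that the researchers describe these as blocking only their own exploit, not the underlying bug.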
Qualys says that in order to completely fix this vulnerability, the kernel must be patched, and there is no suggestion of when this might happen.