
Fifteen-Year-Old Linux Vulnerability Allows Local Privilege Escalation, Information Leak, and Denial of Service

Researchers at GRIMM disclosed three vulnerabilities in the Linux kernel that allow a local attacker to gain root privileges.

The bugs sit in the iSCSI kernel subsystem and have been present for more than 15 years. They are local bugs, though: an attacker must first obtain a foothold on the system by other means before they can be exploited.

Separately, Trend Micro's Zero Day Initiative (ZDI) reported another vulnerability of roughly the same age, this one in ISC BIND, the DNS server widely deployed on Linux, affecting only servers configured to use the GSS-TSIG feature.

The discovery of old but still-live bugs underscores the need for open-source maintainers to keep auditing the external modules and third-party code they pull in, to ensure that code follows current security best practices, according to the ZDI.

Three bugs in the Linux iSCSI subsystem allow local privilege escalation

The three bugs, CVE-2021-27363 (a kernel pointer leak), CVE-2021-27364 (an out-of-bounds read), and CVE-2021-27365 (a heap buffer overflow), together allow an unprivileged local user to gain root privileges.

GRIMM's proof-of-concept exploit uses them to bypass the kernel's exploit mitigations: Kernel Address Space Layout Randomization (KASLR), Supervisor Mode Access Prevention (SMAP), Supervisor Mode Execution Protection (SMEP), and Kernel Page-Table Isolation (KPTI).

Adam Nichols, a GRIMM security researcher, says the flaws are present in the kernel shipped by every Linux distribution. Fortunately, the affected iSCSI modules are not loaded by default.

For example, the scsi_transport_iscsi kernel module is loaded only on demand: as Nichols explained, the kernel autoloads it when matching hardware appears or when some code path requests functionality the module provides.

However, an unprivileged attacker can deliberately trigger that on-demand loading to bring the vulnerable modules into the kernel and then exploit them.

“In an effort to be helpful and improve compatibility, the Linux kernel can load kernel modules on-demand if particular code notices some functionality is needed and can be loaded, like support for uncommon protocol families. This is helpful, but it also opens up the attack surface for local attackers because it allows unprivileged users to load obscure kernel modules which they can then exploit.”

The risk of on-demand module loading has long been understood, but the patches that Dan Rosenberg proposed in 2010 to restrict it were never merged.

Nichols noted that on CentOS 8, Fedora, and RHEL 8, unprivileged users can trigger loading of the required modules if the rdma-core package is installed.

On Debian and Ubuntu, by contrast, the two required modules are autoloaded only when RDMA hardware is also present, a precondition that makes exploitation far less likely in practice.
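As an added example (not GRIMM's code and not part of the original article), the following POSIX shell script audits whether the iSCSI modules are currently loaded and, on hosts that do not need iSCSI, blocks their on-demand loading with a modprobe.d drop-in. The module list is an assumption: the article names only scsi_transport_iscsi, and libiscsi is the iSCSI library module built on top of it; change the variable to suit your kernel. It uses `install <module> /bin/false` rather than `blacklist`, because `blacklist` only suppresses alias-based loading and does not stop the request_module() autoload path the article describes. The /proc/modules sample in the comments is constructed.

```shell
#!/bin/sh
# Added example: audit and block on-demand loading of the iSCSI kernel modules
# involved in CVE-2021-27363/27364/27365. Not GRIMM's research code.
#
# Module list is an assumption (only scsi_transport_iscsi is named in the
# article). Dependents are listed first so unloading works in this order.
ISCSI_MODULES="libiscsi scsi_transport_iscsi"

# Print the names of the watched modules that are currently loaded.
# Reads a file in /proc/modules format (first field is the module name),
# e.g. the constructed line:
#   scsi_transport_iscsi 118784 1 ib_iser, Live 0x0000000000000000
# Defaults to the live /proc/modules.
loaded_iscsi_modules() {
    proc_modules="${1:-/proc/modules}"
    for m in $ISCSI_MODULES; do
        # exact match on field 1, so libiscsi_tcp does not count as libiscsi
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$proc_modules"; then
            printf '%s\n' "$m"
        fi
    done
}

# Emit modprobe.d directives that make any attempt to load the module run
# /bin/false instead. "install" overrides request_module()-driven autoload;
# "blacklist" alone would not, because it only suppresses alias matches.
modprobe_deny_config() {
    for m in $ISCSI_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Print the watched modules that have no "install <name> ..." rule in the
# given modprobe.d directory (default /etc/modprobe.d). Empty output means
# every watched module is already denied.
undenied_iscsi_modules() {
    modprobe_dir="${1:-/etc/modprobe.d}"
    for m in $ISCSI_MODULES; do
        # grep -s keeps a missing directory or empty glob from printing errors;
        # its non-zero exit then correctly reports the module as not denied.
        if ! grep -qsE "^[[:space:]]*install[[:space:]]+$m[[:space:]]" "$modprobe_dir"/*.conf; then
            printf '%s\n' "$m"
        fi
    done
}

# Write the deny drop-in (run as root) and unload modules that are already
# loaded but idle; the install rule only affects future load attempts.
apply_modprobe_deny() {
    conf="${1:-/etc/modprobe.d/deny-iscsi.conf}"
    modprobe_deny_config > "$conf"
    for m in $(loaded_iscsi_modules); do
        modprobe -r "$m" 2>/dev/null || echo "still loaded (in use?): $m" >&2
    done
}

# Usage:  sh iscsi_autoload.sh audit   # what is loaded / not yet denied
#         sh iscsi_autoload.sh deny    # as root: write drop-in, unload idle modules
case "${1:-}" in
    audit)
        echo "loaded:"; loaded_iscsi_modules
        echo "not denied in /etc/modprobe.d:"; undenied_iscsi_modules ;;
    deny)
        apply_modprobe_deny ;;
esac
```

Denying the modules is only a stopgap for systems that never use iSCSI; the real fix is the patched kernel from your distribution. Note too that an `install` rule does not unload a module that is already resident, which is why the `deny` action also attempts `modprobe -r` and reports any module it could not remove.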

Another fifteen-year-old vulnerability, in ISC BIND, could allow remote code execution

Meanwhile, ZDI researchers say that a second fifteen-year-old bug, CVE-2020-8625 in ISC BIND, could in theory allow remote code execution.

The bug is in BIND's implementation of the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), which BIND uses for GSS-TSIG. It causes a 4-byte heap overflow that can be triggered remotely, without authentication, against servers that have GSS-TSIG enabled.
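An added check, not ISC's or ZDI's code and not from the article: a POSIX shell function that reports whether a named.conf enables GSS-TSIG, the precondition for reaching the SPNEGO code in CVE-2020-8625. It assumes the two BIND options that turn the feature on are tkey-gssapi-keytab and tkey-gssapi-credential (taken from ISC's documentation, not from this page) and strips line comments first so that a commented-out option is not reported as active. The named.conf in the comments is constructed.

```shell
#!/bin/sh
# Added example: does this named.conf expose BIND to CVE-2020-8625?
# Assumption: the SPNEGO code is reachable only when GSS-TSIG is configured,
# which either of these two options does.
GSSTSIG_OPTIONS="tkey-gssapi-keytab tkey-gssapi-credential"

# Remove comments so a disabled (commented-out) option is not counted.
# Handles //, # and single-line /* */ comments; a multi-line block comment
# is left in place and can only cause a false positive, which is the safe side.
strip_named_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' -e 's:/\*.*\*/::g' "$1"
}

# Print each GSS-TSIG option that is active in the config file given as $1
# (default /etc/named.conf). Empty output means GSS-TSIG is not enabled.
# Constructed input that should report tkey-gssapi-keytab only:
#   options {
#       tkey-gssapi-keytab "/etc/named.keytab";   // enables GSS-TSIG
#       // tkey-gssapi-credential "DNS/ns1.example.test@EXAMPLE.TEST";
#   };
gss_tsig_options_enabled() {
    conf="${1:-/etc/named.conf}"
    stripped=$(strip_named_comments "$conf")
    for opt in $GSSTSIG_OPTIONS; do
        # the option must begin a statement and carry a value ending in ';'
        if printf '%s\n' "$stripped" | grep -qE "(^|[[:space:]{;])$opt[[:space:]]+\"?[^;]+;"; then
            printf '%s\n' "$opt"
        fi
    done
}

# Usage: sh bind_gsstsig_check.sh /etc/named.conf
if [ -n "${1:-}" ]; then
    enabled=$(gss_tsig_options_enabled "$1")
    if [ -n "$enabled" ]; then
        echo "GSS-TSIG enabled via: $enabled -> update BIND for CVE-2020-8625"
    else
        echo "GSS-TSIG not enabled; the CVE-2020-8625 SPNEGO path is not reachable"
    fi
fi
```

If the check reports GSS-TSIG as enabled, the only real remedy is updating to a fixed BIND release; disabling GSS-TSIG is a mitigation only where dynamic updates from Kerberos clients (typically Windows domain members) are not needed.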

Surprisingly, both sets of vulnerabilities escaped the attention of open-source contributors and maintainers since 2006.

“It is potentially interesting to the cyber community in light of the revelations of the Microsoft Exchange, F5, Accellion, and SolarWinds flaws, that our open-source systems are just as vulnerable – and in this case, the exposure has been for far longer,” says Garret Grajek, CEO at YouAttest. “The key to remember is that all of our systems are under attack.”

Saryu Nayyar, CEO of Gurucul, wonders how the iSCSI Linux vulnerability remained undetected for so long.

“The recently revealed vulnerability in the iSCSI Linux kernel module is interesting in that it remained unnoticed for so long. Historically the Open-Source Linux kernel has had the benefit of many eyes on the code, which would often quickly identify and correct problems like this.”

Commenting on the fifteen-year-old Linux vulnerability, Michael Mitama, CEO at THETA432, says:

“The findings by GRIMM are the reason why classic vulnerability scanning and testing are not enough. This requires consistent threat emulation and threat modeling with not only pentesters but also bug bounty hunters and threat hunters on the team specializing in Linux-based systems to assist in identifying these flaws.”