Positive Technologies researcher Alexander Popov found five high severity vulnerabilities in the Linux kernel that could lead to local privilege escalation.
The Linux kernel vulnerabilities are race conditions that reside in AF_VSOCK implementation, they were implicitly introduced in November 2019 in the commits c0cfa2d8a788fcf4 and 6a2c0962105ae8ce that added VSOCK multi-transport support.
A race condition is the condition of an electronics, software, or other system where the system’s substantive behavior is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when one or more of the possible behaviors is undesirable.
The race conditions stems in wrong locking in net/vmw_vsock/af_vsock.c.
“CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are automatically loaded when you create a socket for AF_VSOCK. That is available for unprivileged users and user namespaces are not needed for that. These vulnerabilities are race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c.” wrote Popov. “The race conditions were implicitly introduced in November 2019 in the commits c0cfa2d8a788fcf4 and 6a2c0962105ae8ce that added VSOCK multi-transport support. These commits were merged in the Linux kernel v5.5-rc1.”
The issues, collectively tracked as CVE-2021-26708, were introduced in kernel version 5.5 in November 2019, they received a CVSS score of 7.0,
The expert successfully developed a PoC exploit for local privilege escalation on Fedora 33 Server, it could allow bypassing x86_64 platform protections such as SMEP and SMAP.
The patch has been merged into mainline kernel version 5.11-rc7 and backported into affected stable trees.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Linux)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.