Researchers have discovered a remotely exploitable stack buffer overflow in a commonly used Linux kernel module that has been present for more than five years.
The bug is in the kernel networking module for the Transparent Inter-Process Communication (TIPC) protocol, which is used for communications between clusters. The messages can be sent over either UDP or ethernet, and Samuel Page, a senior exploit developer at Appgate, discovered the stack overflow in TIPC while looking at a previously discovered heap overflow that was disclosed in November. The earlier vulnerability (CVE-2021-43267) allowed an attacker to gain kernel-level privileges either locally or remotely.
The newer bug (CVE-2022-0435), disclosed Tuesday, can give an attacker the ability to cause a denial-of-service, or in some cases, code execution.
“Exploitation is trivial and can lead to denial of service via kernel panic. In the absence, or bypass, of stack canaries/KASLR the vulnerability can lead to control flow hijacking with an arbitrary payload,” the advisory from Appgate says.
The vulnerability is present in versions 4.8 through 5.17-rc3 of the Linux kernel, and a patch is available now. Upgrading to the patched version is the simplest defense against this flaw, but for organizations that can’t upgrade immediately, Page recommends enforcing a configuration that prevents an attacker from impersonating a node in their clusters, such as using TIPC-level encryption.
“The vulnerability lies in the fact that during the initial sanity checks, the function doesn't check that member_cnt is below MAX_MON_DOMAIN which defines the maximum size of the members array. By pretending to be a peer node and establishing a link with the target, locally or remotely, we're able to first submit a malicious domain record containing an arbitrary payload; so long as the len/member_cnt fields match up for the sanity checks, this will be kmallocated fine,” Page said in the advisory.
“Next, we can send a newer domain record which will cause the previous malicious record to be memcpy'd into a 272 bytes local struct tipc_mon_domain &dom_bef triggering a stack overflow.”
There are some restrictions on the ways in which an attacker can exploit this vulnerability.
“It’s worth noting here, from an exploitation context, that a remote attacker is restricted by the TIPC media types the target has already set up. Locally, if the module is loaded, an attacker can use the underlying netlink communications to configure a bearer (credit to bl@sty for his work on CVE-2021-43267). They won’t, however, have permissions to send raw ethernet frames, leaving a UDP bearer the likely option,” Page said.