Two vulnerabilities in the way the Linux kernel handles the conversion of specific data types could allow a malicious user to turn a local, unprivileged user account into a superuser account with root privileges, stated vulnerability management firm Qualys in an advisory published on July 20.
The vulnerabilities, confirmed by Red Hat and other vendors of Linux distributions, affect the Linux kernel starting with version 3.16, which was released in August 2014. Qualys security researchers confirmed the vulnerability and developed a proof-of-concept exploit to obtain full root privileges on the latest default installations of Ubuntu, Debian, and Fedora Workstation.
The vulnerability is not considered critical, as an attacker would have to be an authorized user of the system, but it should be patched as soon as possible, says Bharat Jogi, a senior manager of vulnerability and threat research at Qualys.
"We would classify this as an important vulnerability to patch," he says. "This vulnerability affects the Linux kernel’s filesystem layer, which is the most important function of any operating system and affects all major Linux operating systems in their default configuration."
The Linux kernel — the core software that manages Linux systems — has come under increasing scrutiny by security researchers. In April, a group of University of Minnesota researchers were banned from submitting suggested changes to the Linux maintainers after the researchers publicized a project in which they submitted vulnerable code to the developers maintaining the kernel — code that could have made it into a production release.
Kernel vulnerabilities that allow attackers to escalate privileges on Linux systems are uncommon, but not rare. In 2018, Qualys found another vulnerability in the kernel, an integer overflow, that would allow an attacker to escalate privileges. In 2016, another security firm found a similar privilege-raising issue.
The two vulnerabilities found by Qualys — CVE-2021-33909 and CVE-2021-33910 — allow an attacker "to mount a filesystem on a very long path, to crash systems and the whole system by allocating a very large space in the stack," stated Red Hat in its advisory for CVE-2021-33910. "The highest threat from this vulnerability is to the system availability."
Qualys further detailed the attack, saying that "if an unprivileged local attacker creates, mounts, and deletes a deep directory structure whose total path length exceeds 1GB," they can trigger the other vulnerability, CVE-2021-33909.
"The most likely attack scenario is from an internal threat where a malicious user is able to escalate from no privileges whatsoever to full root privileges," Qualys's Jogi says. "From an external threat perspective, if an attacker has been able to gain a foothold on a system via another vulnerability or a password breach, etc., the attacker can now escalate to full root privileges via this vulnerability."
Red Hat confirmed the issue in an advisory published on July 20 and warned that other products, such as the OpenShift Container Platform, OpenStack, and Red Hat Virtualization, could be affected.
"The issue results from not validating the size_t-to-int conversion prior to performing operations," the company stated in the advisory. "Any Red Hat product which relies on the Red Hat Enterprise Linux kernel is also potentially impacted."
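The bug class Red Hat names, a size_t narrowed to int before any range check, is easier to see in a small constructed program than in prose. The following C example is added here for illustration and is not the kernel's code, Qualys's proof of concept, or anything from the advisories: the function names, the `PATH_BUF_MAX` limit and the sample lengths are hypothetical, and the oversized sample assumes a 64-bit `size_t`. It places the unchecked pattern (convert, then validate) beside the corrected one (validate in the wide type, then convert) so the difference in what each accepts is visible on the same inputs.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed upper bound on the path length a caller is willing to handle
 * (hypothetical value, not a kernel constant). */
#define PATH_BUF_MAX 4096

/* Vulnerable pattern: narrow the size_t to int first, validate afterwards.
 * The check only ever sees the truncated value, so an oversized length can
 * masquerade as a small one. Returns the length the caller would proceed
 * with, or -1 if the (too late) check rejects it. */
int length_checked_after_conversion(size_t path_len)
{
    int len = (int)path_len; /* out-of-range conversion: gcc/clang wrap modulo 2^32 */
    if (len < 0 || len > PATH_BUF_MAX)
        return -1;
    return len;
}

/* Fixed pattern: validate in the wide type, then narrow. Anything that does
 * not fit an int, or exceeds the caller's limit, is rejected before the
 * conversion ever happens. */
int length_checked_before_conversion(size_t path_len)
{
    if (path_len > (size_t)INT_MAX || path_len > (size_t)PATH_BUF_MAX)
        return -1;
    return (int)path_len;
}

/* Constructed sample: 16 bytes past 2^32, far above any real path length but
 * with low 32 bits equal to 16. Assumes a 64-bit size_t. */
size_t oversized_sample_length(void)
{
    return ((size_t)1 << 32) + 16;
}

int main(void)
{
    /* Constructed inputs: one in range, one just over the limit, one absurd. */
    size_t samples[] = { 4000, 5000, oversized_sample_length() };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=%zu  convert-then-check=%d  check-then-convert=%d\n",
               samples[i],
               length_checked_after_conversion(samples[i]),
               length_checked_before_conversion(samples[i]));
    }
    return 0;
}
```

Both functions agree on 4000 (accepted) and 5000 (rejected). On the oversized length the convert-then-check version returns 16, so a caller would proceed as if it had a 16-byte path, while the check-then-convert version rejects it. The practical takeaway for code review is the ordering: any comparison against a limit must be done in the original wide type, before the cast, because a check placed after the cast can only inspect what survived the truncation.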
The fact that a vulnerability has managed to hide from security researchers for seven years is not surprising. Earlier this year, Qualys discovered more than 21 vulnerabilities in the Exim mail server that attackers — including nation-state cyber operators — have targeted in the past.
While the scrutiny put on open source software is supposed to result in the quick discovery of vulnerabilities, most open source components do not get the attention they deserve, says Qualys's Jogi.
"In a perfect world, there would be no bugs in commercial or open source software, but unfortunately that isn’t the world we live in," he says. "Even in this popular mail server [Exim], we discovered vulnerabilities lying in wait since 2004. While open source has made auditing of bugs more accessible, we still need more eyes diligently looking to identify vulnerabilities."
Qualys, Red Hat and other vendors recommended that all administrators of Linux systems upgrade to the latest version of the Linux kernel, version 5.13.4, which was released on July 20. The Mac OS operating system, which is somewhat based on a variant of BSD Unix, is not vulnerable.