Linux Kernel Bug Allows Remote Control
A critical, heap-overflow vulnerability in the Transparent Inter Process Communication (TIPC) module of the Linux kernel can lead to remote code execution and system compromise. TIPC is a peer-to-peer protocol used by nodes within a Linux cluster to communicate with each other in an optimized way. It allows various types of messages used for different purposes. According to SentinelLabs, the bug is in a message type that allows nodes to send cryptographic keys to each other. When received, the keys can be used to decrypt further communications from the sending node.
According to SentinelLabs researcher Max Van Amerongen, TIPC can be used as a socket and can be configured on an interface as an unprivileged user. Once loaded by a user, all message construction and parsing is performed in the kernel, which makes it an ideal target for attack. When it comes to message construction, every TIPC message has a common header format. According to the researcher, the common header contains a header size allocation, which is the actual header size shifted to the right by two bits. It also contains a message size allocation that is equal to the length of the entire TIPC message. For existing message types, the message size is validated as greater than the header size, the payload size is validated against the maximum user message size, and the message size is validated against the actual received packet length. However, a new message type was introduced in September 2020 that lacks such size validations, opening the door to a heap-overflow exploit.
The additional message type, MSG_CRYPTO, allows peers to send cryptographic keys to each other. The messages contain the name of the key algorithm and the key itself. The size allocation for this is the message size itself, minus the header size. However, there are no size-validation checks for either the key length or the size of the key against the message size. This means that a hacker can create a packet with a small body size to allocate heap memory, and then use an arbitrary size in the key length attribute to write outside the bounds of this location. Also, the message-validation function only checks that the message size in the header is within the bounds of the actual packet. A hacker could create a 20-byte packet and set the message size to 10 bytes without failing the check.
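As an added example that is not the kernel's code or the researcher's, the following C sketch models the length validation the text says the MSG_CRYPTO path lacked: each declared length (header size, message size, key length) is checked against the next-larger container before any of them is used to size an allocation or a copy. The layout, HDR_LEN, MAX_KEY_LEN and the field offsets are assumptions made for this example, not the TIPC wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout for this example (not the TIPC wire format): a fixed
   8-byte header holding the declared header size and message size, then a
   crypto body holding a 4-byte key length followed by the key bytes. */
#define HDR_LEN 8
#define MAX_KEY_LEN 64
#define MAX_PKT 256

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Returns 1 if every declared length is consistent with the bytes actually
   received (pkt_len), 0 otherwise. Only after a successful return may key_len
   be trusted to size a heap buffer or a memcpy. */
int crypto_msg_valid(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HDR_LEN) return 0;
    uint32_t hdr_sz = rd32(pkt);
    uint32_t msg_sz = rd32(pkt + 4);
    /* Header must be the known size, the message must at least cover the
       header plus the key-length field, and it must not claim more bytes
       than were received. */
    if (hdr_sz != HDR_LEN || msg_sz < hdr_sz + 4 || msg_sz > pkt_len) return 0;
    size_t body = msg_sz - hdr_sz;          /* the "size allocation" in the text */
    uint32_t key_len = rd32(pkt + hdr_sz);
    /* The check the article describes as missing: the key must fit inside the
       body the message size actually allocates, and within a sane cap. */
    if (key_len > MAX_KEY_LEN || key_len > body - 4) return 0;
    return 1;
}

/* Builds a constructed packet of pkt_len bytes with the given declared sizes
   and runs it through the validator, to exercise the cases the text describes. */
int check_constructed(uint32_t msg_sz, uint32_t key_len, size_t pkt_len) {
    uint8_t pkt[MAX_PKT];
    if (pkt_len > MAX_PKT || pkt_len < HDR_LEN + 4) return -1;
    memset(pkt, 0xAA, sizeof pkt);          /* filler standing in for key bytes */
    wr32(pkt, HDR_LEN);
    wr32(pkt + 4, msg_sz);
    wr32(pkt + HDR_LEN, key_len);
    return crypto_msg_valid(pkt, pkt_len);
}
```

The last two cases in the test mirror the article's scenarios: a message whose declared size is smaller than the packet but whose key length points past the allocated body, and a message that claims more bytes than actually arrived.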
The bug affects Linux kernel versions between 5.10 and 5.15. While the TIPC module comes with all major Linux distributions, it's not turned on by default and does need to be enabled to be vulnerable to attack. Linux users should apply the patch, which adds appropriate size-verification checks to the process. While TIPC itself isn't loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation make this dangerous for those who use it in their networks. A hacker who exploits this vulnerability could execute arbitrary code within the kernel, leading to a complete compromise of the system.