Cybersecurity researchers have discovered a vulnerability in the Linux kernel’s Transparent Inter Process Communication (TIPC) module. It could be exploited locally and remotely to execute arbitrary code within the kernel and take control of susceptible devices.
According to a report by cybersecurity firm SentinelOne, the heap overflow flaw may be exploited locally or remotely within a network to obtain kernel privileges, allowing an attacker to compromise the whole machine.
TIPC is a transport layer protocol that allows nodes in dynamic cluster settings to connect with one other in a more efficient and fault-tolerant way than other protocols like TCP. SentinelOne discovered a vulnerability in a new message type called “MSG_CRYPTO,” which allows peer nodes in a cluster to communicate cryptographic keys.
While the protocol checks such messages after decryption to verify that the actual payload size does not exceed the maximum user message size and that the latter is more significant than the message header size, no constraints on the length of the key (aka ‘keylen’) itself were detected.
Thus, “an attacker can generate a packet with a tiny body size to allocate heap memory, and then write outside the confines of this location using an arbitrary size in the ‘keylen’ property.”
So far, there isn’t any sign that the vulnerability has been exploited in real-world operations, and the problem was patched in Linux Kernel version 5.15, which was published on October 31, 2021.
According to Linux kernel maintainers, the function tipc_crypto_key_rcv is employed to parse MSG_CRYPTO messages to obtain keys from other nodes in the cluster to decode any additional messages from them. This patch ensures that any sizes specified in the message body are correct for the message received.
Although end users, not the system, load TIPC, the ability to configure it from an unprivileged local perspective and the prospect of remote exploitation make this a critical vulnerability for those who employ it on their networks.