Three bugs in the mainline Linux kernel that turned out to be about 15 years old, have been discovered by GRIMM researchers. The bugs affected the SCSI (Small Computer System Interface) kernel subsystem and Linux iSCSI subsystem. GRIMM researchers have provided a Proof of Concept (PoC) to demonstrate the exploitability of the vulnerabilities found.
What is SCSI?
SCSI is a venerable standard initially published in 1986 and was the go-to for server setups, and iSCSI is SCSI over TCP. SCSI is still in use today. ISCSI (Internet Small Computer System Interface) is a transport layer protocol that describes how Small Computer System Interface (SCSI) packets should be transported over a TCP/IP network.
Here are the three vulnerabilities:
- Heap buffer overflow (CVE-2021-27365)
- Kernel pointer leak (CVE-2021-27363)
- Out-of-bounds kernel memory read (CVE-2021-27364)
The three bugs allow a primary local user to gain root privileges. An attacker can bypass security measures like the Kernel Address Space Layout Randomization (KASLR), Supervisor Mode Access Prevention (SMAP), Kernel Page-Table Isolation (KPTI), and Supervisor Mode Execution Protection (SMEP). At the beginning of the march, patches became available in the mainline Linux kernel.
Impact flowchart
According to Adam Nichols, a GRIMM security researcher, security flaws exist on all Linux distributions. On CentOS 8, RHEL 8, and Fedora systems, unprivileged users can automatically load the required modules if the rdma-core package is installed. The following CentOS 8 and RHEL 8 Base Environments do NOT include this package in their initial installation, but it can be installed afterward via yum:
- Server
- Minimal Install
- Custom OS
The presence of loaded kernel modules relating to the iSCSI subsystem on machines that don’t have attached iSCSI devices is a potential indicator of compromise. An even greater indicator is the presence of the following log message in a host’s system logs:
localhost kernel: fill_read_buffer: dev_attr_show+0x0/0x40 returned bad count