Three bugs in the mainline Linux kernel that turned out to be about 15 years old, have been discovered by GRIMM researchers. The bugs affected the SCSI (Small Computer System Interface) kernel subsystem and Linux iSCSI subsystem. GRIMM researchers have provided a Proof of Concept (PoC) to demonstrate the exploitability of the vulnerabilities found.
What is SCSI?
SCSI is a venerable standard initially published in 1986 and was the go-to for server setups, and iSCSI is SCSI over TCP. SCSI is still in use today. ISCSI (Internet Small Computer System Interface) is a transport layer protocol that describes how Small Computer System Interface (SCSI) packets should be transported over a TCP/IP network.
Here are the three vulnerabilities:
- Heap buffer overflow (CVE-2021-27365)
- Kernel pointer leak (CVE-2021-27363)
- Out-of-bounds kernel memory read (CVE-2021-27364)
The three bugs allow a primary local user to gain root privileges. An attacker can bypass security measures like the Kernel Address Space Layout Randomization (KASLR), Supervisor Mode Access Prevention (SMAP), Kernel Page-Table Isolation (KPTI), and Supervisor Mode Execution Protection (SMEP). At the beginning of the march, patches became available in the mainline Linux kernel.
Impact flowchart
According to Adam Nichols, a GRIMM security researcher, security flaws exist on all Linux distributions. On CentOS 8, RHEL 8, and Fedora systems, unprivileged users can automatically load the required modules if the rdma-core package is installed. The following CentOS 8 and RHEL 8 Base Environments do NOT include this package in their initial installation, but it can be installed afterward via yum:
- Server
- Minimal Install
- Custom OS
The presence of loaded kernel modules relating to the iSCSI subsystem on machines that don’t have attached iSCSI devices is a potential indicator of compromise. An even greater indicator is the presence of the following log message in a host’s system logs:
localhost kernel: fill_read_buffer: dev_attr_show+0x0/0x40 returned bad count
FAQ
What is the most recent Linux kernel?
Currently, the most recent Linux kernel version is 6.1. The 6.2 version is expected to be released in the middle of February 2023.
How do you check the installed Linux kernel version?
You can check the Linux kernel version of your system with three different methods. You can simply use uname -r command to quickly check the Linux kernel version. You can also use cat /proc/version to check the version from a file. Installing the neofetch application is also an option to check the kernel version and it provides additional information about the other packages installed as well.
Can the Linux kernel be customized?
Yes, the Linux kernel can be customized. You can customize the Linux kernel by enabling or disabling specific options, and even adding new functionalities. But it’s a complicated process; you can check online guides about customizing the Linux kernel.
Is it legal to edit the Linux kernel?
Yes, it is legal to edit the Linux kernel since it is under General Public License.
Is the Linux kernel open source?
Yes, the Linux kernel is an open-source project.
Who developed the Linux kernel?
Linus Torvalds has developed and still developing the Linux kernel.
Does Linus Torvalds still work on Linux?
Yes, Linus Torvalds still works on developing the Linux kernel.
What is the Linux kernel written in?
Linux kernel code is written in the standard C programming language.