Vulnerability in Linux kernel could let hackers remotely take over systems
Heap overflow attacks can exploit TIPC module in all common Linux distributions
Security researchers have discovered a heap overflow vulnerability in the Transparent Inter-Process Communication (TIPC) module of the kernel of Linux operating systems. Hackers could exploit the vulnerability locally or remotely within a network to gain kernel privileges.
Researchers at SentinelLabs said the vulnerable TIPC module is included in all common Linux distributions but the user must load it to activate the protocol. By exploiting the vulnerability, attackers can compromise the entire system, potentially leading to grave consequences.
TIPC is a protocol that enables the nodes in a cluster to communicate efficiently while remaining fault-tolerant. The protocol is implemented in a kernel module that is included in all common Linux distributions. When loaded by a user, it can be used as a socket and configured as an unprivileged user on an interface with netlink (or with the userspace tool tipc, which makes these netlink calls).
In September 2020, a new user message type called MSG_CRYPTO was introduced. This enables the sending and exchanging of cryptographic keys, which is the origin of the flaw.
The possibility of configuration starting from an unprivileged local level and the risk of exploitation from a distance make this a hazardous weak point for all those who use affected systems in their networks. It is particularly worrying that an attacker who exploited this vulnerability could execute arbitrary code within the kernel, potentially resulting in outsiders completely compromising the system.
RELATED RESOURCE
ITSM workflow handbook: No more "If only IT could do X"
What you need to deliver resilient AI-powered service operations that delight employees
“As for the data being overwritten, at first glance it may look like the overflow will have uncontrolled data, since the actual message size used to allocate the heap location is verified,” said researchers.
“However, a second look at the message validation function shows that it only checks that the message size in the header is within the bounds of the actual packet. That means that an attacker could create a 20-byte packet and set the message size to 10 bytes without failing the check.”
On October 19, SentinelLabs reported the findings. In cooperation with the Linux Foundation and one of the TIPC managers, the security researchers created a patch that has been available since October 29th and has been available in current Linux versions (after 5.15) since October 31st.
As the vulnerability was discovered within a year of its introduction to the code base, TIPC users should check whether their Linux kernel version is between 5.10-rc1 and 5.15 and, if necessary, update it.
As of this writing, SentinelOne has not found any evidence of cyber criminals’ successful misuse of the protocol.
-
Oracle leans on one-size-fits-all appeal of OCI for enterprisesOpinion Oracle sees its neutral approach to AI deployment, full-stack scalability, and commitment to sovereign deployment as its USPs in the age of agentic AI
-
Everything you need to know about GitHub's new AI training policyNews Users of certain GitHub Copilot plans will have interaction data used to train AI models, but can opt out
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Two Fortinet vulnerabilities are being exploited in the wild – patch nowNews Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
