SentinelLabs recently shared a detailed post about a heap overflow vulnerability affecting Linux devices. This heap overflow bug affects all Linux distros Kernel TIPC module.
TIPC, or Transparent Inter Process Communication, is a dedicated module meant for cluster-wide communication operations such as service addressing, service tracking, group messaging, and more.
The researchers found this vulnerability while analyzing Linux Kernel source code via the CodeQL tool. CodeQL is a semantic code analysis engine that can also help in finding bugs as it allows running queries on code.
Using this tool, the researcher found the heap overflow vulnerability exploiting which could allow an adversary to gain kernel-level privileges.
Elaborating on the exact issue in the TIPC module, the post reads,
The Header Size and the Message Size are both validated against the actual packet size. So while these values are guaranteed to be within the range of the actual packet, there are no similar checks for either the
keylenmember of the
MSG_CRYPTOmessage or the size of the key algorithm name itself (
TIPC_AEAD_ALG_NAME) against the message size. This means that an attacker can create a packet with a small body size to allocate heap memory, and then use an arbitrary size in the
keylenattribute to write outside the bounds of this location.
An adversary could exploit this flaw both locally and even remotely. Hence, it posed a serious security risk to Linux systems.
Upon discovering the bug, identified as CVE-2021-43267, the researcher reached out to Kernel.org to report the matter. This bug potentially affects Linux kernel versions 5.10-rc1 and 5.15.
The developers have fixed the bug with the release of kernel version 5.15. Users should ensure they update to this version at the earliest opportunity.