Remote vulnerability in the implementation of the TIPC protocol in the Linux kernel

A critical vulnerability (CVE-2021-43267) has been identified in the implementation of the TIPC (Transparent Inter-process Communication) network protocol shipped in the Linux kernel. It allows remote code execution with kernel privileges by sending a specially crafted network packet. The severity is mitigated by the fact that the attack requires TIPC support to be explicitly enabled on the system (loading and configuring the tipc.ko kernel module), which non-specialized Linux distributions do not do by default.

The TIPC protocol has been supported since Linux kernel 3.19, but the code containing the vulnerability was only added in kernel 5.10. The vulnerability has been fixed in kernels 5.15.0, 5.10.77 and 5.14.16. The issue is present and not yet fixed in Debian 11, Ubuntu 21.04/21.10, SUSE (in the not yet released SLE15-SP4 branch), RHEL (it is not yet clear whether the vulnerable code has been backported) and Fedora. A kernel update has already been released for Arch Linux. Distributions shipping kernels older than 5.10, such as Debian 10 and Ubuntu 20.04, are not affected.

The TIPC protocol was originally developed by Ericsson; it provides inter-process communication within a cluster and is enabled mainly on cluster nodes. TIPC can run both over Ethernet and over UDP (network port 6118). When running over Ethernet, the attack can be carried out from the local network; when UDP is used, from the global network, provided the port is not blocked by a firewall. The attack can also be carried out by an unprivileged local user of the host. To enable TIPC, the tipc.ko kernel module must be loaded and a binding to a network interface set up using netlink or the tipc utility.

The vulnerability is in the tipc_crypto_key_rc function and is caused by the lack of a proper check that the header fields agree with the actual data size when parsing packets of the MSG_CRYPTO type, which are used to obtain encryption keys from other nodes in the cluster in order to decrypt the messages they send. The size of the data copied into memory is calculated as the difference between the message-size and header-size fields, without taking into account the actual size of the encryption algorithm name carried in the message and the key contents. The algorithm name is assumed to be of fixed size, and a separate size attribute is passed for the key; an attacker can put a value in this attribute that differs from the actual value, causing the tail of the message to be written outside the allocated buffer.

    struct tipc_aead_key {
        char alg_name[TIPC_AEAD_ALG_NAME];
        unsigned int keylen; /* in bytes */
        char key[];
    };
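The missing consistency check can be modelled in user space. This is an added example, not the kernel's code: the constants TIPC_AEAD_ALG_NAME and TIPC_AEAD_KEY_SIZE_MAX and the header length HDR_SIZE are assumed values, and the MSG_CRYPTO message is constructed inline so that the claimed key length and the bytes actually present can be made to disagree.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed sizes: the article gives only the struct layout, not the constants. */
#define TIPC_AEAD_ALG_NAME     32
#define TIPC_AEAD_KEY_SIZE_MAX 36
#define HDR_SIZE               24   /* assumed TIPC header length for the sample */

struct tipc_aead_key {
    char alg_name[TIPC_AEAD_ALG_NAME];
    unsigned int keylen;            /* in bytes, supplied by the sender */
    char key[];
};

/* The check the vulnerable code lacked: the data after the TIPC header must be
 * exactly the fixed struct prefix plus the key length the sender claims, and
 * that length must be bounded. Anything else means the sizes disagree. */
static bool msg_crypto_size_ok(uint32_t msg_size, uint32_t hdr_size, uint32_t keylen)
{
    if (hdr_size > msg_size || keylen > TIPC_AEAD_KEY_SIZE_MAX)
        return false;
    return msg_size - hdr_size == sizeof(struct tipc_aead_key) + keylen;
}

/* Copy the key out of a received MSG_CRYPTO body. Returns the number of key
 * bytes copied, or -1 when the sizes are inconsistent (nothing is copied). */
static int parse_msg_crypto(const uint8_t *msg, uint32_t msg_size, uint32_t hdr_size,
                            uint8_t *out, size_t out_cap)
{
    struct tipc_aead_key k;
    if (msg_size < hdr_size || msg_size - hdr_size < sizeof k)
        return -1;
    memcpy(&k, msg + hdr_size, sizeof k);       /* alignment-safe prefix read */
    if (!msg_crypto_size_ok(msg_size, hdr_size, k.keylen) || k.keylen > out_cap)
        return -1;
    memcpy(out, msg + hdr_size + sizeof k, k.keylen);
    return (int)k.keylen;
}

/* Constructed message: the struct claims `claimed` key bytes, `actual` follow. */
static int parse_constructed(uint32_t claimed, uint32_t actual)
{
    uint8_t buf[HDR_SIZE + sizeof(struct tipc_aead_key) + 128] = {0};
    uint8_t key[TIPC_AEAD_KEY_SIZE_MAX];
    struct tipc_aead_key k = { .alg_name = "gcm(aes)", .keylen = claimed };
    if (actual > 128)
        return -1;
    memcpy(buf + HDR_SIZE, &k, sizeof k);
    memset(buf + HDR_SIZE + sizeof k, 0xAB, actual);
    return parse_msg_crypto(buf, HDR_SIZE + sizeof k + actual, HDR_SIZE, key, sizeof key);
}
```

A message whose claimed key length matches the bytes present is accepted; one whose claimed length exceeds the bytes present, or exceeds the bound, is rejected before any copy takes place.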

Source: opennet.ru
