Remote vulnerability in the Linux kernel's TIPC protocol implementation

A vulnerability (CVE-2022-0435) has been identified in the Linux kernel module that implements the TIPC (Transparent Inter-process Communication) network protocol. It potentially allows code to be executed at the kernel level by sending a specially crafted network packet. The issue affects only systems that have the tipc.ko kernel module loaded and a TIPC bearer configured; TIPC is typically used in clusters and is not enabled by default on general-purpose Linux distributions.

It is noted that when the kernel is built with CONFIG_FORTIFY_SOURCE=y (as in RHEL), which adds bounds checks to memcpy(), the impact is limited to a denial of service: the kernel panics. Without these additional checks, and given a leak of the stack canary that protects the return address, the problem can be used to remotely execute code with kernel privileges. The researchers who identified the problem state that the exploitation technique is trivial and will be disclosed once the vulnerability has been widely fixed in distributions.

The vulnerability is a stack buffer overflow in the processing of domain records carried in TIPC packets, triggered when the field holding the number of member nodes in the domain exceeds 64. The tipc.ko module stores node parameters in a fixed-size array, "u32 members[64]", but when it processes the domain record from the packet it does not check the value of "member_cnt" against that bound. A value greater than 64 therefore causes a controlled overwrite of the memory that follows the "dom_bef" structure on the stack.
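The missing bound check, with the pre-fix and post-fix validation side by side, as an added example: this is a userspace C model written for this page, not the kernel's code. The struct layout, MAX_MON_DOMAIN and dom_rec_len() follow net/tipc/monitor.c; build_record() and the accept_record_*() functions are this example's own simplification of the receive-path checks in tipc_mon_rcv() (the upstream function name, not mentioned on the page), and the node addresses in the constructed record are made up. Note that the length consistency check alone passes any member count, because the attacker controls both "len" and "member_cnt"; only the explicit comparison with 64 stops the oversized record before it is copied into the 272-byte stack structure.

```c
/*
 * Model of the TIPC domain-record size check behind CVE-2022-0435.
 * Added example, not kernel code. struct tipc_mon_domain, MAX_MON_DOMAIN
 * and dom_rec_len() mirror net/tipc/monitor.c; everything else is a
 * simplification written for this page.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MON_DOMAIN 64

/* Domain record as the kernel caches it, and as it sits on the stack
 * as "dom_bef" during receive processing. sizeof == 272 bytes. */
struct tipc_mon_domain {
    uint16_t len;        /* record length in bytes */
    uint16_t gen;        /* generation */
    uint16_t ack_gen;
    uint16_t member_cnt; /* number of entries used in members[] */
    uint64_t up_map;     /* bitmap of members that are up */
    uint32_t members[MAX_MON_DOMAIN];
};

/* Byte length of a record holding mcnt members: 16-byte header + mcnt u32s. */
static size_t dom_rec_len(uint16_t mcnt)
{
    return offsetof(struct tipc_mon_domain, members) + (size_t)mcnt * sizeof(uint32_t);
}

/* Bytes a memcpy of a record with this member count would write past the
 * end of a stack copy of struct tipc_mon_domain: 0 up to 64, positive above. */
long stack_overrun_bytes(uint16_t member_cnt)
{
    return (long)dom_rec_len(member_cnt) - (long)sizeof(struct tipc_mon_domain);
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Build a constructed domain record in network byte order, with "len" and
 * "member_cnt" consistent with each other. Returns the record length,
 * or 0 if buf is too small. */
size_t build_record(uint8_t *buf, size_t cap, uint16_t member_cnt)
{
    size_t len = dom_rec_len(member_cnt);
    if (len > cap)
        return 0;
    memset(buf, 0, len);
    put_be16(buf + 0, (uint16_t)len); /* len */
    put_be16(buf + 2, 1);             /* gen */
    put_be16(buf + 4, 0);             /* ack_gen */
    put_be16(buf + 6, member_cnt);    /* member_cnt */
    /* up_map at offset 8 left zero; members start at offset 16 */
    for (uint16_t i = 0; i < member_cnt; i++)
        put_be32(buf + 16 + (size_t)i * 4, 0x01001000u + i); /* made-up node addresses */
    return len;
}

/* Pre-fix validation: only checks that the packet length matches the
 * advertised member count, never that the count fits members[64]. */
bool accept_record_unpatched(const uint8_t *data, size_t dlen)
{
    if (dlen < dom_rec_len(0))
        return false;
    uint16_t mcnt = be16(data + 6);
    return dlen == dom_rec_len(mcnt);
}

/* Post-fix validation: reject member counts above MAX_MON_DOMAIN before
 * the record is cached or copied anywhere. */
bool accept_record_patched(const uint8_t *data, size_t dlen)
{
    if (dlen < dom_rec_len(0))
        return false;
    uint16_t mcnt = be16(data + 6);
    if (mcnt > MAX_MON_DOMAIN)
        return false;
    return dlen == dom_rec_len(mcnt);
}

int main(void)
{
    static uint8_t pkt[4096];
    const uint16_t counts[] = { 64, 65, 200 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t len = build_record(pkt, sizeof pkt, counts[i]);
        printf("member_cnt=%u len=%zu unpatched=%s patched=%s overrun=%ld bytes\n",
               counts[i], len,
               accept_record_unpatched(pkt, len) ? "accept" : "reject",
               accept_record_patched(pkt, len) ? "accept" : "reject",
               stack_overrun_bytes(counts[i]));
    }
    return 0;
}
```

The 16-byte header offset and the 272-byte structure size hold on the common 32- and 64-bit ABIs (u64 alignment of 4 or 8 gives the same layout here); a record with member_cnt=65 is only four bytes too long, which is why the overflow is described as controlled rather than as a crash.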

The bug leading to the vulnerability was introduced on June 15, 2016 and shipped in Linux 4.8. It has been fixed in Linux kernel releases 5.16.9, 5.15.23, 5.10.100, 5.4.179, 4.19.229, 4.14.266 and 4.9.301. At the time of writing the problem remains unfixed in the kernels of most distributions: RHEL, Debian, Ubuntu, SUSE, Fedora, Gentoo, Arch Linux.

The TIPC protocol was originally developed by Ericsson; it is designed for inter-process communication within a cluster and is enabled mainly on cluster nodes. TIPC can run both over Ethernet and over UDP (port 6118). When running over Ethernet, an attack can be mounted from the local network; over UDP it can be mounted from the Internet if the port is not blocked by a firewall. The attack can also be carried out by an unprivileged local user on the host. To activate TIPC, the tipc.ko kernel module must be loaded and a bearer bound to a network interface using netlink or the tipc utility; a host on which lsmod shows no tipc module is not exposed.

Source: opennet.ru
