Vulnerability in the Linux kernel iSCSI subsystem allowing local privilege escalation

A vulnerability (CVE-2021-27365) has been identified in the Linux kernel's iSCSI subsystem code that allows an unprivileged local user to execute code at kernel level and gain root privileges on the system. A working exploit prototype is available for testing. The vulnerability is fixed in Linux kernel updates 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260 and 4.4.260. Updated kernel packages are available for Debian, Ubuntu, SUSE/openSUSE, Arch Linux and Fedora. No patches have been released for RHEL yet.

The problem stems from an error in the iscsi_host_get_param() function of the libiscsi module, introduced back in 2006 during development of the iSCSI subsystem. Because of missing size checks, some iSCSI string attributes, such as the hostname or username, can exceed PAGE_SIZE (4 KB). An unprivileged user can trigger the flaw by sending Netlink messages that set iSCSI attributes to values larger than PAGE_SIZE. When these attributes are later read through sysfs or seqfs, the code passes them to sprintf to copy them into a buffer whose size is PAGE_SIZE.
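As an added illustration (not kernel code and not from the article), the following user-space C program models the pattern just described: an attribute that is set without any length limit, a show routine that sprintf()s it into a PAGE_SIZE buffer, and the two checks that close the hole, a length check at set time and a bounded write at show time. The type and function names (iscsi_attr, set_param_checked, show_bounded and so on), the simplified struct and the constructed 5000-byte value are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not kernel code: a user-space model of the bug pattern.
 * Names (iscsi_attr, set_param_*, show_*) and the simplified struct are hypothetical. */

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096           /* size of the sysfs output buffer */
#endif

struct iscsi_attr {
    char  *value;                /* attribute text (hostname, username, ...), caller-supplied */
    size_t len;                  /* length of value without the NUL */
};

/* Pre-fix setter: stores a value of any length. */
int set_param_unchecked(struct iscsi_attr *a, const char *data, size_t len)
{
    char *v = malloc(len + 1);
    if (!v)
        return -1;
    memcpy(v, data, len);
    v[len] = '\0';
    free(a->value);
    a->value = v;
    a->len = len;
    return 0;
}

/* Vulnerable show: sprintf into a PAGE_SIZE buffer with no bound. It writes
 * len + 2 bytes (text, '\n', NUL), so any value longer than PAGE_SIZE - 2 overflows. */
int show_unbounded(const struct iscsi_attr *a, char page[PAGE_SIZE])
{
    return sprintf(page, "%s\n", a->value);
}

/* Pure predicate: would show_unbounded() write past the page for this attribute? */
int would_overflow_page(const struct iscsi_attr *a)
{
    return a->len + 2 > PAGE_SIZE;
}

/* Fix 1, at set time: refuse any value that cannot be shown inside one page. */
int set_param_checked(struct iscsi_attr *a, const char *data, size_t len)
{
    if (len + 2 > PAGE_SIZE)
        return -1;               /* the kernel would return -EINVAL here */
    return set_param_unchecked(a, data, len);
}

/* Fix 2, at show time: bounded write, never past the page even for a long value.
 * Returns the number of bytes stored, excluding the NUL. */
int show_bounded(const struct iscsi_attr *a, char page[PAGE_SIZE])
{
    int n = snprintf(page, PAGE_SIZE, "%s\n", a->value);
    if (n < 0)
        return -1;
    return n >= PAGE_SIZE ? PAGE_SIZE - 1 : n;
}

/* Constructed oversized value: len 'A' characters. */
static char *make_big_value(size_t len)
{
    char *big = malloc(len + 1);
    if (big) {
        memset(big, 'A', len);
        big[len] = '\0';
    }
    return big;
}

/* Demo: the oversized value passes the unchecked setter and would overflow the page,
 * but the checked setter rejects it. Returns 1 when all three observations hold. */
int demo_length_check(void)
{
    struct iscsi_attr a = { NULL, 0 };
    char *big = make_big_value(5000);
    int ok = big != NULL;

    ok = ok && set_param_unchecked(&a, big, 5000) == 0 && would_overflow_page(&a) == 1;
    ok = ok && set_param_checked(&a, big, 5000) == -1;
    free(a.value);
    free(big);
    return ok;
}

/* Demo: with the oversized value already stored, the bounded show stays inside the page.
 * Returns bytes stored (always < PAGE_SIZE), or -1 if the guard byte past the page changed. */
int demo_bounded_show(void)
{
    struct iscsi_attr a = { NULL, 0 };
    char *big = make_big_value(5000);
    char *page = malloc(PAGE_SIZE + 1);
    int n = -1;

    if (big && page && set_param_unchecked(&a, big, 5000) == 0) {
        page[PAGE_SIZE] = 'G';                       /* guard byte just past the page */
        n = show_bounded(&a, page);
        if (page[PAGE_SIZE] != 'G' || page[PAGE_SIZE - 1] != '\0')
            n = -1;
    }
    free(a.value);
    free(big);
    free(page);
    return n;
}

int main(void)
{
    struct iscsi_attr a = { NULL, 0 };
    char page[PAGE_SIZE];

    set_param_checked(&a, "host-a", 6);              /* short, legitimate value */
    printf("unbounded show wrote %d bytes\n", show_unbounded(&a, page));
    printf("bounded show wrote %d bytes\n", show_bounded(&a, page));
    printf("length check demo: %s\n", demo_length_check() ? "ok" : "FAILED");
    printf("bounded show on 5000-byte value stored %d bytes\n", demo_bounded_show());
    free(a.value);
    return 0;
}
```

The two fixes are deliberately independent: the set-time check stops oversized values from entering the attribute at all, and the bounded show keeps a page read safe even if a long value reaches it by some other path, which is why the model applies both rather than relying on either one alone.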

Whether the vulnerability can be exploited on a given distribution depends on whether the scsi_transport_iscsi kernel module is loaded automatically when a NETLINK_ISCSI socket is created. On distributions where this module autoloads, the attack is possible regardless of whether iSCSI is actually in use. Successful exploitation additionally requires at least one registered iSCSI transport; the ib_iser kernel module, which is loaded automatically when an unprivileged user creates a NETLINK_RDMA socket, can serve to register one.

Automatic loading of the modules the exploit needs is available in CentOS 8, RHEL 8 and Fedora when the rdma-core package is installed; rdma-core is a dependency of several popular packages and is installed by default in the workstation, GUI-based server and virtualization host configurations. It is not installed in a console-only server build or from the minimal installation image. For example, the package is included in the base Fedora 31 Workstation distribution but not in Fedora 31 Server. Debian and Ubuntu are less exposed, since there the rdma-core package loads the kernel modules required for the attack only if RDMA hardware is present.


As a security workaround, you can disable automatic loading of the libiscsi module:

echo "install libiscsi /bin/true" >> /etc/modprobe.d/disable-libiscsi.conf
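An added C checker (not from the article) that turns the two facts above into a quick audit: it classifies a kernel release string against the fixed stable versions listed earlier, and checks whether a modprobe.d configuration text contains the workaround line for a given module. The function names, the constructed sample configuration and the release strings are assumptions; distribution kernels that backport fixes without changing the version string (RHEL 8's 4.18.0-* kernels, for instance) are reported as "unknown" and have to be judged from the vendor's advisory.

```c
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Added example, not from the article: patch-status and workaround checks.
 * Function names, the sample config and the sample release strings are hypothetical. */

enum fix_state { KERNEL_FIXED, KERNEL_VULNERABLE, KERNEL_UNKNOWN };

/* Stable releases that carry the fix, as listed in the article. */
static const struct { int major, minor, patch; } fixed_releases[] = {
    {5, 11, 4}, {5, 10, 21}, {5, 4, 103}, {4, 19, 179},
    {4, 14, 224}, {4, 9, 260}, {4, 4, 260},
};

/* Classify a release string such as "5.10.30-1-amd64" or "4.18.0-240.el8.x86_64". */
enum fix_state kernel_fix_state(const char *release)
{
    int major = 0, minor = 0, patch = 0;
    size_t i;

    if (sscanf(release, "%d.%d.%d", &major, &minor, &patch) < 2)
        return KERNEL_UNKNOWN;                 /* not a version string at all */
    if (major > 5 || (major == 5 && minor > 11))
        return KERNEL_FIXED;                   /* every series newer than 5.11 has the fix */
    for (i = 0; i < sizeof fixed_releases / sizeof fixed_releases[0]; i++)
        if (fixed_releases[i].major == major && fixed_releases[i].minor == minor)
            return patch >= fixed_releases[i].patch ? KERNEL_FIXED : KERNEL_VULNERABLE;
    /* Series not in the list: unmaintained upstream, or a vendor kernel whose
     * backports cannot be judged from the version string alone. */
    return KERNEL_UNKNOWN;
}

/* Does modprobe.d configuration text contain "install <module> /bin/true"?
 * One directive per line; a line whose first token starts with '#' never matches. */
int modprobe_blocks(const char *conf, const char *module)
{
    const char *line = conf;

    while (line && *line) {
        const char *next = strchr(line, '\n');
        size_t n = next ? (size_t)(next - line) : strlen(line);
        char buf[256], cmd[16], mod[64], target[64];

        if (n >= sizeof buf)
            n = sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';
        if (sscanf(buf, "%15s %63s %63s", cmd, mod, target) == 3 &&
            strcmp(cmd, "install") == 0 && strcmp(mod, module) == 0 &&
            strcmp(target, "/bin/true") == 0)
            return 1;
        line = next ? next + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    static const char *names[] = { "fixed", "vulnerable", "unknown" };
    /* Constructed sample of what /etc/modprobe.d/disable-libiscsi.conf would contain. */
    const char *sample_conf = "# added as a workaround\ninstall libiscsi /bin/true\n";
    struct utsname u;

    if (uname(&u) == 0)
        printf("running kernel %s: %s\n", u.release, names[kernel_fix_state(u.release)]);
    printf("sample config blocks libiscsi: %s\n",
           modprobe_blocks(sample_conf, "libiscsi") ? "yes" : "no");
    return 0;
}
```

In a real deployment the configuration text would be read from every file under /etc/modprobe.d/ rather than from the constructed sample, and an "unknown" verdict should be treated as "not confirmed fixed" until the vendor advisory says otherwise.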

In addition, two less severe vulnerabilities that could leak kernel data have been fixed in the iSCSI subsystem: CVE-2021-27363 (leak of information about the iSCSI transport descriptor through sysfs) and CVE-2021-27364 (out-of-bounds buffer read). These vulnerabilities can be used to communicate with the iSCSI subsystem over a netlink socket without the necessary privileges; for example, an unprivileged user can connect to iSCSI and send an "end a session" command to terminate a session.

Source: opennet.ru
