Linux kernel’s support for older hardware means some systems are vulnerable to flaws found in fifteen-year-old SCSI and iSCSI drivers
Some distributions of Linux are vulnerable to three fifteen-year-old vulnerabilities that have only recently been discovered and patched, researches say.
The bugs were introduced in 2006, but were recently discovered by security firm Grimm, which said they had been found in a “forgotten corner of the mainline Linux kernel“.
“Unlike most things that we find gathering dust, these bugs turned out to still be good, and one turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments,” wrote Grimm researcher Adam Nichols in an advisory.
The most serious of the three, CVE-2021-27365, has a high 7.8 risk level and can be used by a local attacker with basic access privileges to obtain root privileges by triggering a heap buffer overflow, Nichols said.
The flaw was introduced when the iSCSI subsystem was first being developed, he said.
“The vulnerability is triggered by setting an iSCSI string attribute to a value larger than one page, and then trying to read it,” he wrote.
While the bug itself requires local access to exploit, it can be used in combination with remotely exploitable bugs to pose more of a danger to Linux systems.
SCSI and iSCSI are used to handle venerable types of storage systems, but the drivers in question can be loaded by default on some distributions, or attackers can cause them to load, Nichols said.
Compatibility vs. security
“The presence of loaded kernel modules relating to the iSCSI subsystem on machines that don’t have attached iSCSI devices is a potential indicator of compromise,” he wrote.
The second most-serious bug, CVE-2021-27364, can cause an information leak or a denial-of-service. Nichols said Grimm has developed a proof-of-concept exploit for both of these flaws.
The third issue could allow an information leak only, making it less serious.
Nichols said old flaws can pose a threat to modern Linux systems because of the way Linux is designed to support older hardware.
“The bottom line is that this is still a real problem area for the Linux kernel because of the tension between compatibility and security,” he wrote.
“Administrators and operators need to understand the risks, their defensive options, and how to apply those options in order to effectively protect their systems.”
The company has provided information in its advisory on how to identify whether a given distribution is vulnerable.
However, patches became available in the mainline Linux kernel earlier this month, and systems using those updated kernels are not susceptible to these attacks.