MCP Insights

Cybersecurity Threat Advisory: Root Access by Way of Linux Kernel Bug

Posted on July 29, 2021 by Mike Beagles

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.


This week there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory overview

Qualys’s research team discovered a pair of vulnerabilities in the Linux operating system (OS). One is a local privilege escalation (LPE) vulnerability; the other is a stack-exhaustion, denial-of-service (DoS) vulnerability. Both can be exploited by an unauthorized user. Both vulnerabilities affect an integral part of the Linux operating system, which makes remediation all the more urgent. A patch has been released for both vulnerabilities and should be applied immediately.

What is the threat?

As previously stated, both the LPE and the stack-exhaustion vulnerability can be exploited by an unauthorized user. The LPE vulnerability, located in Linux’s filesystem layer, affects a multitude of Linux distributions, e.g., Ubuntu 21.04, Debian 11, and more. Researchers successfully exploited the vulnerability to obtain full root privileges on a default installation by way of an integer overflow. The overflow is caused by a size_t-to-int type conversion (“int” stands for “integer”): a length held in a size_t is stored in an int, a variable type too small to hold it, so the value is silently truncated. The LPE vulnerability, if exploited, enables cyberattackers to gain root privileges in default configurations of the filesystem layer. The stack-exhaustion vulnerability, on the other hand, affects systemd: once a mount point path exceeds about 8 megabytes (MB) in length, the system crashes and denial of service ensues.
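The size_t-to-int narrowing described above, as an added example that is not code from the advisory, from Qualys, or from the Linux kernel. It assumes a 64-bit Linux target (size_t is 64 bits wide, int is 32 bits wide) and uses constructed lengths to show three things: how a huge value shrinks to a small or even negative one, how a bounds check written against the narrowed value is fooled, and how comparing in the wide type before narrowing closes the hole.

```c
/* Added example (not code from the advisory or from the Linux kernel): shows
 * why a size_t-to-int conversion is dangerous. Assumes an LP64 target such as
 * 64-bit Linux, where size_t is 64 bits wide and int is 32 bits wide. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked conversion: the pattern the advisory describes. Storing a size_t
 * in an int keeps only the low 32 bits (implementation-defined in ISO C, but
 * this is what GCC and Clang do), so a huge length can become a small or
 * even negative one. */
int unchecked_length(size_t len)
{
    int buflen = (int)len;
    return buflen;
}

/* A bounds check written against the truncated value is fooled: a length far
 * larger than the buffer passes because its truncated form is small. */
bool naive_fits(size_t len, size_t capacity)
{
    int n = (int)len;
    return n <= (int)capacity;
}

/* Hardened form: refuse anything that cannot be represented as a
 * non-negative int before narrowing, so callers never see a wrapped value. */
bool checked_length(size_t len, int *out)
{
    if (len > (size_t)INT_MAX)
        return false;
    *out = (int)len;
    return true;
}

/* Hardened bounds check: compare in the wide type, never after narrowing. */
bool safe_fits(size_t len, size_t capacity)
{
    return len <= capacity;
}

int main(void)
{
    /* Constructed inputs: a 4 KiB buffer and a length of 2^36 + 16 bytes. */
    size_t capacity = 4096;
    size_t huge = ((size_t)1 << 36) + 16;
    int narrowed;

    printf("unchecked: %zu becomes %d\n", huge, unchecked_length(huge));
    printf("naive_fits: %s\n", naive_fits(huge, capacity) ? "yes (wrong)" : "no");
    printf("safe_fits:  %s\n", safe_fits(huge, capacity) ? "yes" : "no (correct)");
    printf("checked_length: %s\n",
           checked_length(huge, &narrowed) ? "accepted" : "rejected (correct)");
    return 0;
}
```

The defensive rule the block illustrates is the one a reviewer would apply to any length that crosses a size_t/int boundary: validate the range in the wider type first, and treat a conversion that cannot be proven lossless as an error rather than a cast.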

Why is it noteworthy?

Without prompt remediation, these vulnerabilities can wreak havoc on one’s system. The LPE vulnerability affects the filesystem layer of Linux, which nearly everything in Linux relies on, from running commands such as ls to storing user data. This vulnerability therefore affects not only the default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation, but other Linux distributions as well, which are also vulnerable and most likely exploitable. The stack-exhaustion DoS vulnerability affects systemd, a software suite in most Linux-based operating systems that provides a system and service manager that runs as PID 1 and starts the rest of the system, according to Qualys. Both systemd and the filesystem layer play a vital role in the Linux OS, and remediation should be taken seriously.

What is the risk?

When an LPE is exploited, the threat actor has gained root access to the system, which enables them to alter and delete data, as well as install malware on the system. As for the stack-exhaustion DoS vulnerability, the attack is meant to crash the OS, causing a kernel panic. This can be used as a distraction so that users do not realize another attack is in progress.

What are the recommendations?

  • Update and patch Linux operating systems immediately.
  • Always change the default credentials and use a strong password.
  • Run quarterly scans on your devices for vulnerabilities and to ensure that no malicious activity is present.

References

For more in-depth information about the recommendations, please visit the following links:

