15-year-old Linux vulnerabilities let hackers gain superuser privileges
Experts from the GRIMM organization found vulnerabilities in the iSCSI subsystem of the Linux kernel that could allow local attackers with basic user privileges to escalate their privileges to superuser. The vulnerabilities can only be exploited locally, which means that an attacker must first gain access to the vulnerable device by exploiting another vulnerability or by using an alternative attack vector.
Although the vulnerabilities were discovered only now, they were introduced during the initial development of the iSCSI subsystem in 2006. The issues affect all Linux distributions, but fortunately the vulnerable scsi_transport_iscsi kernel module is not loaded by default. The module can, however, be loaded and then exploited for privilege escalation.
As security researcher Adam Nichols explained, the Linux kernel loads modules either because it detects new hardware or because a kernel function detects that a module is missing. On CentOS 8, RHEL 8, and Fedora, unprivileged users can trigger automatic loading of the required modules if the rdma-core package is installed. On Debian and Ubuntu, the rdma-core package only loads the two required kernel modules automatically if RDMA hardware is present, so exploitation is limited on these systems.
Vulnerabilities:
• CVE-2021-27365: buffer overflow (local privilege escalation, data disclosure, and denial of service);
• CVE-2021-27363: kernel pointer leak (data disclosure);
• CVE-2021-27364: out-of-bounds read (data disclosure and denial of service).
All three vulnerabilities are patched in kernel versions 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260 and 4.4.260. No patches will be released for end-of-life, unsupported kernel versions such as 3.x and 2.6.23.
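A quick self-check built from the facts above, added here as an example and not part of the original article: it compares the running kernel release against the fixed versions listed, checks /proc/modules for scsi_transport_iscsi, and prints a modprobe `install` rule that blocks on-demand loading of the module (a standard hardening technique the article itself does not mention). Module name and version numbers come from the article; the sample /proc/modules lines are constructed.

```python
import os
import re
from typing import Optional, Tuple

# Fixed stable versions named in the article (kernel.org numbering).
FIXED_VERSIONS = ["5.11.4", "5.10.21", "5.4.103", "4.19.179",
                  "4.14.224", "4.9.260", "4.4.260"]
MODULE = "scsi_transport_iscsi"

# Constructed sample in /proc/modules format: name size refcount deps state addr
SAMPLE_PROC_MODULES = (
    "iscsi_tcp 24576 0 - Live 0x0000000000000000\n"
    "libiscsi 65536 1 iscsi_tcp, Live 0x0000000000000000\n"
    "scsi_transport_iscsi 110592 2 iscsi_tcp,libiscsi, Live 0x0000000000000000\n"
    "ext4 778240 1 - Live 0x0000000000000000\n"
)

def parse_version(release: str) -> Tuple[int, int, int]:
    """'5.10.21-generic' -> (5, 10, 21); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel version: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_patched(release: str) -> Optional[bool]:
    """True/False for branches the article lists, False for EOL branches
    older than 4.4, None for newer branches the list does not cover.
    Distro kernels may backport fixes, so this is indicative only."""
    major, minor, patch = parse_version(release)
    fixed = {parse_version(v)[:2]: parse_version(v)[2] for v in FIXED_VERSIONS}
    branch = (major, minor)
    if branch in fixed:
        return patch >= fixed[branch]
    if branch < min(fixed):
        return False  # e.g. 3.x, 2.6.x: no upstream patch will be released
    return None

def iscsi_module_loaded(proc_modules: str) -> bool:
    """First field of each /proc/modules line is the module name."""
    return any(line.split()[0] == MODULE
               for line in proc_modules.splitlines() if line.strip())

def modprobe_block_rule() -> str:
    """An 'install' rule makes modprobe run /bin/false instead of loading the
    module, which also defeats kernel-triggered autoload (unlike 'blacklist')."""
    return f"install {MODULE} /bin/false\n"

if __name__ == "__main__":
    rel = os.uname().release
    print(f"kernel {rel}: patched={is_patched(rel)}")
    try:
        with open("/proc/modules") as f:
            loaded = iscsi_module_loaded(f.read())
    except OSError:
        loaded = iscsi_module_loaded(SAMPLE_PROC_MODULES)
    print(f"{MODULE} loaded: {loaded}")
    print("suggested /etc/modprobe.d rule:", modprobe_block_rule().strip())
```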
Source: securitylab.ru
16 March 2021