A pair of Linux vulnerabilities disclosed this week affect major Linux operating systems and could let an attacker either gain root privileges on a compromised host or shut down the entire OS.
The two flaws, CVE-2021-33909 and CVE-2021-33910, were disclosed by vulnerability management vendor Qualys in a pair of blog posts that outlined the threat to Linux distributions from such vendors and projects as Red Hat, Ubuntu, Debian and Fedora.
The vulnerabilities came to light the same week as a flaw in Microsoft’s Windows 10 OS, dubbed “SeriousSAM”, which affects the Security Account Manager feature and could also let an attacker bypass security restrictions in the OS and gain access to data on a compromised system (see Microsoft Security Under Scrutiny After Recent Incidents).
In both cases, the vulnerabilities in the Linux and Windows operating systems were discovered by security researchers rather than bad actors, and patches or workarounds were recommended for all of them. However, they again highlighted flaws that can lie buried in an OS for years and lead to major headaches if exploited by bad actors.
In the case of the Linux vulnerabilities, Qualys security researchers recommended that users of various Linux distributions apply patches.
Red Hat, Others Confirm Flaws
In an advisory, Red Hat officials acknowledged the flaw that could allow attackers to crash a compromised system and said that any product that is based on the Red Hat Enterprise Linux kernel – including OpenShift Container Platform, OpenStack and Red Hat Virtualization – could be impacted.
“This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information,” the IBM-owned company wrote. “The issue results from not validating the size_t-to-int conversion prior to performing operations. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.”
A Silver Lining
Shawn Smith, director of infrastructure at application security vendor nVisium, told eSecurity Planet that while the vulnerabilities are serious, the silver lining is that both require an attacker to be a local authorized user.
“On its own, it’s not going to give a remote attacker access to anything, but if combined with other attacks, it’s possible an attacker could leverage a user account from somewhere else and pivot into this to get root access,” Smith said. “Linux security is a fairly broad topic since there are so many different forks that fall under the Linux ecosystem, but generally it’s a pretty secure system. Because it is open source, anyone can perform code audits and many issues are caught before they are merged into main, but occasionally bugs like this do slip through and can go unnoticed for months or even years.”
Finding Linux Vulnerabilities
The issue Red Hat referred to is a size_t-to-int type conversion vulnerability in the kernel’s filesystem layer, according to Qualys: a length tracked as an unsigned size_t is narrowed to a signed int without first checking that it fits. By exploiting the vulnerability in a default configuration, an attacker could gain root privileges on a vulnerable host.
The filesystem layer manages both the data and the metadata on a storage device, controlling how user data is stored and retrieved.
“The Linux file system interface is implemented as a layered architecture, separating the user interface layer from the file system implementation and from the drivers that manipulate the storage devices,” Bharat Jogi, senior manager of vulnerabilities and signatures for Qualys, wrote in a blog post. “It is the most important function of any operating system and is ubiquitous on all major Linux operating systems.”
Jogi wrote that Qualys was able to develop an exploit and get full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation, adding that “other Linux distributions are likely vulnerable and probably exploitable.”
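The following C program is an added illustration of the bug class the article describes, a size_t length narrowed to int without validation; it is not code from the kernel, from Qualys or from Red Hat, and it models the length check only (no memory is written). The helper names, the "fill the buffer from its end" convention and the 2 GiB sample size are assumptions chosen to make the narrowing visible:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a lower-level helper that takes its buffer length as a plain int and
 * fills the buffer from the end backwards (a common convention for path builders).
 * It returns the offset of the first byte it would write; nothing is touched. */
static int64_t first_write_offset(int buflen, int needed)
{
    return (int64_t)buflen - (int64_t)needed;
}

/* True if writing `needed` bytes at `offset` stays inside a buffer of `real_size` bytes. */
static int write_in_bounds(size_t real_size, int64_t offset, int needed)
{
    if (offset < 0)
        return 0;
    return (uint64_t)offset + (uint64_t)needed <= (uint64_t)real_size;
}

/* Vulnerable pattern: the caller tracks its buffer as size_t and forwards it to
 * the int-taking helper with a bare cast. For buflen > INT_MAX the value is
 * narrowed; on the usual two's-complement targets (size_t)1 << 31 becomes
 * INT_MIN, so the helper computes a write far below the buffer's start.
 * Returns 1 if the modelled write is in bounds, 0 if it is out of bounds. */
static int vulnerable_check(size_t buflen, int needed)
{
    int narrowed = (int)buflen;                     /* the unchecked size_t-to-int conversion */
    int64_t off = first_write_offset(narrowed, needed);
    return write_in_bounds(buflen, off, needed);
}

/* Hardened pattern: refuse any length that does not survive the conversion
 * intact, so the helper never sees a negative or wrapped length.
 * Returns -1 when rejected, otherwise the same 0/1 bounds verdict. */
static int hardened_check(size_t buflen, int needed)
{
    if (buflen > (size_t)INT_MAX)
        return -1;
    int64_t off = first_write_offset((int)buflen, needed);
    return write_in_bounds(buflen, off, needed);
}

int main(void)
{
    size_t small = 4096;                 /* an ordinary buffer */
    size_t huge  = (size_t)1 << 31;      /* 2 GiB: the first size that no longer fits an int */
    printf("4 KiB buffer, unchecked: %s\n", vulnerable_check(small, 10) ? "in bounds" : "OUT OF BOUNDS");
    printf("2 GiB buffer, unchecked: %s\n", vulnerable_check(huge, 10) ? "in bounds" : "OUT OF BOUNDS");
    printf("2 GiB buffer, hardened:  %s\n", hardened_check(huge, 10) == -1 ? "rejected before conversion" : "accepted");
    return 0;
}
```

The point of the hardened variant is where the check sits: the comparison against INT_MAX happens on the original size_t, before any narrowing, which is exactly the validation Red Hat's advisory says was missing. Checking the int afterwards is too late, because the wrapped value is already what every downstream computation sees.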
The other issue was a stack exhaustion denial-of-service vulnerability in systemd (PID 1), the service manager used by major Linux distributions, that an attacker could exploit to crash systemd and, because it is PID 1, the entire operating system with it. Systemd includes a range of components for Linux OSes, according to Jogi. The vulnerability was introduced in systemd v220 in April 2015.
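As an added example of the stack exhaustion class described above (not systemd's own code, and not Qualys's), the C program below contrasts a scratch buffer whose size is dictated by untrusted input length with a bounded alternative. The escaping rule, the buffer limits and the function names are assumptions of this example; systemd's real escaping logic is not reproduced here:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical escaping rule (an assumption of this example, not systemd's own
 * algorithm): '/' becomes '-', bytes outside [A-Za-z0-9_-] become "\xHH".
 * Worst case every input byte expands to four output bytes. Writes at most
 * 4*n+1 bytes into out and returns the escaped length. */
static size_t escape_into(const char *in, size_t n, char *out)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '/') {
            out[o++] = '-';
        } else if (isalnum(c) || c == '_' || c == '-') {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

/* Vulnerable pattern: scratch space is a variable-length array (same effect as
 * alloca) sized straight from the caller-controlled length. A long enough input
 * pushes the frame past the stack guard page and the process dies; when that
 * process is PID 1 the whole system goes with it. Only called with short
 * inputs in this example. */
static char *escape_on_stack(const char *in, size_t n)
{
    char scratch[n * 4 + 1];          /* stack usage grows with untrusted input */
    size_t len = escape_into(in, n, scratch);
    char *result = malloc(len + 1);
    if (result)
        memcpy(result, scratch, len + 1);
    return result;
}

/* Hardened pattern: a fixed stack buffer for the common short case, the heap
 * for anything larger, and an outright refusal above a hard ceiling, so no
 * input length can dictate stack usage. Returns NULL on refusal or OOM. */
#define STACK_SCRATCH_BYTES 1024
#define INPUT_HARD_MAX      (64 * 1024)

static char *escape_bounded(const char *in, size_t n)
{
    if (n > INPUT_HARD_MAX)
        return NULL;                  /* unreasonable for a path or unit name */

    char stack_scratch[STACK_SCRATCH_BYTES];
    char *scratch = stack_scratch;
    size_t need = n * 4 + 1;
    if (need > sizeof stack_scratch) {
        scratch = malloc(need);       /* large inputs cost heap, not stack */
        if (!scratch)
            return NULL;
    }
    size_t len = escape_into(in, n, scratch);
    char *result = malloc(len + 1);
    if (result)
        memcpy(result, scratch, len + 1);
    if (scratch != stack_scratch)
        free(scratch);
    return result;
}

/* Returns 1 when the bounded routine refuses an all-'a' input of n bytes, 0 when it accepts. */
static int bounded_refuses_length(size_t n)
{
    char *probe = malloc(n);          /* constructed sample input */
    if (!probe)
        return 1;
    memset(probe, 'a', n);
    char *r = escape_bounded(probe, n);
    free(probe);
    if (!r)
        return 1;
    free(r);
    return 0;
}

int main(void)
{
    char *s = escape_bounded("/run/my unit", 12);   /* constructed sample path */
    printf("escaped: %s\n", s);
    free(s);
    printf("100000-byte input refused: %d\n", bounded_refuses_length(100000));
    return 0;
}
```

The hardened version keeps the same output for every accepted input; what changes is that the stack frame has a fixed size regardless of what the caller supplies. For a process such as PID 1, where a crash is a denial of service against the whole machine, that bound is the mitigation, and the hard ceiling on input length is what a code review would look for in any routine that turns a caller-supplied string into a stack allocation.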
Dirk Schrader, global vice president of security research at change management software provider New Net Technologies, told eSecurity Planet that while the vulnerabilities likely won’t be part of malware campaigns, they have a “severe potential when used in a coordinated and targeted attack scenario. Both seem to need a user account already existing on a targeted device, which seems a surmountable barrier with all the credentials leaked in the recent past – here is how big data can be used in cyber-crime.”
Companies shouldn’t shrug off these vulnerabilities.
“The reason why companies should be concerned is that Linux devices are usually in the server world of the infrastructure, with systems being crucial to the operations of a company,” Schrader said. “Organizations will not want to see their operations being disrupted (CVE-2021-33910) or being taken over and controlled by an attacker (CVE-2021-33909) with the ability to do anything.”
According to Joseph Carson, chief security scientist and advisory chief information security officer (CISO) at cloud identity solutions maker ThycoticCentrify, companies need to take the threat seriously, though he noted that such vulnerabilities are noisy, making them easy to detect if an attacker tries to exploit them. That said, enterprises would be smart to reduce the risks by ensuring impacted systems are not publicly facing the internet and are protected by such solutions as privileged access management (PAM).
“Like any operating system, security significantly depends entirely on how you use it, configure or manage the operating system,” Carson told eSecurity Planet. “Each new Linux update tries to improve security; however, to get the value you must enable and configure it correctly. The state of Linux security today is quite good and has evolved in a positive way, with more visibility and security features built in, though like many operating systems you must install, configure and manage it with security in mind, as how cybercriminals take advantage is the human touch.”