Appgate detailed a newly disclosed and newly patched Linux kernel bug Tuesday that could allow local and remote code execution, as well as denial of service.
The bug is a stack overflow in the Transparent Inter-Process Communication (TIPC) service, the cluster domain socket service in Linux. Nodes in a TIPC cluster communicate using messages and, while TIPC was designed to check that a minimum message length is met, it did not check that a maximum message length was respected. Exceeding the maximum causes the overflow.
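The bug class described above, modelled as an added example in C. This is not the kernel's TIPC code; the message layout, field sizes and the 64-entry record capacity are assumptions chosen to show the missing upper-bound check beside a hardened parser that enforces it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the bug class; not the kernel's TIPC code. */
#define HDR_LEN      4   /* 2-byte big-endian member count + 2 reserved bytes */
#define ENTRY_LEN    4   /* one 32-bit member id per entry */
#define MAX_MEMBERS 64   /* capacity of the fixed-size, stack-resident record */

/* Constructed sample messages: count, reserved bytes, then entries. */
static const uint8_t sample_ok[]        = {0x00,0x03, 0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};
static const uint8_t sample_big_count[] = {0x00,0xC8, 0,0, 1,0,0,0}; /* claims 200 entries */
static const uint8_t sample_truncated[] = {0x00,0x03, 0,0, 1,0,0,0}; /* claims 3, carries 1 */

/* Vulnerable pattern: the minimum message length is enforced, but the
 * peer-supplied count is trusted, so the computed copy size can exceed the
 * record. Only the size computation is modelled; nothing is copied here. */
static size_t vulnerable_copy_bytes(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HDR_LEN)                 /* minimum check: present */
        return 0;
    uint16_t cnt = (uint16_t)(msg[0] << 8 | msg[1]);
    return (size_t)cnt * ENTRY_LEN;        /* maximum check: absent */
}

/* True when the vulnerable size computation would overrun the record. */
static int vulnerable_overflows(const uint8_t *msg, size_t msg_len) {
    return vulnerable_copy_bytes(msg, msg_len) > sizeof(uint32_t) * MAX_MEMBERS;
}

/* Hardened parser: the count is bounded by the record capacity and by the
 * bytes actually present, so the memcpy can never exceed `members`.
 * Returns the number of entries accepted, or -1 if the message is rejected. */
static int hardened_parse(const uint8_t *msg, size_t msg_len) {
    uint32_t members[MAX_MEMBERS];
    if (msg_len < HDR_LEN)
        return -1;
    uint16_t cnt = (uint16_t)(msg[0] << 8 | msg[1]);
    if (cnt > MAX_MEMBERS)                           /* upper bound on entries */
        return -1;
    if ((size_t)cnt * ENTRY_LEN > msg_len - HDR_LEN) /* entries must fit the message */
        return -1;
    memcpy(members, msg + HDR_LEN, (size_t)cnt * ENTRY_LEN);
    return (int)cnt;
}
```

The second check matters as much as the first: even a count within capacity must be backed by bytes that are actually present, or the copy reads past the received message.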
“The vulnerability has been present since the TIPC monitoring framework was introduced in June 2016, impacting versions 4.8 through to 5.17-rc3. A patch has been released; updating systems to include that patch is the best way to mitigate the vulnerability. In the meantime, if you’re not using TIPC, you can blacklist the module to reduce your attack surface,” said Samuel Page, senior exploit developer for Appgate Threat Advisory Services, in a statement. Page discovered the vulnerability.
“If you need to use TIPC and can’t immediately patch your system, look to enforce configurations that prevent or limit the ability for attackers to imitate nodes in your cluster. Options include TIPC protocol level encryption, IPSec/MACSec and network separation,” he continued.
In the blog post, Page explained that he found the new TIPC vulnerability while exploring an older one, CVE-2021-43267, which was discovered by SentinelLabs and published in November.
The new vulnerability was reported last month. In the process of patching, Page wrote in his blog post, “another issue regarding [an] overflow was spotted by Eric Dumazet, a fix for which is also included in the final patch by Jon Maloy.”
The vulnerability was disclosed on Jan. 27 with a patch first available on Feb. 5.