Posted on 07/25/2021 6:28:16 AM PDT by ShadowAce
A pair of vulnerabilities in the Linux kernel disclosed this week affect major Linux operating systems and could let an attacker either gain root privileges on a compromised host or shut down the entire OS altogether.
The two flaws – CVE-2021-33909 and CVE-2021-33910, respectively – were disclosed by vulnerability management vendor Qualys in a pair of blogs that outlined the threat to Linux OSes from such companies as Red Hat, Ubuntu, Debian and Fedora.
The vulnerabilities came the same week that a flaw in Microsoft’s Windows 10 OS – one that impacts the Security Account Manager feature and was dubbed “SeriousSAM” – came to light and one that also could enable an attacker to bypass security restrictions in the OS and gain access to data on a compromised system (see Microsoft Security Under Scrutiny After Recent Incidents).
In both cases, the vulnerabilities in the Linux and Windows operating systems were discovered by security researchers rather than bad actors and patches or workarounds were recommended for all of them. However, they again highlighted flaws that can be found buried in the OSes and could lead to major headaches if exploited by bad actors.
In the case of the Linux vulnerabilities, Qualys security researchers recommended that users of various Linux distributions apply patches.
In an advisory, Red Hat officials acknowledged the flaw that could allow attackers to crash a compromised system and said that any product that is based on the Red Hat Enterprise Linux kernel – including OpenShift Container Platform, OpenStack and Red Hat Virtualization – could be impacted.
“This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information,” the IBM-owned company wrote. “The issue results from not validating the size_t-to-int conversion prior to performing operations. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.”
Other top Linux distributors, including Debian, Ubuntu and SUSE, also confirmed the CVE-2021-33909 vulnerability.
Shawn Smith, director of infrastructure at application security vendor nVisium, told eSecurity Planet that while the vulnerabilities are serious, the silver lining is that both require an attacker to be a local authorized user.
“On its own, it’s not going to give a remote attacker access to anything, but if combined with other attacks, it’s possible an attacker could leverage a user account from somewhere else and pivot into this to get root access,” Smith said. “Linux security is a fairly broad topic since there are so many different forks that fall under the Linux ecosystem, but generally it’s a pretty secure system. Because it is open source, anyone can perform code audits and many issues are caught before they are merged into main, but occasionally bugs like this do slip through and can go unnoticed for months or even years.”
The issue Red Hat referred to deals with a size_t-to-int type conversion vulnerability in the kernel’s filesystem layer, according to Qualys. By exploiting the vulnerability in a default configuration, an attacker could gain root privileges on a vulnerable host.
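The unchecked narrowing the Red Hat advisory describes, shown as an added example that is not from the article, from Qualys or from the kernel: a fixed-capacity buffer, a bounds check that first narrows a size_t length to int, and the same check done without narrowing. The names fits_unchecked, fits_checked, narrow_size_to_int and BUF_CAP are constructed for this illustration and do not correspond to any kernel code.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed capacity for the illustration; not a kernel value. */
#define BUF_CAP 4096

/* Flawed pattern: the size_t byte count is narrowed to int before the
 * bounds check. Converting a value above INT_MAX to int is
 * implementation-defined; on the usual two's-complement targets the value
 * wraps, so a huge length becomes a small or negative int and the check
 * passes for a write that does not fit. Returns 1 if the write is accepted. */
int fits_unchecked(int offset, size_t len)
{
    int n = (int)len;               /* silent truncation */
    return offset + n <= BUF_CAP;   /* a negative n passes trivially */
}

/* Hardened pattern: validate the operands first and compare in size_t,
 * so the arithmetic never involves a truncated value. Returns 1 if a write
 * of len bytes at offset fits within BUF_CAP. */
int fits_checked(int offset, size_t len)
{
    if (offset < 0 || offset > BUF_CAP)
        return 0;
    /* BUF_CAP - offset is non-negative here, so widening it is exact. */
    if (len > (size_t)(BUF_CAP - offset))
        return 0;
    return 1;
}

/* Narrow only when the value is representable as int.
 * Returns 0 and stores the result on success; returns -1 when len > INT_MAX. */
int narrow_size_to_int(size_t len, int *out)
{
    if (len > (size_t)INT_MAX)
        return -1;
    *out = (int)len;
    return 0;
}

int main(void)
{
    size_t huge = (size_t)INT_MAX + 1;   /* smallest value that does not fit in int */
    int n;

    printf("unchecked accepts %zu bytes at offset 100: %d\n", huge, fits_unchecked(100, huge));
    printf("checked accepts %zu bytes at offset 100: %d\n", huge, fits_checked(100, huge));
    printf("narrow %zu -> %s\n", huge,
           narrow_size_to_int(huge, &n) == 0 ? "ok" : "rejected");
    return 0;
}
```

The point of the hardened version is that the comparison happens in the wider type and the narrowing is refused, rather than performed and then reasoned about; that is the validation the advisory says was missing.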
The file system includes data and metadata on a storage device, controlling how data is stored and retrieved and managing user data.
“The Linux file system interface is implemented as a layered architecture, separating the user interface layer from the file system implementation and from the drivers that manipulate the storage devices,” Bharat Jogi, senior manager of vulnerabilities and signatures for Qualys, wrote in a blog post. “It is the most important function of any operating system and is ubiquitous on all major Linux operating systems.”
Jogi wrote that Qualys was able to develop an exploit and get full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation, adding that “other Linux distributions are likely vulnerable and probably exploitable.”
The other issue was a stack exhaustion denial-of-service vulnerability in systemd (PID 1), a utility in major Linux distributions that an attacker could exploit to crash systemd and, thus, the entire operating system. Systemd includes a range of components for Linux OSes, according to Jogi. The vulnerability was introduced in systemd v220 in April 2015.
Dirk Schrader, global vice president of security research at change management software provider New Net Technologies, told eSecurity Planet that while the vulnerabilities likely won’t be part of malware campaigns, they have a “severe potential when used in a coordinated and targeted attack scenario. Both seem to need a user account already existing on a targeted device, which seems a surmountable barrier with all the credentials leaked in the recent past – here is how big data can be used in cyber-crime.”
Companies shouldn’t shrug off these vulnerabilities.
“The reason why companies should be concerned is that Linux devices are usually in the server world of the infrastructure, with systems being crucial to the operations of a company,” Schrader said. “Organizations will not want to see their operations being disrupted (CVE-2021-33910) or being taken over and controlled by an attacker (CVE-2021-33909) with the ability to do anything.”
Joseph Carson, chief security scientist and advisory chief information security officer (CISO) at cloud identity solutions maker ThycoticCentrify, said companies need to take the threat seriously, but noted that such vulnerabilities are noisy, making them easy to detect if an attacker tries to exploit them. That said, enterprises would be smart to reduce the risks by ensuring impacted systems are not publicly facing the internet or that they’re protected by using such solutions as privileged access management (PAM).
“Like any operating system, security significantly depends entirely on how you use it, configure or manage the operating system,” Carson told eSecurity Planet. “Each new Linux update tries to improve security; however to get the value you must enable and configure it correctly. The state of Linux security today is quite good and has evolved in a positive way, with more visibility and security features built in, though like many operating systems you must install, configure and manage it with security in mind, as how cybercriminals take advantage is the human touch.”
...while the vulnerabilities are serious, the silver lining is that both require an attacker to be a local authorized user.
“On its own, it’s not going to give a remote attacker access to anything, but if combined with other attacks, it’s possible an attacker could leverage a user account from somewhere else and pivot into this to get root access,” Smith said.
—
that’s a bit of a stretch involving vigorous hand waving. An attack causing a memory exception which crashes the system is bad, but it does not correlate to getting root access.
It always amuses me that this is so common but Microsoft takes a heaping truckload of shit when they disclose a similar vulnerability.
For many, for primary comm’s with others, for store cash registers and gas pumps, and now for working from home, a PC can be much like a horse was 150 years ago — crucial in a person’s life.
Hackers need hanging from the neck until dead.
...while the vulnerabilities are serious, the silver lining is that both require an attacker to be a local authorized user.
No need for alarm for most people.
Two common uses of the Linux operating system are in WiFi access points and firewall appliances (I'm looking at YOU, Protectli and pfSense). As long as the Linux kernel is sufficiently robust enough to deny remote penetrations past a competently-configured firewall, computer users — including Microsoft OS users — are safe from penetration-based attacks.
To that end, I am designing a firewall for a fanless computing appliance that builds on more than 20 years of success in IPv4, and also provides the same protection of IPv6. Different realms that have different methods. For IPv6, instead of trying to use NAT, it protects a subnet of the IPv6 address space assigned to the site. Inside computers can "call out" and get responses, but outside entities can't "call in".
This scheme protects any computer or internet-capable device that asks for an IPv6 address using DHCP6, because most DHCP6 servers will allocate addresses from the low end of the pool. If a device wants a "public" address, and has been properly protected, the sysadmin can give that computer an unprotected address. (Or partially protected: the firewall will block a lot of Bad Stuff™.)
Two things...
These are nowhere near as common in Linux as they are in MS. They are spotted quicker and dealt with quicker. And almost every one of them has required local access to be a threat.
In comparison MS is full of holes because of completely incompetent design and lack of concern. Many have even been delivered by MS themselves. MS requires third party tools to be anywhere close to actually secure, Linux does not.
So to say they are the same as equally vulnerable is just not fact.
Microsoft is an actively anti-conservative Big Tech company, so those who already dislike Big Tech organizations and conservatives in particular who are tired of being targeted for destruction by Microsoft and others - are already in a howling mood. A vulnerability is just icing on the cake for more howling.
Linux firms are generally what you would call Little Tech and don't single out conservatives for harm. Many times there aren't even any Linux firms at all, just large groups of dedicated software developers trying to create something that (among other things) won't spy on your every move; because, these developers don't want to be spied on themselves and have the power to be not-spied-on with their own creation (vulnerabilities aside, of course).
Your first sentence is a bit bewildering. I’ve been in IT security for 10 years. Do you think that vulnerabilities are all uncovered by accident in the wild?
Nothing for me to worry about then.
Get on it right away. I tried to grow corn once but while the kernel was able to gain full root privileges this was a vulnerable host and a virus became a growing threat within the ecosystem, and which later enabled infiltration by attackers going by the handle of "raccoon."
Lol, great stuff... :)
It always amuses me that this is so common but Microsoft takes a heaping truckload of shit when they disclose a similar vulnerability.
You must be easily amused.
Microsoft never discloses a flaw until they have a (presumed) fix. As soon as a flaw is identified, it "goes black" and M$ publicly pretends it doesn't exist until they have a patch.
In the meanwhile, their clients are left to twist in the wind.
Linux's philosophy is the exact opposite. Like the old Chinese proverb, many hands make light work. Spreading the word enables more people to address the problem.
Since Linux is open-source it's possible for developers all over the world to work on the problem simultaneously. But M$ could never implement a similar plan because they would never abandon closed-source code.
Unequivocally false. If you have proof of this, I highly suggest you submit it to MITRE. The fact that you use dollar signs in your attempts to be cute tells me that you're not to be taken seriously. Microsoft's been in the upper-right Gartner quadrant for security for years, beating out Google, Amazon, and others.
My first sentence is not bewildering, you’ve misidentified the vacuum. The vacuum isn’t “uncovered by accident (or even with intent) in the wild” versus “uncovered in a Microsoft lab”. The vacuum is this: Anti-conservative versus not anti-conservative. Microsoft is a known actor in the anti-conservative field.
I think you’re going out of your way to refuse to admit to yourself that Microsoft is a prime example of the evils of Big Tech in general and the anti-conservative nature of Big Tech in particular. Once you can admit to yourself that Microsoft really doesn’t like people who hold our points of view and actively works against those of us, then you’ll have a much easier go of understanding your original quandary.
The worst part of it is they take our money and then they weaponize it against us. That’s the worst outrage of all of it.
Have you looked at DD-WRT?
Besides, I like doing this sort of thing.
Cool. I think most of that capability that you mentioned was available in DD-WRT. Personally I use about 5% of the capabilities. I work with some guys who are serious network geeks who can make it do some amazing things using VLANs and routing rules.