Two vulnerabilities in the Linux kernel announced this week reveal critical flaws in Linux operating systems that could allow a hacker to gain root privileges on a compromised host or to shut down the entire operating system.
The two vulnerabilities – CVE-2021-33909 and CVE-2021-33910 – were disclosed by the vulnerability management provider Qualys in two blog posts that highlighted the threats to Linux operating systems from Red Hat, Ubuntu, Debian and Fedora.
The vulnerabilities came the same week as the discovery of a bug in Microsoft’s Windows 10 operating system – one that affects the Security Account Manager function and is known as “SeriousSAM” – that could allow an attacker to circumvent security restrictions in the operating system and access data on a compromised system (see Microsoft Security under Control after Recent Incidents).
In both cases, the vulnerabilities in the Linux and Windows operating systems were discovered by security researchers rather than by bad actors, and patches or workarounds were recommended for all of them. However, they again highlighted vulnerabilities that lie hidden in operating systems and that could lead to major headaches if exploited by bad actors.
In the case of the Linux vulnerabilities, Qualys security researchers recommended that users of the various Linux distributions install patches.
Red Hat, others acknowledge flaws
In an advisory, Red Hat officials acknowledged the bug that could allow attackers to crash a compromised system, saying that any product based on the Red Hat Enterprise Linux kernel – including OpenShift Container Platform, OpenStack and Red Hat Virtualization – could be affected.
“This flaw would allow a local attacker with user rights to gain access to the out-of-bound storage, resulting in a system crash or loss of internal kernel information,” wrote the IBM-owned company. “The problem arises from the fact that the size_t-to-int conversion was not validated prior to performing operations. The main threats posed by this vulnerability are data integrity, confidentiality, and system availability.”
Other top Linux distributors, including Debian, Ubuntu, and SUSE, have also confirmed the CVE-2021-33909 vulnerability.
A silver lining
Shawn Smith, director of infrastructure at application security provider nVisium, told eSecurity Planet that while the vulnerabilities are severe, the silver lining is that an attacker would have to be a local authorized user.
“Alone it won’t give a remote attacker access to everything, but when combined with other attacks, it is possible that an attacker could use a user account from another location and latch into it to gain root access,” said Smith. “Linux security is a pretty broad topic because there are so many different forks that fall under the Linux ecosystem, but in general it’s a pretty safe system. Since it is open source, anyone can do code audits and many problems are identified before they are merged into Main, but occasionally bugs like this do occur and can go unnoticed for months or even years.”
Find Linux vulnerabilities
According to Qualys, the issue Red Hat is referring to is a size_t-to-int type conversion vulnerability in the kernel’s filesystem layer. By exploiting the vulnerability in a default configuration, an attacker could gain root privileges on a vulnerable host.
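The flaw class described above, a size_t length narrowed to int before it is validated, can be shown in a few lines of C. This is an added illustration, not kernel code and not taken from the Qualys or Red Hat write-ups; BUF_CAP and the function names are hypothetical, and the sample lengths are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_CAP 4096 /* hypothetical buffer capacity for this example */

/* Flawed pattern: the size_t length is narrowed to int BEFORE the bounds
 * check. A length above INT_MAX becomes negative (implementation-defined
 * in C; gcc and clang wrap modulo 2^32), so "len > BUF_CAP" is false and
 * the oversized request is accepted. */
int accepts_unchecked(size_t need)
{
    int len = (int)need;
    if (len > BUF_CAP)
        return 0; /* rejected */
    return 1;     /* accepted: later code would trust this length */
}

/* Hardened pattern: validate the range while the value is still a size_t,
 * and convert only after it is known to fit. */
int accepts_checked(size_t need, int *len_out)
{
    if (need > (size_t)INT_MAX || need > (size_t)BUF_CAP)
        return 0;
    *len_out = (int)need;
    return 1;
}

int main(void)
{
    /* Constructed sample lengths: two valid, one slightly too large,
     * one just past INT_MAX. */
    size_t samples[] = { 100, 4096, 4097, (size_t)INT_MAX + 17 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = 0;
        printf("need=%zu unchecked=%d checked=%d\n", samples[i],
               accepts_unchecked(samples[i]),
               accepts_checked(samples[i], &len));
    }
    return 0;
}
```

Only the last sample separates the two functions: the unchecked version accepts it because the narrowed value is negative, while the checked version rejects it.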
The file system contains data and metadata on a storage device, controls how data is stored and retrieved, and manages user data.
“The Linux file system interface is implemented as a layered architecture that separates the user interface layer from the file system implementation and from the drivers that manipulate the storage devices,” wrote Bharat Jogi, senior manager for vulnerabilities and signatures at Qualys, in a blog post. “It is the most important function of any operating system and ubiquitous on all common Linux operating systems.”
Jogi wrote that Qualys was able to develop an exploit and obtain full root privileges on standard installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation, adding that “other Linux distributions are likely to be vulnerable and likely to be exploitable.”
The other problem was a stack exhaustion denial-of-service vulnerability in systemd (PID 1), a utility included in major Linux distributions, that an attacker could use to crash systemd and thus the entire operating system. According to Jogi, systemd contains a number of components for Linux operating systems. The vulnerability was introduced in systemd v220 in April 2015.
Dirk Schrader, global vice president of security research at change management software provider New Net Technologies, told eSecurity Planet that while the vulnerabilities are unlikely to be part of malware campaigns, they “have serious potential when used in a coordinated and targeted attack scenario. Both seem to require a user account that already exists on a target device, which with all the credentials leaked in the recent past seems like a surmountable barrier – this is how big data can be used in cybercrime.”
Organizations shouldn’t ignore these vulnerabilities.
“The reason businesses should be concerned is that Linux devices are typically in the server world of infrastructure, with systems being critical to running a business,” said Schrader. “Organizations will not want their operations to be disrupted (CVE-2021-33910) or to be taken over and controlled by an attacker (CVE-2021-33909) with the ability to do anything.”
“Loud” security holes
According to Joseph Carson, Chief Security Scientist and Advisory Chief Information Security Officer (CISO) at ThycoticCentrify, a manufacturer of cloud identity solutions, companies must take the threat of exploitation seriously. However, companies would be smart to reduce the risks by ensuring that affected systems are not publicly exposed to the Internet or that they are protected by solutions such as Privileged Access Management (PAM).
“As with any operating system, security largely depends on how you use, configure, or manage it,” Carson told eSecurity Planet. “Every new Linux update tries to improve security; however, to get the value, you need to enable it and configure it correctly. The state of Linux security today is quite good and has grown positively, with more transparency and built-in security features, although like many operating systems you need to install, configure, and manage them with security in mind because cyber criminals take advantage of the human touch.”