Critical RCE Vulnerability Discovered in the Linux Kernel’s TIPC Module

November 4, 2021

Cybersecurity experts have uncovered a significant security vulnerability in the Transparent Inter-Process Communication (TIPC) module of the Linux Kernel. This flaw could potentially allow both local and remote attackers to execute arbitrary code within the kernel, giving them control over affected systems. Assigned CVE-2021-43267 and rated with a CVSS score of 9.8, this heap overflow vulnerability “can be exploited locally or remotely within a network to gain kernel privileges, enabling attackers to compromise the entire system,” according to a report by cybersecurity firm SentinelOne shared with The Hacker News. TIPC is a transport layer protocol designed for seamless communication between nodes in dynamic cluster environments, offering improved efficiency and fault tolerance compared to traditional protocols like TCP. The vulnerability arises from inadequate validation of user-provided sizes for a new message type.

Significant RCE Vulnerability Discovered in Linux Kernel’s TIPC Module

On November 4, 2021, cybersecurity experts disclosed a critical security vulnerability within the Linux Kernel’s Transparent Inter Process Communication (TIPC) module. This flaw, designated as CVE-2021-43267, has been assigned a high common vulnerability scoring system (CVSS) score of 9.8, indicating severe risk. The vulnerability arises from a heap overflow issue that could be exploited both locally and remotely, granting attackers the potential to execute arbitrary code within the kernel and seize full control of affected systems.

The TIPC module serves as a transport layer protocol designed to facilitate efficient and fault-tolerant communication between nodes in dynamic cluster environments. Its robust framework is particularly effective in contexts where reliability is paramount, outperforming traditional protocols like TCP. However, the identified vulnerability stems from inadequate validation of user-defined sizes for a new message type introduced into the protocol, creating an avenue for exploitation.

According to a report from cybersecurity firm SentinelOne, attackers can exploit this flaw to gain elevated kernel privileges, posing a grave threat to the integrity of entire systems. The implications extend beyond individual machines, as successful exploitation could compromise broader network architectures, leading to massive security breaches and data loss for organizations reliant on TIPC for internal communications.

In terms of target demographics, this vulnerability primarily endangers enterprises utilizing the Linux operating system within their infrastructures. The potential for remote exploitation further amplifies the risk, as cybercriminals could exploit the vulnerability from anywhere within the network, underscoring the urgent need for immediate patching and mitigation strategies.

From a cybersecurity perspective, this incident highlights relevant tactics and techniques from the MITRE ATT&CK framework. Notably, the vulnerability may facilitate initial access as well as privilege escalation, allowing malicious actors to extend their control from a local exploit to potentially infiltrating and compromising entire systems. This progression reinforces the significance of proactive security measures, as timely vulnerability assessments and system updates are critical in protecting against such exploits.

Enterprises are advised to conduct thorough assessments of their Linux systems and ensure that patches addressing this vulnerability are applied without delay. This incident serves as a stark reminder of the evolving landscape of cyber threats, where even sophisticated protocols can harbor critical vulnerabilities if not properly secured. As the cybersecurity landscape continues to evolve, business owners must remain vigilant, adopting a proactive approach to manage risks associated with emerging vulnerabilities.

Source link

Related Posts

Critical Vulnerability in Cisco Policy Suite Exposes Hardcoded SSH Key, Allowing Remote Root Access

November 5, 2021

Cisco Systems has issued security updates to rectify vulnerabilities in several Cisco products that could enable attackers to log in as root users, gaining control over compromised systems. The vulnerability, identified as CVE-2021-40119, has been assigned a critical severity rating of 9.8 out of 10 on the CVSS scale and originates from flaws in the SSH authentication mechanism of Cisco Policy Suite. According to Cisco’s advisory, “An attacker could exploit this vulnerability by connecting to an affected device via SSH,” warning that a successful exploit could provide the attacker with root access. The issue was uncovered during internal security assessments. Future releases of Cisco Policy Suite (21.2.0 and beyond) will automatically generate new SSH keys upon installation, although devices upgrading from version 21.1.0 will still require a manual process to replace the default SSH keys.

Experts Uncover Malicious Code Exploiting Vulnerability in ManageEngine ADSelfService

On November 8, 2021, it was revealed that at least nine organizations in the technology, defense, healthcare, energy, and education sectors were compromised due to a recently patched critical vulnerability in Zoho’s ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution. This surveillance campaign, which began on September 22, 2021, saw attackers exploiting the flaw to gain initial access, subsequently moving laterally within the networks to conduct post-exploitation activities. They deployed malicious tools designed to harvest credentials and exfiltrate sensitive data through a backdoor. “The attackers relied heavily on the Godzilla web shell, uploading various versions of this open-source tool to the compromised servers throughout the operation,” reported researchers from Palo Alto Networks’ Unit 42 threat intelligence team. “Several other tools exhibited unique characteristics or functionalities…”

Unresolved Unauthorized File Read Vulnerability Impacts Microsoft Windows OS

On November 30, 2021, it was reported that unofficial patches have been released to address a poorly patched Windows security flaw which poses risks for information disclosure and local privilege escalation (LPE) on affected systems. Identified as CVE-2021-24084 (CVSS score: 5.5), this vulnerability is linked to the Windows Mobile Device Management component, potentially allowing attackers to gain unauthorized access to the file system and read arbitrary files. Security researcher Abdelhamid Naceri discovered and reported the issue in October 2020, leading Microsoft to include it in their February 2021 Patch Tuesday updates. However, as noted by Naceri in June 2021, the patch can be bypassed, and it has also been found that the inadequately addressed vulnerability enables attackers to gain administrator privileges and execute malicious code on Windows 10 systems.

Serious Security Vulnerability Discovered in Multiple HP Printer Models

On November 30, 2021, cybersecurity experts revealed significant security weaknesses affecting 150 different multifunction printers from HP Inc. These flaws, which have been present for eight years, can be exploited by attackers to gain control of vulnerable devices, steal sensitive information, and infiltrate enterprise networks to execute further attacks.

The two vulnerabilities, termed Printing Shellz, were uncovered by F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev and reported to HP on April 29, 2021. As a result, HP released patches earlier this month addressing the issues:

  • CVE-2021-39237 (CVSS Score: 7.1): An information disclosure vulnerability affecting specific HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.

  • CVE-2021-39238 (CVSS Score: 9.3): A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.

Further details on the vulnerabilities are currently under review.