Seven Years Old Linux Kernel Vulnerability Let Attackers Execute Remote Code
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Researchers have uncovered a critical flaw in the Linux kernel that could allow attackers to execute remote code.
The vulnerability, which had been inactive for seven years, was uncovered while conducting routine research on the Linux kernel’s TCP subsystem.
This bug, now identified as CVE-2024-36904, highlights the persistent risks in widely used open-source software.
Discovery of the Vulnerability
Allele Security researchers identified the vulnerability during an audit of the Linux kernel source code and through monitoring tools like the syzkaller fuzzer.
It was found in the TCP subsystem and stems from a use-after-free error caused by a race condition between tcp_twsk_unique() and inet_twsk_hashdance().
This issue tracked as CVE-2024-36904, arises when a time-wait TCP socket’s reference counter is initialized after being inserted into a hash table and releasing its lock.
If a lookup occurs before this initialization, it results in a zeroed reference counter, leading to memory mismanagement.
Vulnerability triggered
The vulnerability occurs due to improper handling of reference counters in the kernel’s TCP subsystem. Specifically, a time-wait socket object is added to a hash table before its reference counter is fully initialized.
Concurrent lookups via __inet_check_established() locate the object and call twsk_unique(), which triggers sock_hold().
If sock_hold() finds an uninitialized reference counter, it taints it to 0xc0000000. However, inet_twsk_hashdance() later overwrites this value with 3, causing an imbalance.
This causes the object to be released too soon, creating a use-after-free situation. Such vulnerabilities are particularly dangerous as they can lead to arbitrary code execution within the kernel, potentially compromising entire systems.
Proof of Concept
To confirm exploitability, Allele Security researchers modified the kernel to introduce delays at key points in the execution flow.
This allowed them to reliably reproduce the issue and generate detailed reports using Kernel Address Sanitizer (KASAN). By introducing intentional delays in kernel operations (mdelay()), researchers reliably reproduced the bug in controlled environments.
They also modified kernel configurations to bypass the limitations of KASAN on caches with the SLAB_TYPESAFE_BY_RCU flag.
The exploitability of this vulnerability remains complex due to its reliance on precise timing and specific execution flows. However, given sufficient resources and expertise, attackers could weaponize it for targeted attacks.
Despite being patched upstream, this flaw persists in some widely used Linux distributions due to delays in integrating upstream fixes.
For instance, researchers confirmed its presence in Red Hat Enterprise Linux derivatives running older kernels.
This highlights a broader issue: many popular distributions lag behind upstream patches, leaving users vulnerable even after fixes are available.
Users should update their systems to include kernel versions patched after May 2024. Further, developers are encouraged to adopt tools like syzkaller and KASAN for early detection of similar issues.
#Cyber_Security #Cyber_Security_News #Linux #Vulnerability
Оригинальная версия на сайте:
Seven Years Old Linux Kernel Vulnerability Let Attackers Execute Remote Code
Author: Guru BaranResearchers have uncovered a critical flaw in the Linux kernel that could allow attackers to execute remote code.
The vulnerability, which had been inactive for seven years, was uncovered while conducting routine research on the Linux kernel’s TCP subsystem.
This bug, now identified as CVE-2024-36904, highlights the persistent risks in widely used open-source software.
Discovery of the Vulnerability
Allele Security researchers identified the vulnerability during an audit of the Linux kernel source code and through monitoring tools like the syzkaller fuzzer.
It was found in the TCP subsystem and stems from a use-after-free error caused by a race condition between tcp_twsk_unique() and inet_twsk_hashdance().
This issue tracked as CVE-2024-36904, arises when a time-wait TCP socket’s reference counter is initialized after being inserted into a hash table and releasing its lock.
If a lookup occurs before this initialization, it results in a zeroed reference counter, leading to memory mismanagement.
Vulnerability triggeredThe vulnerability occurs due to improper handling of reference counters in the kernel’s TCP subsystem. Specifically, a time-wait socket object is added to a hash table before its reference counter is fully initialized.
Concurrent lookups via __inet_check_established() locate the object and call twsk_unique(), which triggers sock_hold().
If sock_hold() finds an uninitialized reference counter, it taints it to 0xc0000000. However, inet_twsk_hashdance() later overwrites this value with 3, causing an imbalance.
This causes the object to be released too soon, creating a use-after-free situation. Such vulnerabilities are particularly dangerous as they can lead to arbitrary code execution within the kernel, potentially compromising entire systems.
Proof of Concept
To confirm exploitability, Allele Security researchers modified the kernel to introduce delays at key points in the execution flow.
This allowed them to reliably reproduce the issue and generate detailed reports using Kernel Address Sanitizer (KASAN). By introducing intentional delays in kernel operations (mdelay()), researchers reliably reproduced the bug in controlled environments.
They also modified kernel configurations to bypass the limitations of KASAN on caches with the SLAB_TYPESAFE_BY_RCU flag.
The exploitability of this vulnerability remains complex due to its reliance on precise timing and specific execution flows. However, given sufficient resources and expertise, attackers could weaponize it for targeted attacks.
Despite being patched upstream, this flaw persists in some widely used Linux distributions due to delays in integrating upstream fixes.
For instance, researchers confirmed its presence in Red Hat Enterprise Linux derivatives running older kernels.
This highlights a broader issue: many popular distributions lag behind upstream patches, leaving users vulnerable even after fixes are available.
Users should update their systems to include kernel versions patched after May 2024. Further, developers are encouraged to adopt tools like syzkaller and KASAN for early detection of similar issues.
#Cyber_Security #Cyber_Security_News #Linux #Vulnerability
Оригинальная версия на сайте:
