Nasty Linux Kernel Stack Overflow Flaw Found and Patched
Here we go again. Another obnoxious security bug, CVE-2022-0435: A Remote Stack Overflow in The Linux Kernel was found by Appgate senior exploit developer Samuel Page while he was poking around at a Linux heap overflow security bug, CVE-2021-43267 from November 2021. Page’s discovery is a remotely and locally reachable stack overflow in the Linux kernel’s Transparent Inter-Process Communication (TIPC) protocol networking module.
TIPC, as the name says, is used for intracluster communications. Cluster topology is managed using the concept of nodes and links between these nodes. Messages sent using TIPC can be sent over either UDP or Ethernet. So far, so good.
But, in June 2016 the TIPC module was given its own monitoring framework.
With this feature, nodes could monitor the cluster’s network topology and share its view with other nodes in the same domain. Unfortunately, its sanity checks weren’t good enough. The researchers discovered it was possible to pretend to be a peer node. That done, a link could be established with the target locally or remotely, and a malicious domain record containing an arbitrary payload loaded. You can see where this is leading.
Yes, sure enough, as Page wrote, “Exploitation is trivial and can lead to denial of service via kernel panic.” I don’t know about you. I could live without another Linux kernel-level denial of service attack.
The vulnerability is present in the Linux kernel from versions 4.8 through 5.17-rc3. However, although the TPIC module is in most major distributions, it must be loaded in order to be exploited. “Furthermore,” Page wrote, “for remote exploitation, the target would need to have a TIPC bearer set up already i.e. — the vulnerability extends to systems using TIPC.”
Could Have Been Worse
In other words, this could have been worse.
Still, Red Hat gives this TIPC security hole a Common Vulnerability Scoring System (CVSS) rating of 7.1, which is more than high enough to catch my attention.
While a TIPC patch is available now and available from most major Linux distributions, Red Hat also has other warnings I think you should take seriously.
First, if you’re not using TIPC but you’re loading into your Linux instances anyway: Stop. You can prevent the module can be loaded with the simple root command:
# echo "install tipc /bin/true" >> /etc/modprobe.d/disable-tipc.conf
If the TIPC module has already been loaded, you’ll need to reboot the system. That’s because you can’t unload TIPC so long as any network interfaces are active and the protocol is in use.
In addition, Red Hat recommends you use the transport level to separate and/or secure (by both encrypting and authenticating via eg. IPSec/MACSec) the communication between nodes. Encrypting this traffic is always a good idea. You never know who might be peeking at your traffic to semi-trusted nodes.
So, on that note, I urge you to patch your systems and think about other ways to secure your internal networking. The patch will stop this problem, but there’s always a new attack waiting in the wings for you.