Critical Linux Kernel Bug Allows Remote Takeover
According to SentinelOne's SentinelLabs, the bug in question specifically resides in a message type that allows nodes to send cryptographic keys to each other.
According to the researcher, the common TIPC message header contains a "Header size" field, which holds the actual header size shifted to the right by two bits, and a "Message size" field that is equal to the length of the entire TIPC message.
"The message size is correctly validated as greater than the header size, the payload size is validated against the maximum user message size, and the message size is validated against the actual received packet length," Van Amerongen said - so far, so good.
The size allocated for this key message is the message size itself, minus the header size.
"There are no checks for either the [key length] or the size of the key algorithm name itself against the message size," the researcher explained.
The message-validation function only checks that the message size in the header is within the bounds of the actual packet: "That means that an attacker could create a 20-byte packet and set the message size to 10 bytes without failing the check," Van Amerongen added.
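The checks described above, and the bounds check the researcher says was missing, as an added example that is not kernel code and not from the original article. The struct, function names, and constants are hypothetical, and the payload layout (a fixed-size algorithm name, a length field, then the key) is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; names and constants are hypothetical,
 * not the kernel's. */
#define MAX_USER_MSG_SIZE 66000u /* assumed maximum user message size */
#define ALG_NAME_LEN 32u         /* assumed fixed-size algorithm-name field */

struct msg_fields {          /* values read from one received packet */
    uint8_t  hdr_size_field; /* "Header size": header bytes >> 2 */
    uint32_t msg_size;       /* "Message size": length of the whole message */
    uint32_t pkt_len;        /* bytes actually received */
    uint32_t key_len;        /* key length claimed inside the payload */
};

static uint32_t hdr_bytes(const struct msg_fields *m)
{
    return (uint32_t)m->hdr_size_field << 2;
}

/* The three header checks described in the article. */
bool header_ok(const struct msg_fields *m)
{
    uint32_t hdr = hdr_bytes(m);
    if (m->msg_size <= hdr) return false;                    /* msg > header */
    if (m->msg_size - hdr > MAX_USER_MSG_SIZE) return false; /* payload cap */
    return m->msg_size <= m->pkt_len;                        /* fits packet */
}

/* The missing check: name field + length field + key must fit the buffer,
 * which is sized msg_size - header size. */
bool key_fits(const struct msg_fields *m)
{
    if (!header_ok(m)) return false;
    uint32_t payload = m->msg_size - hdr_bytes(m);
    uint32_t fixed = ALG_NAME_LEN + (uint32_t)sizeof(uint32_t);
    if (payload < fixed) return false;
    return m->key_len <= payload - fixed; /* subtract first: no overflow */
}

int main(void)
{
    struct msg_fields m = {6, 76, 76, 64}; /* constructed: room for 16, 64 claimed */
    printf("header_ok=%d key_fits=%d\n", header_ok(&m), key_fits(&m));
    return 0;
}
```

A message can pass `header_ok` while failing `key_fits`, which is the gap the article describes: the header fields are consistent with the packet, but the length claimed inside the payload is never compared with the buffer sized from them.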
News URL
https://threatpost.com/critical-linux-kernel-bug/176000/