Researchers at cybersecurity company GRIMM recently published an interesting trio of bugs they found in the Linux kernel…
…in code that had been sitting there inconspicuously for some 15 years.
Fortunately, it seemed that no one else had looked at the code for all that time, at least not diligently enough to spot the bugs, so they’re now patched and the three CVEs they found are now fixed:
- CVE-2021-27365. Exploitable heap buffer overflow due to the use of
sprintf(). - CVE-2021-27363. Kernel address leak due to pointer used as unique ID.
- CVE-2021-27364. Buffer overread leading to data leakage or denial of service (kernel panic).
The bugs were found in the kernel code that implements iSCSI, a component that implements the venerable SCSI data interface over the network, so you can talk to SCSI devices such as tape and disk drives that aren’t connected directly to your own computer.
Of course, if you don’t use SCSI or iSCSI anywhere in your network any more, you’re probably shrugging right now and thinking, “No worries for me, I don’t have any of the iSCSI kernel drivers loaded because I’m simply not using them.”
After all, buggy kernel code can’t be exploited if it’s just sitting around on disk – it has to get loaded into memory and actively used before it can cause any trouble.
Except, of course, that most (or at least many) Linux systems not only come with hundreds or even thousands of kernel modules in the /lib/modules directory tree, ready to use in case they are ever needed, but also come configured to allow suitably authorised apps to trigger the automatic loading of modules on demand.
Serious Security: The Linux kernel bugs that surfaced after 15 years
