How To Fix CVE-2021-43267- A Heap Overflow Vulnerability In Linux Kernel’s TIPC Module

Security researchers from SentinelLabs have discovered a new heap overflow vulnerability in the Linux Kernel’s Transparent Inter Process Communication (TIPC) module. The vulnerability being tracked as CVE-2021-43267 can be exploited either locally or remotely within the network to execute arbitrary code within the kernel and compromise the entire machine. Let’s know more about the Transparent Inter Process Communication (TIPC) module in Linux and see how to fix CVE-2021-43267, A heap overflow vulnerability in Linux Kernel’s TIPC Module.

What Is Transparent Inter-process Communication?

In short, TIPC is an Inter-process communication (IPC) service in Linux that operates between nodes across the cluster. If you want to learn in detail about the TIPC, you can visit its official TIPC page.

TIPM protocol is part of all major Linux distribution kernel modules. When a user loads a TIPC module, the kernel uses the TIPC as a socket and configures it on a network interface to work in a low-privileged mode on top of ethernet protocol. Host communicate with each other by exchanging the TIPC messages between their kernels. 

The TIPC protocol operates in a way transparent to the user. Each TIPC packet is composed of a header and a payload. Each header will have two variables: Header Size and Message Size. Header Size denotes the size of the header, whereas Message Size denotes the total size of the packet.

TIPC protocol has a function ‘tipc_msg_validate‘ to validate the Header and Message Size. This function performs three validations: 1. Message Size is greater than Header Size, 2. The TIPC packet payload size is validated against the maximum user message size, and 3. The Message Size is validated against the actual received packet length.

Overview of CVE-2021-43267- A Heap Overflow Vulnerability

The vulnerability begins with the introduction of a new user message, ‘MSG_CRYPTO,’ which allows peers to send cryptographic keys. When the MSG_CRYPTO message is received, the TIPC kernel module should copy this information (the name of the key algorithm along with the key) into the storage for that node. 

The most important part of this vulnerability is lice in the Header Size calculation. As mentioned above, both Header Size and Message Size are validated against the actual packet size. Total Message Size should not exceed the range of the actual packet. The problem is, that there are no checks implemented to calculate the size of the MSG_CRYPTO message against the total Message Size. This improper validation allows an attacker to create a packet with a small body size to allocate heap memory. For instance, an attacker can create a 20-byte packet and set the message size to 10 bytes without failing the check. Please check the detailed technical analysis from the original report published by Sentinal Labs. 

This heap overflow vulnerability can be exploited either locally or remotely within the network to execute arbitrary code within the kernel and compromise the entire machine.

Summary Of CVE-2021-43267- A Heap Overflow Vulnerability

Description: The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.

Security-Database Scoring CVSS v3

Kernel Versions Affected with the Heap Overflow Vulnerability (CVE-2021-43267)

Since this Heap Overflow Vulnerability (CVE-2021-43267) affects only TIPC users, they should ensure that their Linux kernel version is not between 5.10-rc1 and 5.14.16. Ubuntu published an advisory on Nov 02, 2021; look at the advisory from here.

Vulnerable Kernel Versions:

between 5.10-rc1 and 5.14.16

Patched Kernel Version:

5.15

Not Affected Versions:

5.4.0-9.124.13.0-16.194.4.0-2.163.11.0-12.19

How To Fix CVE-2021-43267- A Heap Overflow Vulnerability In Linux Kernel’s TIPC Module?

This vulnerability has been patched in kernel v5.15 with two changes: 1. A validation function has been moved before the copy process takes place instead of after it, 2. A size overflow check has been added along with additional checks for the minimum packet size and the supplied key size. It is recommended to upgrade your kernel to v5.15 as soon as possible.

How To Upgrade Kernel On Your Linux?

There are multiple ways to update the kernel on Linux. The best and the native way is to download and install the tested kernel package. Please contact your support to choose the best way that works for you. Just for the demonstration, we are going to show you how to upgrade the kernel on Ubuntu or Debian servers in a native way.

kernel.ubuntu.com/~kernel-ppa/mainline/(opens in a new tab)

Note: Before you download and install it on your production server, we recommend testing this on a test machine. Don’t forget to take the full VM snapshot if are upgrading the kernel on a Virtual Image. Or, take the filesystem back up if you have a physical server.

Step 1. Check the kernel version

Before you start upgradation, check the version of the kernel your server has. What if the kernel version is not in the list of affected versions, If so, you can schedule this later as per your time.
Run this command to check the kernel version.

$ uname -rs

Step 2. Download kernel modules 5.15

Download the kernel packages directly from the kernel.ubuntu.com website. Download the latest version available (At the bottom) from the website to a dedicated directory. Change the permission of the files to execute.
Create a directory in your path:

$ mkdir /home/arunkl/kernel-5.15

Change the directory:

$ cd /home/arunkl/kernel-5.15/

Download these two files (where X.Y.Z is the highest version):

1. linux-image-*X.Y.Z*-generic-*.deb
2. linux-modules-X.Y.Z*-generic-*.deb

Commands to download the kernel v5.15

$ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.15/amd64/linux-image-unsigned-5.15.0-051500-generic_5.15.0-051500.202110312130_amd64.deb

$ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.15/amd64/linux-modules-5.15.0-051500-generic_5.15.0-051500.202110312130_amd64.deb

Run this command to set the file permission to execution mode:

$ chmod +x *.deb

Step 3. Install kernel module 5.15

Install the downloaded packages using the default dpkg utility then reboot the server.

$ sudo dpkg –install *.deb
$ reboot

Step 4. Check the kernel version after reboot

Use the same command used in the first step. You will see upgraded kernel version if everything goes well.

$ uname -rs

Step 5. How to Fix CVE-2021-43267 on RedHat and CentOS Linux servers

RedHat didn’t release patches to this vulnerability as the latest version of the kernel module RedHat supports is 4.18.0-305, which comes in the not affected version category.

How To Fix CVE-2021-43267 On RedHat And CentOS?

RedHat didn’t release patches to this vulnerability as the latest version of the kernel module RedHat supports is 4.18.0-305, which comes in the not affected version category.

Kernel Version Supported in Red Hat Enterprise Linux 8

Red Hat Enterprise Linux 7

Check the latest kernel versions for older RHEL here.

We hope this post helps you learn How to Fix CVE-2021-43267- A Heap Overflow Vulnerability in Linux Kernel’s TIPC Module. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.