Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest


Critical RCE Vulnerability Reported in Linux Kernel’s TIPC Module

A major security flaw in the Linux Kernel’s Transparent Inter Process Communication (TIPC) module has been disclosed and a patch has been made available. This vulnerability (marked as CVE-2021-43267) can be exploited either locally or remotely to gain kernel privileges, thus allowing an attacker to compromise the entire system.

TIPC is an inter-process communication protocol that allows nodes in a cluster to communicate more efficiently with one another and establish a better level of fault tolerance than with other protocols such as TCP. The vulnerability exists in the message type called “MSG_CRYPTO,” which was introduced into TIPC in September 2020. Within this message type, there is no size validation in the “keylen” attribute, thus allowing an attacker to provide an arbitrary size for this attribute and write outside the bounds of allocated heap memory.

The TIPC module exists within a kernel module packaged with all major Linux distributions, but it is not loaded automatically by the system. The issue has since been addressed in Linux Kernel version 5.15, which was released on October 31st of this year. There have, as of this writing, been no confirmed exploitation of this vulnerability in the wild.

Analyst Notes

Like with all vulnerabilities, it is important to stay up to date on patching. If TIPC is actively being used in an organization, it is recommended to update to Linux Kernel 5.15 as soon as possible to prevent exploitation of this vulnerability.

For organizations not utilizing TIPC, it is recommended to make sure that the TIPC module is not actively loaded on any systems. By preventing unnecessary services from running, the attack surface can be greatly reduced. Likewise, it is recommended to actively disable the TIPC module from being able to be loaded on systems as well. This will help prevent end users, or potentially compromised low-privileged user accounts, from being able to load the module and actively exploit the vulnerability.