Now-fixed vulnerabilities enabled local privilege escalation
Positive Technologies security researcher Alexander Popov has discovered and fixed five similar issues in the virtual socket implementation of the Linux kernel. These vulnerabilities could be exploited for local privilege escalation, as confirmed by Popov in experiments on Fedora 33 Server. The vulnerabilities, known together as CVE-2021-26708, have received a CVSS v3 base score of 7.0 (high severity).
These vulnerabilities result from race conditions [1] that were introduced along with virtual socket multi-transport support. They appeared in Linux kernel version 5.5 in November 2019. The vulnerable kernel drivers (CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS) are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are loaded automatically when an AF_VSOCK socket is created, and creating such a socket requires no special privileges, so unprivileged users can trigger the load.
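Fleet triage against the version window described above, as an added helper script that is not part of the advisory or of Popov's patch. It classifies a kernel release string (vulnerable code present since 5.5; fix merged in mainline 5.11-rc7) and reports whether vsock transport modules are currently loaded. The stable point releases that received the backport are not listed here, so kernels in 5.5 through 5.10 are flagged for a distribution errata check rather than declared vulnerable; the module-name prefixes `vsock` and `vmw_vsock_` are an assumption matching the two config options named in the text.

```shell
#!/bin/sh
# Added triage helper (not from the advisory). Classifies a kernel release
# against the CVE-2021-26708 window and reports loaded vsock modules.

# Print "MAJOR MINOR" for a release such as "5.10.12-200.fc33.x86_64".
kver_parts() {
    v=${1%%-*}                      # drop the distro suffix after '-'
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0    # no minor component at all
    minor=${rest%%.*}
    echo "$major $minor"
}

# Classify a kernel release: not-affected | check-errata | fixed-mainline
# Assumption: 5.11 release candidates before rc7 are treated as fixed too;
# refine the check if you run pre-rc7 builds of 5.11.
classify_kernel() {
    set -- $(kver_parts "$1")
    major=$1; minor=$2
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 5 ]; }; then
        echo not-affected                 # multi-transport code not present
    elif [ "$major" -eq 5 ] && [ "$minor" -le 10 ]; then
        echo check-errata                 # fixed only if stable backport applied
    else
        echo fixed-mainline               # contains the 5.11-rc7 fix
    fi
}

# Return 0 if any vsock transport module is loaded (reads /proc/modules).
vsock_loaded() {
    [ -r /proc/modules ] && grep -Eq '^(vsock|vmw_vsock_)' /proc/modules
}

# Usage: ./vsock_triage.sh [kernel-release]   (defaults to uname -r)
main() {
    rel=${1:-$(uname -r)}
    echo "kernel $rel: $(classify_kernel "$rel")"
    if vsock_loaded; then
        echo "vsock transport modules are loaded"
    else
        echo "no vsock modules loaded (they autoload on AF_VSOCK socket creation)"
    fi
}

# Run main only when executed as vsock_triage.sh, so the functions can be sourced.
case "$0" in */vsock_triage.sh|vsock_triage.sh) main "$@" ;; esac
```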
Popov said: "I successfully developed a prototype exploit for local privilege escalation on Fedora 33 Server, bypassing x86_64 platform protections such as SMEP and SMAP. This research will lead to new ideas on how to improve Linux kernel security."
Popov prepared the fixing patch and disclosed the vulnerabilities responsibly to the Linux kernel security team. The patch has been merged into mainline kernel version 5.11-rc7 and backported into affected stable trees.
Previously, Popov discovered and fixed Linux kernel vulnerabilities CVE-2019-18683 and CVE-2017-2636.
[1] A race condition occurs when a system's substantive behavior depends on the sequence or timing of uncontrollable events: https://en.wikipedia.org/wiki/Race_condition