Discussion:
Serious Security: The Linux kernel bugs that surfaced after 15 years
Manu Raju
2021-03-28 05:12:57 UTC
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
J.O. Aho
2021-03-28 10:00:30 UTC
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of Linux users don't,
sure the impact could be bad if your cloud service used iSCSI instead of
distributed storage.

The effect of the bugs are far smaller than the ms-exchange bug recently
found.
--
//Aho
William Unruh
2021-03-28 15:50:11 UTC
David W. Hodgins
2021-03-28 16:10:32 UTC
Post by J.O. Aho
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of Linux users don't,
sure the impact could be bad if your cloud service used iSCSI instead of
distributed storage.
The effect of the bugs are far smaller than the ms-exchange bug recently
found.
"The researchers were able to find software that an unprivileged
attacker could run in order to activate the buggy driver code they’d
found, and they were able to produce working exploits"
The point is that iscsi is rarely used. It has no impact on systems that do not
use iscsi (internet scsi). MS exchange is used on almost all servers using windows.

Regards, Dave Hodgins
--
Change ***@nomail.afraid.org to ***@teksavvy.com for
email replies.
William Unruh
2021-03-28 18:03:52 UTC
y***@novalid.com
2021-03-28 18:37:29 UTC
On Sun, 28 Mar 2021 18:03:52 -0000 (UTC)
The question is whether or not someone can get onto a machine which does
not use iscsi, but where the module for iscsi is installed on the
machine, and use these bugs to get at the machine. The implication
from the web page is yes, it can be so used. If true, then whether or
not that machine uses iscsi is irrelevant. But I certainly do not know
if it can thus be used.
from page you linked

Fortunately, it seemed that no one else had looked at the code for all that time, at least not diligently enough to spot the bugs, so they’re now patched and the three CVEs they found are now fixed:

so no problemo
--
Mint 20.00, kernel 5.4.0-58-generic, Cinnamon 4.6.7
running on an AMD Ryzen 3 3200G with Radeon Vega Graphics×4 with 16GB of DRAM.
David W. Hodgins
2021-03-28 18:25:23 UTC
Post by David W. Hodgins
Post by J.O. Aho
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of Linux users don't,
sure the impact could be bad if your cloud service used iSCSI instead of
distributed storage.
The effect of the bugs are far smaller than the ms-exchange bug recently
found.
"The researchers were able to find software that an unprivileged
attacker could run in order to activate the buggy driver code they’d
found, and they were able to produce working exploits"
The point is that iscsi is rarely used. It has no impact on systems that do not
use iscsi (internet scsi). MS exchange is used on almost all servers using windows.
No idea why MS exchange is coming in here. Their announcement was never
a competition.
The question is whether or not someone can get onto a machine which does
not use iscsi, but where the module for iscsi is installed on the
machine, and use these bugs to get at the machine. The implication
from the web page is yes, it can be so used. If true, then whether or
not that machine uses iscsi is irrelevant. But I certainly do not know
if it can thus be used.
My standard Mageia 7 installation has a directory
/usr/lib/modules/5.10.19-desktop-1.mga7/kernel/drivers/target/iscsi
which suggests that the module is available and could be loaded by an
"appropriate program".
The module can be auto loaded, but isn't in most distributions, unless you've
configured iscsi devices.
# zgrep ISCSI_TCP /proc/config.gz
CONFIG_ISCSI_TCP=m

In addition to that, the iscsi device(s) would have to be accessible from
the internet for the exploit to be remotely vulnerable.

So no firewall, and either directly connected to the net or with a router set
to forward traffic to tcp ports 860 and 3260 on one of the systems configured
to use iscsi.

It's possible, but pretty rare.

Regards, Dave Hodgins
--
Change ***@nomail.afraid.org to ***@teksavvy.com for
email replies.
David W. Hodgins
2021-03-28 18:45:50 UTC
Post by David W. Hodgins
In addition to that, the iscsi device(s) would have to be accessible from
the internet for the exploit to be remotely vulnerable.
Just checked the kernel update that fixed the last part of the issue for Mageia was
released March 22nd, 2021.
https://advisories.mageia.org/MGASA-2021-0151.html

Regards, Dave Hodgins
--
Change ***@nomail.afraid.org to ***@teksavvy.com for
email replies.
J.O. Aho
2021-03-29 05:32:06 UTC
Post by David W. Hodgins
Post by J.O. Aho
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of Linux users don't,
sure the impact could be bad if your cloud service used iSCSI instead of
distributed storage.
The effect of the bugs are far smaller than the ms-exchange bug recently
found.
"The researchers were able to find software that an unprivileged
attacker could run in order to activate the buggy driver code they’d
found, and they were able to produce working exploits"
The point is that iscsi is rarely used. It has no impact on systems that do not
use iscsi (internet scsi). MS exchange is used on almost all servers using windows.
No idea why MS exchange is coming in here. Their announcement was never
a competition.
To show what a real serious bug is that is easily remote executed and
actively used.
The question is whether or not someone can get onto a machine which does
not use iscsi, but where the module for iscsi is installed on the
machine, and use these bugs to get at the machine. The implication
from the web page is yes, it can be so used. If true, then whether or
not that machine uses iscsi is irrelevant. But I certainly do not know
if it can thus be used.
By default you will not have it loaded nor have you configured a device
to use it in your fstab or multi path configuration, so there will not
be anything that loads it, which leaves you needing root access or a
vulnerability that gives you that privilege.

simple verification: lsmod | grep iscsi
My standard Mageia 7 installation has a directory
/usr/lib/modules/5.10.19-desktop-1.mga7/kernel/drivers/target/iscsi
which suggests that the module is available and could be loaded by an
"appropriate program".
rm -rf /usr/lib/modules/5.10.19-desktop-1.mga7/kernel/drivers/target/iscsi

and problem solved.
--
//Aho
David W. Hodgins
2021-03-29 07:07:55 UTC
Post by J.O. Aho
By default you will not have it loaded nor have you configured a device
to use it in your fstab or multi path configuration, so there will not
be anything that loads it, which leaves you needing root access or a
vulnerability that gives you that privilege.
simple verification: lsmod | grep iscsi
It would also be vulnerable if a distro or person compiles their kernel with
the module builtin rather than as a loadable module. I doubt anyone or a distro
would do that unless they actually use it.

It may be builtin in some internet of things devices, but I doubt there are
any that do.

Regards, Dave Hodgins
--
Change ***@nomail.afraid.org to ***@teksavvy.com for
email replies.
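The checks raised in the posts above (is the module loaded, is it on disk, is it built in, can anything still load it), as an added example that is not part of the thread. The `root` argument, the sample tree and the module names beyond the `iscsi_tcp` implied by `CONFIG_ISCSI_TCP` are assumptions of the example.

```sh
#!/bin/sh
# Added example: classify how exposed one kernel module is on a system.
#   builtin  - compiled into the kernel image, always present
#   loaded   - listed in /proc/modules right now
#   loadable - .ko on disk and nothing stops modprobe from loading it
#   blocked  - .ko on disk, but modprobe.d maps it to /bin/false or /bin/true
#   absent   - no .ko for this kernel release
# The root argument is an assumption of this example, so the check can run
# against a constructed tree; leave it empty to inspect the live system.
module_state() {
    mod=$1; root=${2:-}; krel=${3:-$(uname -r)}
    moddir="$root/lib/modules/$krel"
    # modprobe treats '-' and '_' in module names as the same character.
    norm=$(printf '%s' "$mod" | sed 's/-/_/g')

    if [ -f "$moddir/modules.builtin" ] &&
       sed 's/-/_/g' "$moddir/modules.builtin" | grep -Eq "/${norm}\.ko\$"; then
        echo builtin; return 0
    fi
    if [ -r "$root/proc/modules" ] &&
       awk -v m="$norm" '$1 == m { hit = 1 } END { exit !hit }' "$root/proc/modules"; then
        echo loaded; return 0
    fi
    # Module files may be compressed (.ko.xz, .ko.zst, ...).
    if ! find "$moddir" -type f -name '*.ko*' 2>/dev/null |
         sed 's|.*/||; s/\.ko.*$//; s/-/_/g' | grep -qx "$norm"; then
        echo absent; return 0
    fi
    # A bare "blacklist" line only disables alias matching; a load by module
    # name still works, so only an "install <mod> /bin/false" rule counts.
    for d in etc run usr/lib lib; do
        for f in "$root/$d/modprobe.d"/*.conf; do
            [ -f "$f" ] || continue
            if sed 's/-/_/g' "$f" | grep -Eq \
               "^[[:space:]]*install[[:space:]]+${norm}[[:space:]]+/(usr/)?s?bin/(false|true)"; then
                echo blocked; return 0
            fi
        done
    done
    echo loadable
}

# Constructed sample tree; every file in it is invented for this demonstration.
make_sample_root() {
    r=$(mktemp -d) && k="$r/lib/modules/5.10.19-sample"
    mkdir -p "$k/kernel/drivers/scsi" "$k/kernel/drivers/infiniband" \
             "$r/etc/modprobe.d" "$r/proc"
    echo 'kernel/drivers/scsi/scsi_transport_iscsi.ko' > "$k/modules.builtin"
    echo 'libiscsi 57344 0 - Live 0x0000000000000000' > "$r/proc/modules"
    : > "$k/kernel/drivers/scsi/iscsi_tcp.ko.xz"
    : > "$k/kernel/drivers/infiniband/ib_iser.ko.xz"
    printf '%s\n' 'install iscsi_tcp /bin/false' 'blacklist ib_iser' \
        > "$r/etc/modprobe.d/iscsi.conf"
    echo "$r"
}

sample=$(make_sample_root)
for m in scsi_transport_iscsi libiscsi iscsi_tcp ib_iser iscsi_target_mod; do
    printf '%-22s %s\n' "$m" "$(module_state "$m" "$sample" 5.10.19-sample)"
done
rm -rf "$sample"
```

On a live system, call `module_state iscsi_tcp` with no further arguments. A result of `absent` applies only to the kernel release checked, since every kernel package ships its own module tree.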
DanS
2021-03-29 21:53:09 UTC
On 2021-03-28, David W. Hodgins
On Sun, 28 Mar 2021 11:50:11 -0400, William Unruh
Post by J.O. Aho
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of
Linux users don't, sure the impact could be bad if your
cloud service used iSCSI instead of distributed storage.
The effect of the bugs are far smaller than the
ms-exchange bug recently found.
"The researchers were able to find software that an
unprivileged attacker could run in order to activate the
buggy driver code they’d found, and they were able to
produce working exploits"
The point is that iscsi is rarely used. It has no impact
on systems that do not use iscsi (internet scsi). MS
exchange is used on almost all servers using windows.
No idea why MS exchange is coming in here
LOL...Really?

I see it as the same thing as Trumpers, whenever you talk about things he'd done that
you don't like....and have verified facts and information to completely support your view
on it, and they'll be all...

"...bu, bu, bu, bu..what about Hillary?!?!"

I STILL hear this, even after Biden was sworn in.
Aragorn
2021-03-30 11:11:35 UTC
Post by DanS
I see it as the same thing as Trumpers, whenever you talk about
things he'd done that you don't like....and have verified facts and
information to completely support your view on it, and they'll be
all...
"...bu, bu, bu, bu..what about Hillary?!?!"
I STILL hear this, even after Biden was sworn in.
You should check out the latest conspiracy theory regarding Hillary.

The QAnon idiots are now claiming that Trump's "white hats" have
deliberately caused that container ship to get lodged in the Suez Canal
because there are allegedly children in those containers that the
reptilian shapeshifting communist pedophiles from the 76th dimension of
the Pizzagate™ pedo ring are smuggling around the world. And Hillary
even put her name on the ship, because its registration number is
"HR7C" (or something like that).

I kid you not. 10 million Americans believe that shit. <facepalm>
--
With respect,
= Aragorn =
Bobbie Sellers
2021-03-30 15:22:04 UTC
Post by Aragorn
Post by DanS
I see it as the same thing as Trumpers, whenever you talk about
things he'd done that you don't like....and have verified facts and
information to completely support your view on it, and they'll be
all...
"...bu, bu, bu, bu..what about Hillary?!?!"
I STILL hear this, even after Biden was sworn in.
You should check out the latest conspiracy theory regarding Hillary.
The QAnon idiots are now claiming that Trump's "white hats" have
deliberately caused that container ship to get lodged in the Suez Canal
because there are allegedly children in those containers that the
reptilian shapeshifting communist pedophiles from the 76th dimension of
the Pizzagate™ pedo ring are smuggling around the world. And Hillary
even put her name on the ship, because its registration number is
"HR7C" (or something like that).
I kid you not. 10 million Americans believe that shit. <facepalm>
If it was only 10 million Americans but probably closer to
at least 3 times that. We have about 330,000,000 Americans
which is why vaccination is such a monumental task. Now I know
perfectly well that microchips are not yet so refined as to
be injectable or permitted in vaccines but if they were I
would be glad to keep track of these Know-Nothings. If
they believe such stupid ideas then they will be needing
help.

bliss- Oh, drat these computers. They're so naughty and so complex. I
could pinch them. --Marvin the Martian
--
bliss dash SF 4 ever at dslextreme dot com
Alfonso P Cutaway
2021-03-31 17:09:53 UTC
Post by DanS
Post by David W. Hodgins
Post by J.O. Aho
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of Linux users
don't, sure the impact could be bad if your cloud service used iSCSI
instead of distributed storage.
The effect of the bugs are far smaller than the ms-exchange bug
recently found.
"The researchers were able to find software that an unprivileged
attacker could run in order to activate the buggy driver code they’d
found, and they were able to produce working exploits"
The point is that iscsi is rarely used. It has no impact on systems
that do not use iscsi (internet scsi). MS exchange is used on almost
all servers using windows.
No idea why MS exchange is coming in here
LOL...Really?
I see it as the same thing as Trumpers, whenever you talk about things
he'd done that you don't like....and have verified facts and information
to completely support your view on it, and they'll be all...
"...bu, bu, bu, bu..what about Hillary?!?!"
I STILL hear this, even after Biden was sworn in.
B Biggest

I Idiot

D Democrats

E Ever

N Nominated
Bobbie Sellers
2021-03-31 18:13:22 UTC
Post by Alfonso P Cutaway
Post by DanS
Post by David W. Hodgins
Post by J.O. Aho
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of Linux users
don't, sure the impact could be bad if your cloud service used iSCSI
instead of distributed storage.
The effect of the bugs are far smaller than the ms-exchange bug
recently found.
"The researchers were able to find software that an unprivileged
attacker could run in order to activate the buggy driver code they’d
found, and they were able to produce working exploits"
The point is that iscsi is rarely used. It has no impact on systems
that do not use iscsi (internet scsi). MS exchange is used on almost
all servers using windows.
No idea why MS exchange is coming in here
LOL...Really?
I see it as the same thing as Trumpers, whenever you talk about things
he'd done that you don't like....and have verified facts and information
to completely support your view on it, and they'll be all...
"...bu, bu, bu, bu..what about Hillary?!?!"
I STILL hear this, even after Biden was sworn in.
B Biggest
I Idiot
D Democrats
E Ever
N Nominated
Trump is the biggest idiot any political party ever advanced to the
Presidency. Biden is a man who started running for president before you
were hatched. He knows more about the job than anyone since Truman and
Franklin Roosevelt. Sadly we will never experience the leadership of
Hillary Clinton but she could not have done worse than Trump and likely
would have done much better without sacrificing our honor to enrich
herself as Mr. Trump did over and over again.

Soon he will be in court discussing his mistreatment of
young women.

bliss
DanS
2021-04-03 11:28:04 UTC
Post by Alfonso P Cutaway
Post by DanS
On 2021-03-28, David W. Hodgins
On Sun, 28 Mar 2021 11:50:11 -0400, William Unruh
Post by J.O. Aho
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of
Linux users don't, sure the impact could be bad if
your cloud service used iSCSI instead of distributed
storage.
The effect of the bugs are far smaller than the
ms-exchange bug recently found.
"The researchers were able to find software that an
unprivileged attacker could run in order to activate
the buggy driver code they’d found, and they were
able to produce working exploits"
The point is that iscsi is rarely used. It has no impact
on systems that do not use iscsi (internet scsi). MS
exchange is used on almost all servers using windows.
No idea why MS exchange is coming in here
LOL...Really?
I see it as the same thing as Trumpers, whenever you talk
about things he'd done that you don't like....and have
verified facts and information to completely support your
view on it, and they'll be all...
"...bu, bu, bu, bu..what about Hillary?!?!"
I STILL hear this, even after Biden was sworn in.
B Biggest
I Idiot
D Democrats
E Ever
N Nominated
Perhaps...only time will tell.

J.O. Aho
2021-03-28 16:25:29 UTC
Post by J.O. Aho
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
Only serious if you use iSCSI which the majority of Linux users don't,
sure the impact could be bad if your cloud service used iSCSI instead of
distributed storage.
The effect of the bugs are far smaller than the ms-exchange bug recently
found.
"The researchers were able to find software that an unprivileged
attacker could run in order to activate the buggy driver code they’d
found, and they were able to produce working exploits"
You need to load the module before you can exploit it, this will in most
cases require you gain root access, and then run the exploit, this of
course requires you have some kind of access to the machine either
another set of vulnerabilities or an account.

Sure if you already have some network scsi devices mounted, then it's
just get to execute the code, either by other vulnerabilities or an
account on the machine.


Compare that with the current vulnerability in ms-exchange which is
remotely exploitable and only needs a tweaked set of packages to be sent
to gain hold of the system. Exploit was released on github which
microsoft went and deleted without the repository owner knowing of it, but
I would say that was already too late as the exploit is used widely out
in the wild. CVE-2021-26855 (critical), CVE-2021-26857 (high),
CVE-2021-26858 (high), CVE-2021-27065 (high).


So is the iSCSI bug a wolf or maybe just a mouse, sure there are systems
where it could cause a lot of problems, but the majority of Linux
devices do not use iSCSI.
--
//Aho
William Unruh
2021-03-28 18:07:12 UTC
David W. Hodgins
2021-03-28 20:40:42 UTC
The web page intimates that an attacker with user privileges (not root)
could run an appropriate program to get that module loaded and then use
the bugs. They do not give enough information to show how.
Only if root has already configured an iscsi device that the user can mount.

Regards, Dave Hodgins
--
Change ***@nomail.afraid.org to ***@teksavvy.com for
email replies.
TheSidhe
2021-03-28 22:23:43 UTC
Post by Manu Raju
<https://nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years/>
From the article--
…in code that had been sitting there inconspicuously for some 15 years.

Fortunately, it seemed that no one else had looked at the code for all
that time, at least not diligently enough to spot the bugs, so they’re
now patched and the three CVEs they found are now fixed:

CVE-2021-27365. Exploitable heap buffer overflow due to the use of
sprintf().
CVE-2021-27363. Kernel address leak due to pointer used as unique ID.
CVE-2021-27364. Buffer overread leading to data leakage or denial
of service (kernel panic).

and I asked myself what does this mean, it made me feel unhappy and
incompetent that I did not know what "Exploitable heap buffer overflow
due to the use of sprintf" and upon further reflection I asked for
information about the isp for the website here is what I got--






Notice the name Automattic, Inc, employing 1700 people, and thus I will
continue to use Linux in every way.
William Unruh
2021-03-29 06:11:42 UTC