Linux iscsi security fixes

Related Vulnerabilities: CVE-2021-27365   CVE-2021-27363   CVE-2021-27364  
                							

oss-sec
mailing list archives

From: Marcus Meissner <meissner () suse de>

Date: Sat, 6 Mar 2021 09:39:24 +0100

Hi,

The iscsi developers have just published 3 security fixes to Linux Kernel mainline git.

Reported-by: Adam Nichols <adam () grimm-co com>

(I think) the researcher had requested CVEs, the kernel devs however omitted them from the commits.

CVE-2021-27365: iscsi_host_get_param() allows sysfs params larger than 4k

        The Linux kernel iscsi initiator code allows initiator/target parameters to be negotiated that can be longer than 4k, since no limit is imposed. But when these values are displayed via sysfs, the sysfs subsystem limits that output to 4k, so the memory above that gets leaked.

        https://bugzilla.suse.com/show_bug.cgi?id=1182715
        https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ec98ea7070e94cc25a422ec97d1421e28d97b7ee
        https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5

        (not sure if both directly associated, but both fix the same class of issues)

(2 fixes in 1 upstream commit, just in 2 separate hunks:)

CVE-2021-27363: kernel-source: show_transport_handle() shows iSCSI transport handle to non-root users

        The iscsi initiator kernel subsystem makes the transport handle available via sysfs so that the iscsid daemon can access it, but it makes this visible to all users, making it possible for non-root users to attack the iscsi subsystem using this knowledge, particularly together with CVE-2021-27364, which allows non-root users to use the netlink socket to talk to the iscsi kernel subsystem.

        https://bugzilla.suse.com/show_bug.cgi?id=1182716
        https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=688e8128b7a92df982709a4137ea4588d16f24aa

CVE-2021-27364: kernel-source: iscsi_if_recv_msg() allows non-root users to connect and send commands

        This vulnerability allows any user to connect to the iscsi NETLINK socket and send commands to the kernel, such as "end a session", which is not good.

        Together with CVE-2021-27363, this allows non-root bad actors to end sessions arbitrarily. (See bsc#1182716).

        https://bugzilla.suse.com/show_bug.cgi?id=1182717
        https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=688e8128b7a92df982709a4137ea4588d16f24aa

Ciao, Marcus
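
The CVE-2021-27365 description above (an unlimited parameter length meeting a 4k sysfs output limit) can be modelled in user space. This is an added example, not code from the message or from the kernel commits it links; `SYSFS_PAGE`, `unbounded_need()`, `param_fits()`, `show_param_bounded()` and `make_value()` are hypothetical names, and the 5000-character value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYSFS_PAGE 4096 /* assumption: the "4k" sysfs limit named in the advisory */

/* Hypothetical helper: bytes an unbounded "%s\n" format needs for value,
 * terminating NUL included. Anything above SYSFS_PAGE falls outside the page. */
static size_t unbounded_need(const char *value)
{
    return (size_t)snprintf(NULL, 0, "%s\n", value) + 1;
}

/* Hypothetical set-time check: refuse values that cannot be shown in one page. */
static int param_fits(const char *value)
{
    return unbounded_need(value) <= SYSFS_PAGE;
}

/* Hypothetical bounded show callback: writes at most SYSFS_PAGE bytes into buf
 * and returns the number of characters actually stored (NUL excluded). */
static size_t show_param_bounded(char *buf, const char *value)
{
    int n = snprintf(buf, SYSFS_PAGE, "%s\n", value);
    if (n < 0)
        return 0;
    return (size_t)n >= SYSFS_PAGE ? SYSFS_PAGE - 1 : (size_t)n;
}

/* Constructed input: a parameter value made of len 'A' characters. */
static char *make_value(size_t len)
{
    char *v = malloc(len + 1);
    if (!v)
        return NULL;
    memset(v, 'A', len);
    v[len] = '\0';
    return v;
}

int main(void)
{
    char page[SYSFS_PAGE];
    char *longv = make_value(5000); /* constructed oversized value */
    if (!longv)
        return 1;
    printf("unbounded format needs %zu bytes, page holds %d\n",
           unbounded_need(longv), SYSFS_PAGE);
    printf("accepted at set time: %d\n", param_fits(longv));
    printf("bounded show stored %zu bytes\n", show_param_bounded(page, longv));
    free(longv);
    return 0;
}
```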
