A security researcher has released exploit code for a high-severity vulnerability in the Linux kernel's eBPF (Extended Berkeley Packet Filter) subsystem that can give an attacker elevated privileges on Ubuntu machines.
The bug is tracked as CVE-2021-3490. It was disclosed in May and is a privilege-escalation flaw, so exploiting it requires local access to the target machine.
eBPF is a technology that lets user-supplied programs run sandboxed inside the operating system's kernel, triggered by a specific event or function (e.g. a system call or a network event).
Denial of service also possible
Manfred Paul of the RedRocket CTF team, working with Trend Micro's Zero Day Initiative, reported the bug. He found that CVE-2021-3490 could be turned into out-of-bounds reads and writes in the kernel.
The problem is that user-supplied eBPF programs are not properly validated before they are executed. If successfully exploited, a local attacker can gain kernel privileges and run arbitrary code on the machine.
In a blog post this week, exploit developer Valentina Palmiotti describes the technical details behind CVE-2021-3490 and its exploitation on the Ubuntu interim (non-LTS) releases 20.10 (Groovy Gorilla) and 21.04 (Hirsute Hippo).
Palmiotti is a lead security researcher at Grapl, a company that offers a graph-based platform for incident detection and response.
Her analysis of the bug also covers the specifics of triggering the vulnerability to gain elevated privileges and to create a denial-of-service (DoS) condition on the target system by locking up all available kernel threads.
The researcher created proof-of-concept exploit code for CVE-2021-3490 and published it on GitHub. A video demonstrating the exploit is available below:
Earlier this year, Microsoft announced a new open-source project called ebpf-for-windows that lets developers use eBPF technology on top of Windows.
This is achieved by adding a compatibility layer for existing eBPF projects so they can run as submodules on Windows 10 and Windows Server.
Porting eBPF to Windows is still an early-stage project with a lot of development ahead. Palmiotti's research into CVE-2021-3490 was limited to the Linux implementation, and she told BleepingComputer that, because of this, her exploit would not work on Windows in its current form.
The PoC is designed for Groovy Gorilla kernels 5.8.0-25.26 through 5.8.0-52.58 and for Hirsute Hippo kernel 5.11.0-16.17. Patches have been released for both Ubuntu versions.
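The kernel ranges above are package versions, which makes a quick "am I in range?" check on a fleet error-prone. The following POSIX shell script is an added example, not code from the article or from Palmiotti's PoC: it classifies a `uname -r` string against the kernel ranges the article names, and separately reports whether unprivileged users are allowed to load eBPF programs at all (the `kernel.unprivileged_bpf_disabled` sysctl; the article does not discuss this setting, but it is the standard knob that decides whether an unprivileged local user can even reach the verifier). It assumes the usual Ubuntu convention that package version `5.8.0-52.58` boots as ABI `5.8.0-52-generic`, so only the ABI number is compared; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or the PoC). Classifies a kernel
# release string against the Ubuntu kernels the article says the PoC targets:
#   Groovy Gorilla: 5.8.0-25.26 .. 5.8.0-52.58   -> ABI 5.8.0-25 .. 5.8.0-52
#   Hirsute Hippo:  5.11.0-16.17                 -> ABI 5.11.0-16
# Assumption: `uname -r` reports the package ABI ("5.8.0-52-generic"), so the
# second dotted component of the package version is not needed.

# in_poc_range RELEASE -> exit 0 if RELEASE is inside the PoC's stated range
in_poc_range() {
    rel=$1
    base=${rel%%-*}          # "5.8.0"
    rest=${rel#*-}           # "52-generic" (equals $rel when there is no dash)
    abi=${rest%%-*}          # "52"
    # refuse anything that is not a plain ABI number, e.g. a dash-less release
    case "$abi" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case "$base" in
        5.8.0)  [ "$abi" -ge 25 ] && [ "$abi" -le 52 ] ;;
        5.11.0) [ "$abi" -eq 16 ] ;;
        *)      return 1 ;;
    esac
}

# unprivileged_bpf_enabled -> exit 0 when the kernel lets unprivileged users
# load eBPF programs (sysctl value 0). Any other value, or a missing file
# (non-Linux host), is reported as "not enabled".
unprivileged_bpf_enabled() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "0" ]
}

# check_host -> prints the classification for the kernel this script runs on
check_host() {
    rel=$(uname -r)
    if in_poc_range "$rel"; then
        echo "kernel $rel: inside the range the published PoC targets"
    else
        echo "kernel $rel: outside the range the published PoC targets"
    fi
    if unprivileged_bpf_enabled; then
        echo "unprivileged BPF is enabled: any local user can submit programs to the verifier"
    else
        echo "unprivileged BPF is disabled or the sysctl is absent"
    fi
}

check_host
```

Being outside the PoC's range only means the published exploit does not target that kernel; whether a host is actually patched is a question for the Ubuntu security notice and `dpkg -l 'linux-image-*'`, since the article does not give the fixed package versions. Disabling unprivileged BPF is a mitigation for unprivileged local users, not for processes that already hold CAP_SYS_ADMIN or CAP_BPF.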