CVE-2021-26708: Linux kernel vulnerabilities enabled local privilege escalation alert

Recently, Alexander Popov, a Linux security developer from Positive Technologies, discovered and fixed five security vulnerabilities in the implementation of Linux kernel virtual sockets. Attackers can use this vulnerability (CVE-2021-26708) to obtain root permissions and launch Denial of Service (DoS) attacks on the server.

This vulnerability appeared when virtual socket multi-transmission support was added. This network transmission facilitates the communication between the virtual machine (VM) and its host. It is usually used by proxy and hypervisor services, which require a communication channel independent of the virtual machine’s network configuration. As a result, people who run virtual machines on the cloud are particularly vulnerable.

The core issue of the vulnerability is the competition between the kernel drivers CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS. In all major Linux distributions, these drivers are shipped as kernel modules. The reason for such a serious problem is that these vulnerable modules are automatically loaded whenever a normal user creates an AF_VSOCK socket. When the actual behavior of the system depends on the sequence or timing of uncontrollable events, there will be competition.

However, this vulnerability has been patched and merged into the main branch. Popular Linux distributions such as Red Hat Enterprise Linux (RHEL) 8, Debian, Ubuntu, and SUSE have also adopted the patch. The Common Vulnerability Scoring System (CVSS) v3 of the vulnerability has a basic score of 7.0, which is of high severity. Therefore, users are recommended to update the system as soon as possible.