In the code of the iSCSI subsystem from the Linux kernel vulnerability ( CVE-2021-27365 ) allowing an unprivileged local user to execute kernel-level code and get root privileges on the system. For testing a working prototype of the exploit is available . The vulnerability is fixed in updates for Linux kernel 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260 and 4.4.260. Kernel package updates are available in Debian , Ubuntu , SUSE / openSUSE , Arch Linux and Fedora . For RHEL fix for now not released .
The problem is caused by error in the iscsi_host_get_param () functions from the libiscsi module, contributed back in 2006 during the development of the iSCSI subsystem. Due to the lack of proper size checks, some iSCSI string attributes such as hostname or username may exceed the PAGE_SIZE value (4KB). The vulnerability could be exploited through the sending of Netlink messages by an unprivileged user setting the iSCSI attributes to values greater than PAGE_SIZE. When reading attribute data through sysfs or seqfs, code is called to pass the attributes to sprintf to be copied to a buffer whose size is PAGE_SIZE.