Linux Kernel Arbitrary Code Execution Vulnerability (CVE-2021-3490) Threat Alert

September 18, 2021 | Jie Ji

Overview

Recently, NSFOCUS CERT found that a security researcher published details and the PoC of an arbitrary code execution vulnerability (CVE-2021-3490) in eBPF and exploited this vulnerability to cause local privilege escalation on Ubuntu 20.10 and 21.04. This vulnerability exists because the eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds. This could cause out-of-bounds reads and writes in the Linux kernel, leading to arbitrary code execution. On May 11, the vendor released new versions to fix this vulnerability. Users of the vulnerable software are advised to take protective measures as soon as possible.

Extended Berkeley Packet Filter (eBPF) is a kernel technology (available since Linux 4.x) that allows programs to run inside the kernel without changing the kernel source code or loading additional modules. It is a lightweight sandboxed virtual machine inside the Linux kernel, in which programmers can run BPF bytecode that makes use of specific kernel resources.

Reference link: https://www.openwall.com/lists/oss-security/2021/05/11/11

Scope of Impact

Affected Versions

Linux kernel < 5.13-rc4

Check for the Vulnerabilities

Version Check

Users of Linux systems can run the following command to check the current kernel version and determine whether it falls within the affected range:

cat /proc/version
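As an added example that is not part of the NSFOCUS advisory, the POSIX shell script below reads the same release string that `cat /proc/version` shows and compares it with the first fixed upstream version, 5.13-rc4. It assumes upstream version numbering only; distribution kernels often backport fixes without changing the version, so an "older" result means the vendor's security notices must be checked, not that the host is confirmed exposed.

```shell
#!/bin/sh
# Added example, not part of the NSFOCUS advisory: compare the running
# kernel's release string with the first fixed upstream version (5.13-rc4).
# Assumes upstream numbering only. Distribution kernels often backport fixes
# without bumping the version, so "older" means "check vendor notices",
# not "confirmed vulnerable".

FIXED_VERSION="5.13-rc4"

# Map "MAJOR.MINOR[.PATCH][-rcN][suffix]" to one sortable integer.
# A final release gets rc=999 so that 5.13 sorts after 5.13-rc4.
version_key() {
    ver=$1
    rc=999
    case "$ver" in
        *-rc*) tail=${ver#*-rc}; rc=${tail%%[!0-9]*}; ver=${ver%%-rc*} ;;
    esac
    ver=${ver%%[!0-9.]*}          # drop distro suffixes such as "-16-generic"
    major=${ver%%.*}
    tail=${ver#*.}
    minor=0; patch=0
    if [ "$tail" != "$ver" ]; then
        minor=${tail%%.*}
        tail2=${tail#*.}
        if [ "$tail2" != "$tail" ]; then
            patch=${tail2%%.*}
        fi
    fi
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + rc ))
}

# Succeeds (exit 0) when the given release is older than FIXED_VERSION.
kernel_is_vulnerable() {
    [ "$(version_key "$1")" -lt "$(version_key "$FIXED_VERSION")" ]
}

# Same source as "cat /proc/version": the third word is the release string.
if [ -r /proc/version ]; then
    read -r _os _word running _rest < /proc/version
else
    running=$(uname -r)
fi

if kernel_is_vulnerable "$running"; then
    echo "kernel $running predates $FIXED_VERSION: verify vendor backports or update"
else
    echo "kernel $running is $FIXED_VERSION or newer"
fi
```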

Mitigation

Official Fix

Currently, the vendor has released new versions to fix this vulnerability. If you are affected by this vulnerability, please upgrade your installation as soon as possible by downloading new updates from https://www.kernel.org.

Method 1: Upgrade the Linux Kernel

https://github.com/torvalds/linux/releases

Method 2: Apply the Patches. Patches have been released in the Linux kernel source tree; affected users who cannot upgrade immediately are advised to apply them.

For details about this vulnerability, please see the BPF kernel tree.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.