The first batch of live patches for Rocky Linux are being delivered

As you may have seen, TuxCare’s Live Patching service, KernelCare Enterprise, now supports Rocky Linux. The first 5 CVEs fixed are already being delivered through the service. So let’s take a deeper look at these in this article.

The Kernel shipping with Rocky Linux, like others, was found to be vulnerable to CVE-2020-26541, CVE-2021-22555, CVE-2021-32399, CVE-2021-33034, and CVE-2021-33909.

Starting with CVE-2020-26541, this is a flaw in how the Secure Boot Forbidden Signature Database (dbx) is enforced. This list of signatures should not be accepted as valid when added to the Secure Boot store, and the code that checks the list ignores signatures with a specific EFI_CERT_X509_GUID attribute. According to Redhat’s analysis of the issue, it can lead to a breach in system integrity, confidentiality, and potentially a denial of service. For those interested in checking, the affected code lies in certs/blacklist.c and certs/system_keyring.c.

CVE-2021-22555 refers to an out-of-bounds heap write that happens in a code path in net/netfilter/x_tables.c, which, in specific system configurations, can lead to privilege elevation or memory corruption. The system has to have specific options included in the kernel (CONFIG_USER_NS and CONFIG_NET_NS) to be exploitable.

For systems where Bluetooth is used, CVE-2021-32399 identifies a race condition during Host Controller Interface (HCI) removal that can corrupt memory and, for a properly motivated attacker, result in privilege escalation. Servers will usually have Bluetooth modules blacklisted, but if they don’t, then these can be affected by this issue.

Also, in the Bluetooth subsystem, a use-after-free flaw was found in hci_send_acl that could be exploited to result in a denial of service of the affected system. This issue was assigned CVE-2021-33034.

CVE-2021-33909, otherwise known under the more flamboyant name “Sequoia”, is a vulnerability that affects all Linux distributions, including Rocky Linux. It has already been covered by us before. It is basically a flaw in the way a conversion is made on the file path length of a specially crafted, very deep, directory path. When such a path (whose total length must exceed 1GB – note that it is not the directory used storage space, it’s the actual name of the directories) is then operated upon with specific commands, it is possible to corrupt memory space in a predictable location. This potentially changes memory in such a way as to create an escalation of privilege situation. While it requires a complex set of operations to perform,  exploit code has been found available online.

The TuxCare’s KernelCare Enterprise Team will continue to deliver thoroughly tested patches in a timely manner for all supported distributions, including the newly added Rocky Linux.