New Linux kernel attack slips past modern defenses — SLUBStick boasts a 99% success rate
Attack vector boasts 99% success rate under many conditions
Researchers at the Graz University of Technology in Austria have found a new cross-cache attack (PDF) that can bypass modern kernel defenses and provide arbitrary read and write access. The exploits involved affect Linux kernel versions 5.19 and 6.2.
The team has dubbed the attack technique SLUBStick. This attack vector takes advantage of memory reuse of the kernel allocator in a novel way, making it more reliable than most other cross-cache attacks. Whereas most cross-cache attacks have a success rate of just 40%, the researchers pushed SLUBStick to a 99% success rate for frequently used generic caches.
This success rate comes despite the modern security protections available for the Linux kernel. Recognizing the susceptibility of the Linux kernel to memory safety vulnerabilities, researchers and kernel developers have included defenses to inhibit the success of cross-cache attacks.
SLUBStick, however, is capable of bypassing Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR). The researchers note that existing kernel defenses promise to reduce SLUBStick's threat, but none currently provide comprehensive protection. The danger of exploitation via SLUBStick therefore remains real, even with kernel defenses in use.
| CVE | Capability | Cache |
|---|---|---|
| CVE-2023-21400 | Double Free | kmalloc-32 |
| CVE-2023-3609 | Use After Free | kmalloc-96 |
| CVE-2022-32250 | Use After Free | kmalloc-64 |
| CVE-2022-29582 | Use After Free | files_cachep |
| CVE-2022-27666 | Out Of Bounds | kmalloc-4096 |
| CVE-2022-2588 | Double Free | kmalloc-192 |
| CVE-2022-0995 | Out Of Bounds | kmalloc-96 |
| CVE-2021-4157 | Out Of Bounds | kmalloc-64 |
| CVE-2021-3492 | Double Free | kmalloc-4096 |
SLUBStick takes advantage of a heap vulnerability in Linux's memory management to gain elevated privileges, break out of sandbox environments in virtual machines, and gain root access to the host system. Even worse, the technique uses a side channel to observe memory usage and determine the exact moment at which the allocator will reuse a memory chunk. This means that SLUBStick can predict and control memory reuse to increase its success rate.
For SLUBStick to work, attackers need local access to the attacked Linux system. The attack also requires the presence of a heap vulnerability in the Linux kernel, which has been found in both the 5.19 Linux kernel and the 6.2 kernel.
The researchers systematically analyzed the attack on the two Linux kernel versions, finding that SLUBStick was effective on the generic caches from kmalloc-8 through kmalloc-4096. Using a synthetic vulnerability and nine real-world CVEs, they tested the attack method to escalate privileges and gain root access.
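The "generic caches" referred to here are the kmalloc-<size> slab caches that the SLUB allocator exposes in /proc/slabinfo; every kmalloc() request is rounded up to the smallest generic cache that fits, which is why each CVE in the table above maps to one specific cache. The following parser is an added example written for this page, not code from the paper or from Tom's Hardware. It assumes the documented "version 2.1" layout of /proc/slabinfo, and the slabinfo text it reads is constructed sample data with invented counts, not a capture from a real machine. It reports occupancy per generic cache, cross-references the CVE table from this article, and shows which cache serves a given allocation size.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of /proc/slabinfo in the "version 2.1" layout.
# Counts are invented for illustration; on a real system the file is
# usually readable only by root because it exposes allocator state.
SAMPLE_SLABINFO = """\
slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
files_cache          704    736    704   23    4 : tunables    0    0    0 : slabdata     32     32      0
kmalloc-4096         352    360   4096    8    8 : tunables    0    0    0 : slabdata     45     45      0
kmalloc-192         3150   3276    192   21    1 : tunables    0    0    0 : slabdata    156    156      0
kmalloc-96          4200   4452     96   42    1 : tunables    0    0    0 : slabdata    106    106      0
kmalloc-64         12800  13056     64   64    1 : tunables    0    0    0 : slabdata    204    204      0
kmalloc-32          9216   9216     32  128    1 : tunables    0    0    0 : slabdata     72     72      0
kmalloc-8           1536   2048      8  512    1 : tunables    0    0    0 : slabdata      4      4      0
"""

# Caches named in the article's CVE table. The table lists "files_cachep",
# which is the kernel's kmem_cache pointer variable for the cache that
# /proc/slabinfo reports as "files_cache".
CVE_CACHES: Dict[str, List[str]] = {
    "kmalloc-32": ["CVE-2023-21400"],
    "kmalloc-96": ["CVE-2023-3609", "CVE-2022-0995"],
    "kmalloc-64": ["CVE-2022-32250", "CVE-2021-4157"],
    "files_cache": ["CVE-2022-29582"],
    "kmalloc-4096": ["CVE-2022-27666", "CVE-2021-3492"],
    "kmalloc-192": ["CVE-2022-2588"],
}


@dataclass
class SlabCache:
    name: str
    active_objs: int
    num_objs: int
    objsize: int
    objperslab: int
    pagesperslab: int

    @property
    def is_generic(self) -> bool:
        # Generic caches are the kmalloc-<size> family; dedicated caches
        # such as files_cache carry their own names.
        return re.fullmatch(r"kmalloc-\d+", self.name) is not None

    @property
    def free_objs(self) -> int:
        # Free slots are exactly what a reuse-based attack needs to predict;
        # a defender can watch them to see how "hot" a cache is.
        return self.num_objs - self.active_objs

    @property
    def occupancy(self) -> float:
        return self.active_objs / self.num_objs if self.num_objs else 0.0


# Only the leading statistics columns are needed; tunables/slabdata are ignored.
SLAB_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<active>\d+)\s+(?P<num>\d+)\s+(?P<size>\d+)"
    r"\s+(?P<perslab>\d+)\s+(?P<pages>\d+)\s+:"
)


def parse_slabinfo(text: str) -> List[SlabCache]:
    """Parse slabinfo text into SlabCache records, skipping version/header lines."""
    caches: List[SlabCache] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("slabinfo") or line.startswith("#"):
            continue
        m = SLAB_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised slabinfo line: {line!r}")
        caches.append(SlabCache(m["name"], int(m["active"]), int(m["num"]),
                                int(m["size"]), int(m["perslab"]), int(m["pages"])))
    return caches


def cache_for_size(size: int, caches: List[SlabCache]) -> Optional[SlabCache]:
    """Return the smallest generic cache whose object size fits `size`, as kmalloc() would."""
    fits = [c for c in caches if c.is_generic and c.objsize >= size]
    return min(fits, key=lambda c: c.objsize) if fits else None


def generic_cache_report(caches: List[SlabCache]) -> Dict[str, dict]:
    """Occupancy of every generic cache, ordered by object size, with the article's CVEs attached."""
    report: Dict[str, dict] = {}
    for c in sorted((c for c in caches if c.is_generic), key=lambda c: c.objsize):
        report[c.name] = {
            "objsize": c.objsize,
            "free_objs": c.free_objs,
            "occupancy": round(c.occupancy, 3),
            "cves_in_article": CVE_CACHES.get(c.name, []),
        }
    return report


if __name__ == "__main__":
    # Replace SAMPLE_SLABINFO with open("/proc/slabinfo").read() on a real host (needs root).
    parsed = parse_slabinfo(SAMPLE_SLABINFO)
    for name, row in generic_cache_report(parsed).items():
        print(f"{name:<13} objsize={row['objsize']:<5} free={row['free_objs']:<6} "
              f"occupancy={row['occupancy']:<6} cves={row['cves_in_article']}")
    target = cache_for_size(70, parsed)
    print("kmalloc(70) would be served from", target.name if target else "a large-object path")
```

Requests larger than the biggest generic cache (4096 bytes here) fall outside the kmalloc caches altogether, so cache_for_size() returns None for them rather than guessing.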
SLUBStick was tested on both x86 and aarch64 virtual machines, and it is equally effective on Intel- and AMD-based processors and on Arm CPUs. The team notes that the attack technique afforded by SLUBStick "greatly enhances the reliability of cross-cache attacks from generic caches and makes them practical for exploitation." In other words, SLUBStick can make other attacks more successful and effective.
Jeff Butts has been covering tech news for more than a decade, and his IT experience predates the internet. Yes, he remembers when 9600 baud was “fast.” He especially enjoys covering DIY and Maker topics, along with anything on the bleeding edge of technology.
bit_user

> The article said:
> The attack also requires the presence of a heap vulnerability in the Linux kernel, which has been found in both the 5.19 Linux kernel and the 6.2 kernel.

This makes it sound like the attack relies on the presence of a bug in those two kernel versions. If it were a design flaw, then it should affect a broader range of revisions.

FWIW, 6.11 is the current kernel version nearing release. 6.6 is the latest LTS (Long-Term Support) kernel, I think. 6.1 is the latest SLTS (Super Long-Term Support) kernel. Good thing neither of those seems to be affected.
RichardtST

At this point in time with all the automated testing, and with all the memory management tools available, any memory mismanagement issues are almost invariably intentional back doors. And why bother with the kernel anyway when any shell with an input prompt will get you root? Computer security is more like the front door on your house. It's only there to stop the good guys.
Kilzzz

> "For SLUBStick to work, attackers need local access to the attacked Linux system."

Once someone has local access, you have lost regardless of this bug. At least it's not a remote access problem, and will likely be patched soon.
bit_user

> Kilzzz said:
> "For SLUBStick to work, attackers need local access to the attacked Linux system."
> Once someone has local access, you have lost regardless of this bug. At least it's not a remote access problem, and will likely be patched soon.

First, if they're saying physical access, that's wrong. The vulnerability sounds like all it requires is the ability to get some code executed on the victim machine. Probably native code, at that - I doubt JavaScript or WebAssembly would be adequate.

Second, I don't know if that changes your statement, but privilege-escalation vulnerabilities are serious and taken seriously. It's not considered a foregone conclusion that unprivileged users or services can gain root on a machine.
salgado18

> bit_user said:
> This makes it sound like the attack relies on the presence of a bug in those two kernel versions. If it were a design flaw, then it should affect a broader range of revisions.
> FWIW, 6.11 is the current kernel version nearing release. 6.6 is the latest LTS (Long-Term Support) kernel, I think. 6.1 is the latest SLTS (Super Long-Term Support) kernel. Good thing neither of those seems to be affected.

Maybe the article is not clear enough, but I understood that the researchers tested these two kernel versions, instead of stating that only these two are affected.
bit_user

> salgado18 said:
> Maybe the article is not clear enough, but I understood that the researchers tested these two kernel versions, instead of stating that only these two are affected.

You might be right. The article is pretty clear about indicating two affected kernel versions, but the original paper and other reporting I can find on it sounds a little more consistent with your interpretation.

Upon a closer read of the paper, it's not a new vulnerability, but rather a way to exploit allocator-based vulnerabilities to greater effect. From the abstract:

"In this paper, we present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive."

I find it kinda funny that the paper talks about porting known vulnerabilities to the two kernels they used for testing. This underscores the fact that it's not a new vulnerability, but rather a technique for more effectively exploiting that class of vulnerabilities (including those we don't yet know about).