Linux eBPF bug gets root privileges on Ubuntu – Exploit released

A security researcher released exploit code for a high-severity vulnerability in Linux kernel eBPF (Extended Berkeley Packet Filter) that can give an attacker increased privileges on Ubuntu machines.

The bug is tracked as CVE-2021-3490. It was disclosed in May and is a privilege escalation, so leveraging it requires local access on the target machine.

eBPF is a technology that enables user-supplied programs to run sandboxed inside the operating system’s kernel, triggered by a specific event or function (e.g. system call, network events).

Denial-of-service also possible

Manfred Paul of the RedRocket CTF team working with Trend Micro’s Zero Day Initiative reported the bug. They found that CVE-2021-3490 could be turned into out-of-bounds reads and writes in the kernel.

The issue consists of the fact that user-supplied programs do not go through a proper validation process before they’re executed. If properly exploited, a local attacker could get kernel privileges to run arbitrary code on the machine.

In a blog post this week, exploit developer Valentina Palmiotti, describes the technical details behind CVE-2021-3490 and its exploitation on Ubuntu short-term releases 20.10 (Groovy Gorilla) and 21.04 (Hirsute Hippo).

Palmiotti is a lead security researcher at Grapl, a company that offers a graphical-based platform for incident detection and response.

Her research into this bug also covers the specifics for triggering the vulnerability to leverage it for elevated privileges and to create a denial-of-service (DoS) condition on the target system by locking up all available kernel threads.

The researcher created proof-of-concept exploit code for CVE-2021-3490 and published it on GitHub. A video demonstrating the validity of the exploit is available below:

Earlier this year, Microsoft announced a new open-source project called ebpf-for-windows that allows developers to use the eBPF technology on top of Windows.

This would be achieved by adding a compatibility layer for existing eBPF projects so they can function as submodules in Windows 10 and Windows Server.

Porting eBPF to Windows is still an early project that has a lot of development ahead. Palmiotti’s research into CVE-2021-3490 was limited to the Linux implementation. The researcher told BleepingComputer that because of this, her exploit would not work on Windows in the current form.

The PoC is designed for Groovy Gorilla kernels 5.8.0-25.26 through 5.8.0-52.58, and Hirsute Hippo kernel version 5.11.0-16.17. Patches were released for both Ubuntu versions.