
Linux kernel exploitation technique SLUBStick can read and write memory arbitrarily


A novel Linux kernel exploitation technique called SLUBStick elevates a limited heap vulnerability to an arbitrary memory read-and-write primitive and pushes the success rate of cross-cache attacks to above 99%.

A paper published by researchers at Graz University of Technology in Austria explained how SLUBStick operates in multiple stages.

First, it exploits a timing side channel of the kernel allocator to perform a cross-cache attack reliably. It then exploits code patterns prevalent in the Linux kernel to convert a limited heap bug into a page table manipulation, thereby granting the ability to read and write memory arbitrarily.

The researchers said they demonstrated privilege escalation in the Linux kernel using a synthetic vulnerability and nine real-world CVEs, showcasing SLUBStick as a serious threat.

In the past, cross-cache attacks were considered unreliable, with around a 40% success rate and a high chance of crashing the system, explained Adam Neel, senior threat detection engineer at Critical Start. Neel said it’s worth noting that the 99% success rate achieved in the research includes the use of a side-channel attack, which requires local access to the target device, as well as code execution capabilities.

“Requiring local access limits the impact of this, but it is still significant since the vulnerability enables the attacker to break out of sandbox environments and potentially gain root access to the device,” said Neel.

Neel added that the researchers successfully exploited this vulnerability in Linux kernel versions 5.19 and 6.2. Notably, these versions have reached their end-of-life, with 5.19's support ending in October 2022 and 6.2's in May 2023. Neel said no further bug fixes will be issued for these kernels, leaving systems running these versions particularly vulnerable. If possible, Neel said, security teams should consider patching systems running these vulnerable kernels and stay aware of any heap vulnerabilities that allow this type of attack.

John Bambenek, president at Bambenek Consulting, pointed out that any Linux system running a more recent OS version should be fine. Bambenek said this exploit technique allows malicious code to escape the container and access memory arbitrarily instead of being constrained to the permissions of the process. Most heap vulnerabilities tend not to advance beyond denial-of-service (DoS); this technique allows the possibility of privilege escalation.

“Irrespective of this particular technique, organizations should make sure they have their operating systems updated so underlying security protections are in place,” said Bambenek.

Howard Goodman, technical director at Skybox Security, said that to address the risks posed by sophisticated attacks such as SLUBStick, organizations must prioritize robust vulnerability management and advanced detection techniques. Implementing continuous threat exposure management allows for real-time assessment and prioritization of vulnerabilities based on their potential impact and exploitability. Using the latest threat intelligence is also crucial to staying ahead of emerging threats.

"Immediate upgrades to patched versions of the Linux kernel are essential to mitigate this vulnerability," said Goodman. "For organizations unable to perform immediate upgrades, the principle of least privilege and enhancing isolation mechanisms can offer additional layers of defense. Furthermore, comprehensive security policy management ensures that security protocols are consistently applied and enforced across the organization."
