A new Linux kernel vulnerability was announced very recently. It has been assigned CVE-2021-3347 and is (yet another) futex-related bug, this time in the priority-inheritance (PI) futex code.
The relevant aspect of this vulnerability is that it affects kernels from 2008 onwards, through version 5.10.11 inclusive. That is essentially everything running today, on every distribution, unless the fix has already been backported or live-patched. Exploit details and PoC code are not public yet, but that is no guarantee that they do not exist in the wild.
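A first triage step is to check whether a host's kernel release string falls inside the affected range. The script below is an added example, not code from the original post or from KernelCare. It takes the boundary (5.10.11, the last affected mainline release) from the post; everything else is an assumption stated in the comments. Two caveats matter: distro and stable kernels often carry the fix under an older version number, so a kernel flagged here still needs its vendor advisory checked, and live patching does not change `uname -r` at all, so on a live-patched host the version string says nothing about whether the fix is applied.

```shell
#!/bin/sh
# Added example (not from the original post or KernelCare): flag kernel release
# strings at or below 5.10.11, the last affected mainline release named in the post.
# Assumptions: distro kernels that backport the fix under an older number are still
# flagged (treat a hit as "check the vendor advisory", not "vulnerable"), and
# live-patched kernels keep their original `uname -r`, so this check says nothing
# about them.

# Print numeric component $2 (1=major, 2=minor, 3=patch) of release string $1.
# Distro suffixes ("-generic"), "+" and "rc" tails are dropped; missing parts are 0.
ver_part() {
    v=${1%%-*}                              # "5.4.91-generic" -> "5.4.91"
    maj=${v%%.*}; v=${v#"$maj"}; v=${v#.}
    min=${v%%.*}; v=${v#"$min"}; v=${v#.}
    pat=${v%%.*}
    case $2 in
        1) p=$maj ;;
        2) p=$min ;;
        *) p=$pat ;;
    esac
    p=${p%%[!0-9]*}                         # "16+" -> "16", "" stays ""
    printf '%s\n' "${p:-0}"
}

# Exit 0 when release $1 sorts strictly below release $2, numerically per component
# (so 5.9 < 5.10, which a plain string compare gets wrong).
kernel_version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(ver_part "$1" "$i"); y=$(ver_part "$2" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1                                # equal: not less than
}

# Last mainline release the post describes as affected.
LAST_AFFECTED="5.10.11"

# Exit 0 when release $1 is at or below LAST_AFFECTED and therefore needs review.
kernel_needs_review() {
    ! kernel_version_lt "$LAST_AFFECTED" "$1"
}

running=$(uname -r)
if kernel_needs_review "$running"; then
    echo "$running: at or below $LAST_AFFECTED, confirm CVE-2021-3347 status with your vendor or live-patch tooling"
else
    echo "$running: above $LAST_AFFECTED"
fi
```

On a live-patched host, consult the patching tool's own applied-patch report (on KernelCare, `kcarectl --patch-info`) rather than the version string, since the booted kernel keeps its original release number after the patch is loaded.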
/* "The futexes are also cursed."
 * "But they come in a choice of three flavours!"
 */
(from the futex.c comments)
Futex-related exploits are nothing new and have caused sysadmins grief for years. Futexes (fast userspace mutexes) were created so that uncontended locking could stay entirely in userspace, with the kernel involved only to put waiters to sleep and wake them on contention. That logic quickly gained complexity (priority inheritance, requeueing, robust lists), and many of its edge cases have turned out to be security issues.
A working exploit corrupts memory through a use-after-free, which in turn can lead to privilege escalation, information disclosure and the usual set of nasty events you do not want your servers subjected to. Adding insult to injury, it has been rated as low complexity to exploit, and it needs no network exposure: a local, unprivileged process that can issue futex system calls is enough, so any existing foothold on the machine (a compromised web application, a shell account, a container sharing the host kernel) is a path to root.
If you are running KernelCare, we have already started rolling out patches for Ubuntu Focal Fossa, Oracle EL 8 and Red Hat EL 8, so your systems should be receiving them soon. Other supported systems will follow shortly. We will also publish more detailed information about this vulnerability in an upcoming blog post, but given the wide range of affected distributions and the high potential for harm, we are providing this quick brief now to raise awareness of the risk, pending further details.