A new and highly-effective cross-cache attack named SLUBStick has emerged, targeting the Linux kernel with a remarkable 99% success rate in transforming a limited heap vulnerability into an arbitrary memory read-and-write capability. This allows attackers to elevate privileges or even escape containerized environments, posing significant risks to Linux systems.

It works by tricking the kernel into reusing memory in a specific way, giving attackers complete control over the system. Researchers have tested SLUBStick on multiple Linux versions and found it highly effective, even when the kernel has the latest security protections in place.

Discovery and Impact

The SLUBStick attack was discovered by a team of researchers from Graz University of Technology. They demonstrated the attack on Linux kernel versions 5.9 and 6.2, including the latest releases, showcasing its versatility across both 32-bit and 64-bit systems.

By leveraging nine existing Common Vulnerabilities and Exposures (CVES), the researchers were able to demonstrate that it works effectively even with modern kernel defenses such as Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KALSR) enabled.

The researchers also plan to present their findings in detail at the upcoming Usenix Security Symposium, where they will demonstrate privilege escalation and container space using the latest Linux kernels with all defenses active.

Technical Details of SLUBStick

The Linux kernel’s memory management systems involve allocating and deallocating memory chunks, known as “slabs,” for various data structures. While this process is designed to be secure, flaws can occur, leading to potential exploitation through cross-cache attacks. Traditionally, these attacks have been effective only around 40% of the time and often result in system crashes.

SLUBStick, however, capitalizes on a heap vulnerability — such as a double-free, use-after-free, or out-of-bounds write—to manipulate the memory allocation process. The attack employs a timing side channel to pinpoint the precise moment of memory chunk allocation and deallocation. This timing information allows the attacker to predict and control memory reuse, dramatically increasing the success rate of the cross-cache attack to 99%.

The process involves three key steps:

• Freeing specific memory chunks and waiting for the kernel to reuse them.
• Reallocating these chunks in a controlled manner, ensuring they are repurposed for critical data structures like page tables.
• Overwriting the page table entries, granting the attacker ability to read and write to any memory location.

Real-World Implications

Like most side-channel attacks, SLUBStick requires local access to the target machine with the ability to execute code. Additionally, the presence of a heap vulnerability in the Linux kernel is necessary for the attack to succeed.

Despite these requirements, it offers significant advantages to attackers who can gain code execution access:

• Achieve privilege escalation, potentially elevating their privileges to root and gaining unrestricted access to the system.
• Bypass kernel defenses that would typically prevent such exploitation.
• Perform container escapes, breaking out of sandboxed environments and accessing the host system.
• Maintain persistence by modifying kernel structures or hooks, making it harder for defenders to detect and remove malware.

For those interested in exploring this exploitation technique further, the researchers have made their work available on GitHub, providing a valuable resource for security professionals to understand and mitigate the new threat.

Conclusion

While SLUBStick requires local access and a specific heap vulnerability, its ability to bypass modern defenses and achieve high success rates makes it a critical issue for Linux administrators. As threats evolve, so must our defense strategies. Live patching has emerged as a game-changer tool in this ongoing battle, allowing administrators to apply critical security updates without service disruption.

TuxCare’s KernelCare Enterprise offers automated live patching across a wide range of Linux distributions, enabling the deployment of critical security updates to the kernel without requiring a reboot. This ensures that systems remain secure and operational with zero disruption.

Have questions about protecting your Linux systems with automated rebootless patching? Our Linux security experts will be happy to answer your questions.

The sources for this article include a story from BleepingComputer.

The post Critical SLUBStick Exploitation Technique Threatens Linux Security appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/critical-slubstick-exploitation-technique-threatens-linux-security/