Fedora Account System
Red Hat Associate
Red Hat Customer
An issue has been discovered in the BPF JIT compiler in the Linux kernel that can be abused by priviledged local users (root or CAP_SYS_ADMIN) to escalate privileges. This depends on permission to execute eBPF system call.
Statement: This flaw is rated as having Moderate impact as eBPF requires a privileged user on Red Hat Enterprise Linux to correctly load eBPF instructions that can be exploited.
Mitigation: To exploit this flaw, an attacker would need to be a privileged user. The eBPF JIT can not be disabled in the versions of the kernel that ship with RHEL9. Preventing unprivileged users from becoming root or CAP_SYS_ADMIN , would be enough to prevent an attacker from successfully exploiting this flaw.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1947631]
The following options does not work in Fedora 33: [root@test ~]# sysctl net.core.bpf_jit_enable=0 sysctl: setting key "net.core.bpf_jit_enable": Invalid argument [root@test ~]# echo 0 > /proc/sys/net/core/bpf_jit_enable -bash: echo: write error: Invalid argument I think it has something to do with the kernel build option CONFIG_BPF_JIT_ALWAYS_ON=y
Upstream fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
Yeah, it looks like CONFIG_BPF_JIT_ALWAYS_ON=y is the default for el7 and el8. This mitigation isn't going to work. Fortunately, it's still behind a privileged user requirement to execute eBPF.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3327 https://access.redhat.com/errata/RHSA-2021:3327
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3328 https://access.redhat.com/errata/RHSA-2021:3328
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29154
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988