An issue has been discovered in the BPF JIT compiler in the Linux kernel that can be abused by privileged local users (root or CAP_SYS_ADMIN) to escalate privileges. Exploitation depends on having permission to execute the eBPF system call.
Statement: This flaw is rated as having Moderate impact because, on Red Hat Enterprise Linux, eBPF requires a privileged user to load the eBPF instructions that could be exploited.
Mitigation: To exploit this flaw, an attacker would need to be a privileged user. The eBPF JIT cannot be disabled in the versions of the kernel that ship with RHEL9. Preventing unprivileged users from becoming root or gaining CAP_SYS_ADMIN would be enough to prevent an attacker from successfully exploiting this flaw.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1947631]
The following options do not work in Fedora 33:

[root@test ~]# sysctl net.core.bpf_jit_enable=0
sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
[root@test ~]# echo 0 > /proc/sys/net/core/bpf_jit_enable
-bash: echo: write error: Invalid argument

I think it has something to do with the kernel build option CONFIG_BPF_JIT_ALWAYS_ON=y
Upstream fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=e4d4d456436bfb2fe412ee2cd489f7658449b098
Yeah, it looks like CONFIG_BPF_JIT_ALWAYS_ON=y is the default for el7 and el8. This mitigation isn't going to work. Fortunately, it's still behind a privileged user requirement to execute eBPF.
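The two comments above establish why the sysctl mitigation fails (CONFIG_BPF_JIT_ALWAYS_ON=y makes a write of 0 to net.core.bpf_jit_enable return EINVAL) and why the flaw is still gated on a privileged user. The script below is an added example, not code from this bug report or from Red Hat; it lets an administrator answer both questions on a host without actually toggling the JIT. It reads the running kernel's .config from the standard /boot/config-$(uname -r) or /proc/config.gz locations and the kernel.unprivileged_bpf_disabled and net.core.bpf_jit_enable sysctls; where those files are absent (for example inside a container) it reports "unknown" rather than guessing. The sample config lines at the bottom are constructed for a self-check and are not copied from any RHEL or Fedora kernel.

```shell
#!/bin/sh
# Added example (not from the bug report): can the net.core.bpf_jit_enable=0
# mitigation work on this host, and does the "privileged user" precondition hold?
# Read-only by design: it never writes 0 to bpf_jit_enable, which on an ALWAYS_ON
# kernel only fails with EINVAL and on a toggleable kernel would really disable the JIT.

# classify_jit_config CONFIG_TEXT
# Prints: always-on  (CONFIG_BPF_JIT_ALWAYS_ON=y: a sysctl write of 0 is rejected)
#         toggleable (CONFIG_BPF_JIT=y without ALWAYS_ON: sysctl 0 is accepted)
#         no-jit     (JIT compiled out, so a JIT flaw is unreachable)
#         unknown    (none of the options appear in the text)
classify_jit_config() {
    if printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_JIT_ALWAYS_ON=y'; then
        echo always-on
    elif printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_JIT=y'; then
        echo toggleable
    elif printf '%s\n' "$1" | grep -qx '# CONFIG_BPF_JIT is not set'; then
        echo no-jit
    else
        echo unknown
    fi
}

# classify_unprivileged_bpf VALUE
# Interprets kernel.unprivileged_bpf_disabled:
#   0 -> unprivileged processes may call bpf(): the privileged-user precondition
#        in the statement above does NOT hold on this host
#   1 -> disabled and cannot be re-enabled without a reboot
#   2 -> disabled, but root may set it back to 0 (newer kernels)
classify_unprivileged_bpf() {
    case "$1" in
        0) echo allowed ;;
        1) echo disabled-locked ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# kernel_config_text: print the running kernel's .config, or nothing if unavailable.
kernel_config_text() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        cat "$f"
    elif [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        zcat /proc/config.gz
    fi
}

# live_check: apply both classifiers to this host and say whether the sysctl
# mitigation is even possible here.
live_check() {
    jit=$(classify_jit_config "$(kernel_config_text)")
    unpriv=unknown
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        unpriv=$(classify_unprivileged_bpf "$(cat /proc/sys/kernel/unprivileged_bpf_disabled)")
    fi
    cur=unknown
    if [ -r /proc/sys/net/core/bpf_jit_enable ]; then
        cur=$(cat /proc/sys/net/core/bpf_jit_enable)
    fi
    echo "bpf_jit_enable=$cur jit_build=$jit unprivileged_bpf=$unpriv"
    case "$jit" in
        always-on)  echo "sysctl net.core.bpf_jit_enable=0 will return EINVAL here; rely on the kernel update" ;;
        toggleable) echo "sysctl net.core.bpf_jit_enable=0 is accepted on this kernel" ;;
    esac
    [ "$unpriv" = allowed ] && echo "WARNING: unprivileged bpf() is allowed; the privileged-user gate does not apply"
    return 0
}

# Constructed sample config fragments (not from a real RHEL/Fedora kernel) for a self-check.
SAMPLE_ALWAYS_ON='CONFIG_BPF=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y'
SAMPLE_TOGGLEABLE='CONFIG_BPF=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set'

[ "$(classify_jit_config "$SAMPLE_ALWAYS_ON")" = always-on ] || echo "self-check failed"
live_check
```

Run it as any user; it only reads /boot and /proc. On an el7/el8 host the expected outcome is jit_build=always-on, which is exactly the "Invalid argument" seen in the Fedora 33 comment, and the only remaining control is the kernel update listed in the errata below.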
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3327 https://access.redhat.com/errata/RHSA-2021:3327
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3328 https://access.redhat.com/errata/RHSA-2021:3328
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29154
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988