CVE-2024-2313
Description
If kernel headers need to be extracted, bpftrace will attempt to load them from a temporary directory. An unprivileged attacker could use this to force bcc to load compromised linux headers. Linux distributions which provide kernel headers by default are not affected by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
bpftrace allowed an untrusted user to supply malicious kernel headers via a temporary directory, enabling potential code execution or system compromise.
Vulnerability
In bpftrace and bcc, when kernel headers need to be extracted, the tool attempts to load them from a temporary directory. Prior to commit 4be4b7191acb8218240e6b7178c30fa8c9b59998, bpftrace did not verify the ownership of the extracted kernel headers. An unprivileged attacker could create a malicious kernel headers file in the expected temporary path, leading bcc to load compromised headers. The issue affects bpftrace versions prior to the fix. Linux distributions that provide kernel headers by default are not affected by default. [1]
Exploitation
An attacker needs unprivileged access to the system where bpftrace is executed. The attacker must be able to write to the temporary directory used by bpftrace (typically /tmp/kheaders-*). When bpftrace runs and triggers kernel header extraction (e.g., when kernel headers are not already present), it will use the attacker-controlled headers instead of the genuine ones from /sys/kernel/kheaders.tar.xz. The attacker does not require elevated privileges, only the ability to create files or directories in the temporary path. [1]
Impact
By loading malicious kernel headers, the attacker can cause bpftrace to process arbitrary code or data during kernel header parsing. This can lead to arbitrary code execution in the context of the bpftrace process, information disclosure, or denial of service. The exact impact depends on the crafted headers but could allow the attacker to escalate privileges or compromise system integrity. [1]
Mitigation
The fix is available in commit 4be4b7191acb8218240e6b7178c30fa8c9b59998 of the bpftrace repository. It adds checks that verify the extracted kernel headers file is owned by root before using it. Users should update bpftrace to a version that includes this commit. Workarounds include ensuring the temporary directory is not writable by unprivileged users, or using distributions that provide kernel headers separately. There is no evidence of active exploitation or CISA KEV listing at this time. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
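The ownership check described under Mitigation can be written as follows. This is an added example, not bpftrace's own code: the helper name headers_dir_is_trusted, its trusted_uid parameter, and the extra rejection of symlinks and group/other-writable directories are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from bpftrace): returns true only if `path` is a
 * real directory, owned by `trusted_uid`, and not writable by group/other. */
bool headers_dir_is_trusted(const char *path, uid_t trusted_uid)
{
    struct stat st;

    /* lstat() inspects a symlink planted at the path instead of following it. */
    if (lstat(path, &st) != 0)
        return false;               /* missing or unreadable: do not use it */
    if (!S_ISDIR(st.st_mode))
        return false;               /* symlink, file, fifo, ...: reject */
    if (st.st_uid != trusted_uid)
        return false;               /* created by someone else: reject */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return false;               /* others could alter the contents */
    return true;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /tmp/kheaders-<release>\n", argv[0]);
        return 2;
    }
    /* uid 0 is root, the owner the fix described above requires. */
    if (!headers_dir_is_trusted(argv[1], 0)) {
        fprintf(stderr, "refusing %s: not a root-owned, private directory\n",
                argv[1]);
        return 1;
    }
    printf("%s passes the ownership check\n", argv[1]);
    return 0;
}
```

On a sticky-bit /tmp, a root-owned directory cannot be renamed or removed by other users, which is what makes a check on that path meaningful before the headers are used.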
Affected products
- bpftrace/bpftrace v5 Range: 0
Patches
No patches discovered yet.
References
- github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998 (mitre, patch)
- cve.mitre.org/cgi-bin/cvename.cgi (mitre, issue-tracking)