SUSE Support

Security vulnerability: Linux kernel memory corruption vulnerabilities exploitable through the SLUBStick technique

This document (000021529) is provided subject to the disclaimer at the end of this document.

Environment

For a comprehensive list of affected products, please review the respective SUSE security announcements mentioned below.

Situation

Researchers from the Graz University of Technology have recently released a paper presenting how heap memory corruption vulnerabilities and memory allocation flaws in the Linux kernel, such as out-of-bounds writes, use-after-frees and double-frees, can be combined with a sophisticated multi-stage technique they developed to achieve arbitrary read and write capabilities on a vulnerable system. Threat actors can therefore use this technique to turn what would otherwise be limited read and write capabilities with small impact into attacks that can gravely compromise a system.

The SLUBStick technique achieves this by manipulating the Linux kernel's SLUB memory allocator in specific ways. This allows an attacker to perform reliable cross-cache attacks that deliver better results than other known techniques, which would usually only lead to system crashes rather than allow for code execution. The reliability improvement comes from the timing side-channel approach proposed by the researchers. A memory corruption vulnerability can then be transformed into a page table entry rewrite, which in turn allows an attacker to map any physical memory in the system into their address space, giving them the arbitrary read and write capabilities that can lead to other, more serious consequences.

To successfully exploit a vulnerability using the SLUBStick technique, an attacker needs local access to the target machine, as well as privileges that allow them to execute code on that machine. Finally, the Linux kernel on that machine must contain an unpatched, exploitable heap memory corruption vulnerability.

The researchers used nine existing CVEs to demonstrate the applicability of this technique to the Linux kernel, specifically to versions v5.19 and v6.2 (for reference: CVE-2023-21400, CVE-2023-3609, CVE-2022-32250, CVE-2022-29582, CVE-2022-27666, CVE-2022-2588, CVE-2022-0995, CVE-2021-4157, CVE-2021-3492).

Resolution

SUSE products (under both general and LTSS support) that could potentially be attacked through the SLUBStick technique have already been fixed for the related vulnerabilities and are therefore no longer at risk from the example cases presented in the research.
SUSE is also taking continuous action to fix memory corruption vulnerabilities affecting the Linux kernel as they are reported. In this way, SUSE products stay hardened and protected against any additional vulnerabilities that might be exploitable through the SLUBStick technique.
Keeping systems updated with the latest kernel patches should provide sufficient protection against this issue.
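
One way to check this on a host, as an added example (not SUSE tooling and not part of the original document): the script reports which of the nine demonstration CVEs listed above are referenced in the changelog of the kernel package that is actually booted, so an installed but not yet rebooted update is not counted. The function names, the `--running-kernel` switch and the `/boot/vmlinuz-<release>` path layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: match the advisory's nine demonstration CVEs against a
# kernel package changelog. Function names here are hypothetical.

# CVE identifiers copied from the advisory text.
SLUBSTICK_DEMO_CVES="CVE-2023-21400 CVE-2023-3609 CVE-2022-32250 \
CVE-2022-29582 CVE-2022-27666 CVE-2022-2588 CVE-2022-0995 \
CVE-2021-4157 CVE-2021-3492"

# Reads changelog text on stdin and prints one line per CVE:
# "<CVE> referenced" or "<CVE> not-referenced".
classify_cves() {
    changelog=$(cat)
    for cve in $SLUBSTICK_DEMO_CVES; do
        # -F: literal match; -w: whole word, so CVE-2022-2588 does not
        # match inside a longer identifier such as CVE-2022-25881.
        if printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            echo "$cve referenced"
        else
            echo "$cve not-referenced"
        fi
    done
}

# Prints the RPM package that owns the booted kernel image.
# Assumption: the image is installed as /boot/vmlinuz-<uname -r>.
running_kernel_pkg() {
    rpm -qf "/boot/vmlinuz-$(uname -r)"
}

# Only query the local system when asked to; without the switch the
# script just defines the functions above.
if [ "${1:-}" = "--running-kernel" ]; then
    pkg=$(running_kernel_pkg) || exit 1
    echo "Running kernel package: $pkg"
    rpm -q --changelog "$pkg" | classify_cves
fi
```

A "not-referenced" result is not proof of exposure: the kernel branch may never have contained the affected code, so confirm the status in the SUSE security announcement for that CVE.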

Status

Security Alert

Additional Information

SLUBStick is not a security vulnerability in itself; it is a technique that makes exploitation of other vulnerabilities easier. Hence, SLUBStick is not assigned a CVE number, and mitigation happens through fixing other vulnerabilities that could potentially be exploited by this technique.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021529
  • Creation Date: 14-Aug-2024
  • Modified Date: 15-Aug-2024
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
    • SUSE Manager Server
    • SUSE Linux Enterprise Micro
