SELinux Limits Kernel Module Loading

A new vulnerability has been identified in Selinux that allows for the bypassing of its protection system. The vulnerability lies in the restriction of the FINIT_MODULE system call, which blocks the loading of nucleus modules sold through Selinux using utilities such as Insmod. However, Selinux’s rules do not account for the system call init_module, which allows for the loading of kernel models directly from the buffer in memory.

To demonstrate the vulnerability, a prototype exploit has been prepared and made available on GitHub. The exploit enables code execution at the nucleus level through the loading of its module and can completely disconnect Selinux protection if there is a limited one using Selinux ROOT access to the system.

This vulnerability presents a significant threat, as it allows attackers to bypass Selinux and potentially access protected systems. We urge system administrators to patch their systems promptly to reduce the risk of attack.

/Reports, release notes, official announcements.