Another vulnerability in the Linux Netfilter kernel subsystem

A vulnerability (CVE-2022-1972) has been identified in the Netfilter kernel subsystem, similar to the issue disclosed at the end of May. The new vulnerability likewise allows a local user to gain root privileges by manipulating nftables rules. Carrying out the attack requires access to nftables, which an unprivileged user can obtain by creating a separate namespace (a network namespace or a user namespace) with CLONE_NEWUSER, CLONE_NEWNS or CLONE_NEWNET (for example, if it is possible to run an isolated container).

The issue is caused by a bug in the code that handles sets whose fields span multiple ranges, and results in an out-of-bounds write when specially crafted set parameters are processed. The researchers prepared a working exploit that obtains root privileges on Ubuntu 21.10 with kernel 5.13.0-39-generic. The vulnerability has been present since kernel 5.6. The fix is available as a patch. To block exploitation on ordinary systems, make sure that unprivileged users cannot create namespaces ("sudo sysctl -w kernel.unprivileged_userns_clone=0"). Note that this is a mitigation, not a fix: it only removes the unprivileged path to nftables, and the kernel.unprivileged_userns_clone knob exists only on Debian/Ubuntu-patched kernels; on mainline kernels the equivalent is user.max_user_namespaces=0, which also disables user namespaces for root.
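The following script, an added example that is not part of the original article, checks whether the mitigation above is in effect. It reads both knobs from /proc/sys (the Debian/Ubuntu kernel.unprivileged_userns_clone and the mainline user.max_user_namespaces), decides whether an unprivileged user could still create a user namespace, and optionally probes the live kernel with util-linux `unshare -Ur`. The function names and the "allowed"/"blocked" wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): verify that unprivileged
# user-namespace creation, the precondition named for reaching nftables as a
# non-root user, is disabled on this host.
#
# Knobs that matter, depending on the distribution:
#   kernel.unprivileged_userns_clone  Debian/Ubuntu patch; 0 = disabled
#   user.max_user_namespaces          mainline; 0 = no user namespaces at all
# A knob that does not exist on this kernel is reported as "-".

# userns_allowed CLONE MAXNS
# Pure decision logic so it can be checked without touching the host:
# prints "blocked" if either knob shuts the door, otherwise "allowed".
userns_allowed() {
  clone="$1"
  maxns="$2"
  if [ "$clone" = "0" ]; then
    echo blocked
    return 0
  fi
  if [ "$maxns" = "0" ]; then
    echo blocked
    return 0
  fi
  echo allowed
}

# read_sysctl NAME -> value, or "-" if the knob is absent on this kernel.
# Reads /proc/sys directly so the check works without the sysctl binary.
read_sysctl() {
  f="/proc/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo "-"
  fi
}

# check_live_system -> prints the current knob values and the verdict.
check_live_system() {
  clone=$(read_sysctl kernel.unprivileged_userns_clone)
  maxns=$(read_sysctl user.max_user_namespaces)
  echo "kernel.unprivileged_userns_clone=$clone user.max_user_namespaces=$maxns"
  userns_allowed "$clone" "$maxns"
}

# probe_userns -> asks the kernel directly: try to create a user namespace and
# map the caller to root inside it (util-linux: unshare -U -r). Run this as an
# unprivileged user; "blocked" is the desired answer after the mitigation.
probe_userns() {
  if ! command -v unshare >/dev/null 2>&1; then
    echo "unshare not available, skipping live probe"
    return 0
  fi
  if unshare -Ur true 2>/dev/null; then
    echo allowed
  else
    echo blocked
  fi
}

check_live_system
probe_userns
```

`sysctl -w` changes the running kernel only; to keep the mitigation across reboots put `kernel.unprivileged_userns_clone = 0` (or, on mainline kernels, `user.max_user_namespaces = 0`) into a file under /etc/sysctl.d/. Be aware that the mainline knob also prevents root and container runtimes from using user namespaces, so check what on the host depends on them first.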

In addition, information has been published about three vulnerabilities in the kernel's NFC subsystem. An unprivileged user can trigger them to crash the kernel (more dangerous attack vectors have not yet been demonstrated):

  • CVE-2022-1734 - use-after-free in the nfcmrvl driver (drivers/nfc/nfcmrvl), which manifests itself when an NFC device is simulated from user space.
  • CVE-2022-1974 - use-after-free in the netlink handling for NFC devices (net/nfc/core.c), which occurs when a new device is registered. Like the previous vulnerability, it can be triggered by simulating an NFC device from user space.
  • CVE-2022-1975 - a bug in the NFC firmware download code that can be used to trigger a kernel panic.

Source: opennet.ru