Vulnerability in the netfilter subsystem that allows code execution at the Linux kernel level

A vulnerability (CVE-2022-25636) has been identified in Netfilter, the Linux kernel subsystem used to filter and modify network packets, that could allow code execution at the kernel level. A working exploit has been announced that lets a local user elevate their privileges on Ubuntu 21.10 with the KASLR security mechanism disabled. The problem is present from kernel 5.4 onward. The fix is currently only available as a patch (no corrective kernel releases have been issued yet). Package updates in distributions can be tracked on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

The vulnerability is caused by an error in calculating the size of the flow->rule->action.entries array in the nft_fwd_dup_netdev_offload function (defined in net/netfilter/nf_dup_netdev.c), which can result in attacker-controlled data being written outside the bounds of the allocated buffer. The error is triggered when the "dup" and "fwd" rules are set in chains that use hardware acceleration of packet processing (offload). Because the overflow occurs before the packet filter rule is created and before offload support is checked, the vulnerability also applies to network devices that do not support hardware acceleration, such as the loopback interface.

It is noted that the problem is fairly easy to exploit: the values that overrun the buffer can overwrite a pointer to a net_device structure, and information about the overwritten value is returned to user space, which makes it possible to learn the memory addresses needed to carry out the attack. Exploiting the vulnerability requires creating specific nftables rules, which is only possible with the CAP_NET_ADMIN capability; an unprivileged user can, however, obtain that capability inside a separate network namespace. The vulnerability could also be used to attack container isolation systems.
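The two preconditions above (an affected kernel version and the ability of an unprivileged user to reach CAP_NET_ADMIN through a user/network namespace) are what an administrator needs to triage exposure. The following POSIX shell helper is an added example, not code from the article or from the kernel or nftables projects. It encodes only what the article states (vulnerable code from kernel 5.4 onward; CAP_NET_ADMIN required; obtainable by unprivileged users via namespaces) and assumes the two standard sysctls that gate unprivileged user-namespace creation: kernel.unprivileged_userns_clone (the Debian/Ubuntu knob) and user.max_user_namespaces (mainline). The sample version strings and sysctl values in the block are constructed inputs, not measurements from a real host.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-25636 (not from the article, the kernel, or nftables).
# Facts used, all from the article: vulnerable code present from kernel 5.4 onward;
# exploitation needs CAP_NET_ADMIN, which an unprivileged user can obtain in a
# separate network namespace (via a user namespace).
# Assumed sysctl names: kernel.unprivileged_userns_clone (Debian/Ubuntu patch)
# and user.max_user_namespaces (mainline).

# kernel_at_least MAJOR MINOR VERSION -> true when VERSION >= MAJOR.MINOR
# Accepts uname -r style strings such as "5.13.0-30-generic" or "5.4".
kernel_at_least() {
    want_major=$1
    want_minor=$2
    ver=$3
    major=${ver%%[!0-9]*}            # leading digits only
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%[!0-9]*} ;;
        *)   minor=0 ;;
    esac
    [ -z "$major" ] && return 1      # unparsable version string
    [ -z "$minor" ] && minor=0
    if [ "$major" -gt "$want_major" ]; then
        return 0
    elif [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# unprivileged_userns_allowed CLONE_SYSCTL MAX_USERNS -> true when an unprivileged
# user can create user namespaces (and thus gain CAP_NET_ADMIN in a fresh netns).
# Pass "" for a sysctl that does not exist on the host.
unprivileged_userns_allowed() {
    clone=$1
    maxns=$2
    [ "$clone" = "0" ] && return 1   # Debian/Ubuntu: explicitly disabled
    [ "$maxns" = "0" ] && return 1   # mainline: no user namespaces at all
    return 0
}

# exposure VERSION CLONE_SYSCTL MAX_USERNS -> prints one word:
#   not-affected    kernel predates 5.4
#   local-unpriv    affected kernel and any local user can reach the bug
#   net-admin-only  affected kernel, but CAP_NET_ADMIN is needed to reach it
exposure() {
    if ! kernel_at_least 5 4 "$1"; then
        echo not-affected
    elif unprivileged_userns_allowed "$2" "$3"; then
        echo local-unpriv
    else
        echo net-admin-only
    fi
}

# live_check: read the real values from the running host (needs /proc).
live_check() {
    ver=$(uname -r 2>/dev/null)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)
    printf 'kernel=%s unprivileged_userns_clone=%s max_user_namespaces=%s\n' \
        "${ver:-?}" "${clone:-absent}" "${maxns:-absent}"
    printf 'CVE-2022-25636 exposure: %s\n' "$(exposure "$ver" "$clone" "$maxns")"
}

# Query the live host only when asked; otherwise run constructed samples.
if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Constructed sample inputs, not measurements from any real host.
    exposure "5.13.0-30-generic" "1" "28633"   # userns allowed      -> local-unpriv
    exposure "5.13.0-30-generic" "0" "28633"   # userns clone off    -> net-admin-only
    exposure "4.19.0-18-amd64"   "1" "28633"   # predates 5.4        -> not-affected
fi
```

Run it with `--live` to evaluate the current host. A "not-affected" verdict is based solely on the version being older than 5.4; a "local-unpriv" verdict cannot tell whether a distribution has backported the patch without changing the version string, so the distribution advisory pages listed above remain the authority for whether an update is installed.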

Source: opennet.ru
