Exploitable vulnerabilities in nf_tables, watch_queue and IPsec identified in Linux kernel

Several dangerous vulnerabilities have been identified in the Linux kernel that allow a local user to elevate their privileges on the system. Working exploit prototypes exist for every problem discussed here.

  • Vulnerability (CVE-2022-0995) in the watch_queue event notification subsystem that causes data to be written to kernel memory outside the allocated buffer. The attack can be carried out by any unprivileged user and leads to code execution with kernel privileges. The flaw is in watch_queue_set_filter(): the two passes over the user-supplied filter list bound the filter type against different limits (one against the type_filter bitmap size in bits, the other against sizeof() multiplied by BITS_PER_LONG, eight times larger, and neither against WATCH_TYPE__NR), so an entry the counting pass skipped is accepted by the filling pass, which then sets a bit past the end of the type_filter bitmap and writes more entries into filters[] than were allocated for it. The problem manifests itself when the kernel is built with the "CONFIG_WATCH_QUEUE=y" option, which most Linux distributions use.

    The fix was merged into the mainline kernel on March 11. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. The exploit prototype is already public and gains root when run on Ubuntu 21.10 with kernel 5.13.0-37.


  • Vulnerability (CVE-2022-27666) in the esp4 and esp6 kernel modules, which implement the Encapsulating Security Payload (ESP) transform for IPsec over IPv4 and IPv6. The vulnerability allows a local user with ordinary privileges to overwrite objects in kernel memory and elevate their privileges on the system. The root cause is a mismatch between the size of the buffer obtained in the ESP output path and the amount of data then written into it: the maximum message that can be sent is larger than the largest page fragment skb_page_frag_refill() can allocate, so the copy runs past the allocation. The fix falls back to the copy-on-write path for such packets.

    The vulnerability was fixed in the kernel on March 7 (included in 5.17, 5.16.15 and other stable releases). You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. A working exploit prototype that gives an ordinary user root on Ubuntu Desktop 21.10 in the default configuration is already hosted on GitHub; with minor changes it is claimed to work on Fedora and Debian as well. Notably, the exploit was originally prepared for the Pwn2Own 2022 competition, but kernel developers found and fixed the underlying bug independently, so the author decided to disclose the details of the vulnerability.

  • Two vulnerabilities (CVE-2022-1015, CVE-2022-1016) in the netfilter subsystem, in the nf_tables module behind the nftables packet filter. The first allows a local unprivileged user to achieve an out-of-bounds write on the kernel stack. The overflow is triggered by well-formed nftables expressions: the register index a user with access to nftables rules supplies in an expression is not validated correctly.

    The bug stems from the developers assuming that the value of "enum nft_registers reg" fits in one byte, whereas the C standard (C89 onward) leaves the width of an enumeration type to the implementation, and with certain optimizations enabled the compiler uses a 32-bit value for it. The range check is therefore computed at one width while the index is stored and later used at another, so the size validated and allocated for does not match the register slot actually addressed; the tail of the register structure then overlaps pointers on the stack.

    The problem can be exploited to execute code at kernel level, but a successful attack requires access to nftables, which an unprivileged user can obtain inside a separate network namespace created with CLONE_NEWUSER and CLONE_NEWNET (for example, when able to run an isolated container). The vulnerability also depends on the optimizations applied by the compiler, such as those enabled when building with "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y". Exploitation is possible starting from Linux kernel 5.12.

    The second netfilter vulnerability is in the nft_do_chain handler and is classified as a use-after-free: the register block that nft_do_chain keeps on its stack is not initialized before rules run, so a crafted nftables expression can read back stale kernel stack contents. The leaked data can be used, for example, to learn pointer values while developing exploits for other vulnerabilities. Exploitation is possible starting from Linux kernel 5.13.

    The vulnerabilities were fixed in today's stable kernel updates 5.17.1, 5.16.18, 5.15.32, 5.10.109, 5.4.188, 4.19.237, 4.14.274 and 4.9.309. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. The researcher who found the problems has announced working exploits for both vulnerabilities, to be published in a few days, once distributions ship updated kernel packages.
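The watch_queue filter limit mismatch described above (CVE-2022-0995) comes down to two passes over the same user-supplied list disagreeing about which entries are valid. The following userspace model is an added illustration, not kernel code: the structure layout, the count pass and the fill pass follow the shape of watch_queue_set_filter(), but the names carry an "_m" suffix, a 64-bit `unsigned long` is assumed, and the filter entries are constructed sample input. Where the kernel would simply perform the out-of-bounds write, the model counts it instead.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BITS_PER_LONG    64                 /* assumes an LP64 kernel build */
#define WATCH_TYPE__NR   3                  /* watch types the kernel defines */
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Modelled kernel-side filter: a type bitmap sized for WATCH_TYPE__NR bits
 * (rounds up to one 64-bit word) followed by nr_filters entries. */
struct watch_type_filter_m { uint32_t type; uint32_t subtype_filter; };
struct watch_filter_m {
    uint64_t type_filter[BITS_TO_LONGS(WATCH_TYPE__NR)];
    uint32_t nr_filters;
    struct watch_type_filter_m filters[];
};

/* Constructed user-side entry, as handed to the kernel via ioctl. */
struct watch_notification_type_filter_m { uint32_t type; uint32_t subtype_filter; };

/* Limits applied by the two passes. The vulnerable pair mirrors the bug:
 * the count pass uses the bitmap size in bits, the fill pass uses
 * sizeof() * BITS_PER_LONG, eight times larger; neither is WATCH_TYPE__NR. */
struct limits_m { size_t count_limit; size_t fill_limit; };
static const struct limits_m limits_vulnerable = {
    sizeof(((struct watch_filter_m *)0)->type_filter) * 8,             /* 64  */
    sizeof(((struct watch_filter_m *)0)->type_filter) * BITS_PER_LONG, /* 512 */
};
static const struct limits_m limits_fixed = { WATCH_TYPE__NR, WATCH_TYPE__NR };

/* Run both passes with the given limits. Returns the number of writes that
 * would land outside the allocation (bitmap bits past the word, entries past
 * nr_filters); *out receives the object built from the entries that fit. */
static int set_filter_model(const struct watch_notification_type_filter_m *tf,
                            size_t n, struct limits_m lim, struct watch_filter_m **out)
{
    size_t nr_filter = 0, i, j = 0;
    int oob_writes = 0;
    struct watch_filter_m *wfilter;

    /* Pass 1: count the entries that will be kept; this sizes the allocation. */
    for (i = 0; i < n; i++)
        if (tf[i].type < lim.count_limit)
            nr_filter++;

    wfilter = calloc(1, sizeof(*wfilter) + nr_filter * sizeof(wfilter->filters[0]));
    if (!wfilter)
        return -ENOMEM;
    wfilter->nr_filters = (uint32_t)nr_filter;

    /* Pass 2: populate. With the vulnerable limits this pass accepts entries
     * pass 1 skipped, so j overruns nr_filter and type overruns the bitmap. */
    for (i = 0; i < n; i++) {
        if (tf[i].type >= lim.fill_limit)
            continue;
        if (tf[i].type >= 8 * sizeof(wfilter->type_filter))
            oob_writes++;                                   /* __set_bit past the bitmap */
        else
            wfilter->type_filter[tf[i].type / BITS_PER_LONG] |=
                (uint64_t)1 << (tf[i].type % BITS_PER_LONG);
        if (j >= nr_filter)
            oob_writes++;                                   /* filters[j] past the allocation */
        else
            wfilter->filters[j] = (struct watch_type_filter_m){ tf[i].type, tf[i].subtype_filter };
        j++;
    }
    *out = wfilter;
    return oob_writes;
}

/* Constructed sample: three valid types (0, 1, 2) and two bogus ones. */
static const struct watch_notification_type_filter_m sample_filters[] = {
    { 0, 0x1 }, { 1, 0x1 }, { 100, 0xffffffff }, { 300, 0xffffffff }, { 2, 0x1 },
};

/* Convenience wrapper: out-of-bounds write count for the sample with lim. */
static int oob_writes_with(struct limits_m lim, uint32_t *nr_kept)
{
    struct watch_filter_m *f = NULL;
    int rc = set_filter_model(sample_filters, 5, lim, &f);
    if (rc >= 0 && nr_kept)
        *nr_kept = f->nr_filters;
    free(f);
    return rc;
}

int main(void)
{
    uint32_t kept = 0;
    int oob = oob_writes_with(limits_vulnerable, &kept);
    printf("vulnerable limits (%zu/%zu): %u entries allocated, %d out-of-bounds writes\n",
           limits_vulnerable.count_limit, limits_vulnerable.fill_limit, kept, oob);
    oob = oob_writes_with(limits_fixed, &kept);
    printf("fixed limits (%zu/%zu): %u entries allocated, %d out-of-bounds writes\n",
           limits_fixed.count_limit, limits_fixed.fill_limit, kept, oob);
    return 0;
}
```

With the vulnerable limits the sample yields three allocated entries but five accepted ones, plus two bit-sets beyond the 64-bit bitmap; bounding both passes by WATCH_TYPE__NR, as the fix does, makes the passes agree and removes every stray write.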
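The nf_tables register bug (CVE-2022-1015) above is a width mismatch: the range check runs on a 32-bit register index, but the index an expression stores and later dereferences is 8 bits wide. The following userspace model is an added illustration, not kernel code: the constants mirror the kernel's register layout (20 32-bit slots in the register block nft_do_chain keeps on its stack), the function names carry a "_wrapping"/"_bounded" suffix, and the index 0x3fffffff is a constructed attacker-chosen value. The bounded variant rejects the index before any arithmetic, which is also how the upstream fix approaches it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NFT_REG32_SIZE   4                       /* bytes per 32-bit register */
#define NFT_REG32_COUNT  20                      /* data[] slots in struct nft_regs */
#define NFT_REG32_LAST   (NFT_REG32_COUNT - 1)   /* highest valid slot index (model) */

/* Model of the register block nft_do_chain keeps on its stack: 80 bytes. */
struct nft_regs_m { uint32_t data[NFT_REG32_COUNT]; };
#define NFT_REGS_DATA_BYTES sizeof(((struct nft_regs_m *)0)->data)

/* Pre-fix shape: the range check is evaluated on the 32-bit index, then the
 * index is narrowed to the u8 field the expression actually stores. For reg
 * near 2^30, reg * 4 + len wraps past 2^32 and the check passes. */
static int validate_register_load_wrapping(uint32_t reg, uint32_t len, uint8_t *sreg)
{
    if (len == 0)
        return -EINVAL;
    if (reg * NFT_REG32_SIZE + len > NFT_REGS_DATA_BYTES)   /* 32-bit arithmetic */
        return -ERANGE;
    *sreg = (uint8_t)reg;                                   /* 32 -> 8 bit narrowing */
    return 0;
}

/* Hardened shape: refuse any index beyond the last register before doing
 * arithmetic on it, so the multiplication cannot wrap and the narrowing
 * is lossless. */
static int validate_register_load_bounded(uint32_t reg, uint32_t len, uint8_t *sreg)
{
    if (reg > NFT_REG32_LAST)
        return -ERANGE;
    if (len == 0)
        return -EINVAL;
    if (reg * NFT_REG32_SIZE + len > NFT_REGS_DATA_BYTES)
        return -ERANGE;
    *sreg = (uint8_t)reg;
    return 0;
}

/* Byte offset within the register block at which a store through the
 * validated 8-bit index would begin, and whether it leaves the block. */
static size_t store_offset(uint8_t sreg)
{
    return (size_t)sreg * NFT_REG32_SIZE;
}

static int store_escapes_registers(uint8_t sreg, uint32_t len)
{
    return store_offset(sreg) + len > NFT_REGS_DATA_BYTES;
}

int main(void)
{
    uint8_t sreg = 0;
    uint32_t reg = 0x3fffffffu, len = 4;   /* constructed: 4 * reg + len wraps to 0 */
    int rc = validate_register_load_wrapping(reg, len, &sreg);

    printf("wrapping check: rc=%d, stored sreg=%u, store starts at byte %zu of a %zu-byte block, escapes=%d\n",
           rc, sreg, store_offset(sreg), (size_t)NFT_REGS_DATA_BYTES,
           store_escapes_registers(sreg, len));
    rc = validate_register_load_bounded(reg, len, &sreg);
    printf("bounded check: rc=%d (%s)\n", rc, rc == -ERANGE ? "rejected" : "accepted");
    return 0;
}
```

The wrapping check accepts 0x3fffffff because 0x3fffffff * 4 + 4 is exactly 2^32, which is 0 in 32-bit arithmetic; the stored index is then 0xff, so the later store begins 1020 bytes into an 80-byte block, on whatever the caller's stack frame holds there.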

Source: opennet.ru
