Security bug in Linux kernel netfilter lets attackers gain root access

The vulnerability affects Linux kernel versions 5.4 through 5.6.10

Sophos researcher Nick Gregory has uncovered a dangerous security bug in the Linux kernel's netfilter subsystem that could let a local attacker escalate privileges on vulnerable machines and carry out a range of malicious activity, up to executing arbitrary code in the kernel.

Netfilter is the packet-processing framework built into the Linux kernel and the engine behind iptables and nftables. It provides packet filtering, port and network address translation, packet logging and userspace packet queueing.

The security flaw discovered by Gregory is tracked as CVE-2022-25636 and it affects Linux kernel versions 5.4 through 5.6.10.

The bug carries a CVSS v3 base score of 7.8 out of 10 and, according to Gregory, is a heap out-of-bounds write inside the netfilter subsystem.

Gregory showed that the out-of-bounds write can be turned into kernel code execution through return-oriented programming (ROP), giving complete local privilege escalation and, among other things, escape from a container.

The defect sits in netfilter's hardware flow-offload code. When nftables converts a rule into a flow-offload rule it first counts how many offload actions the rule's expressions will produce and allocates an array of that size; the count did not include the fwd and dup expressions, so filling the array for a rule that uses them writes past the end of the heap allocation. A local, unprivileged attacker can use this to crash the kernel (denial of service), run arbitrary code, or otherwise compromise the host. Reaching the nftables code requires CAP_NET_ADMIN, but an unprivileged user normally obtains that capability inside a network namespace of their own by first creating a user namespace, which is why the mitigations further down target unshare().

The bug is reachable even when the target machine has no hardware that supports offload, because the oversized write happens while the kernel is building the offload representation of the rule, not when a device accepts it.
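The following C program is an added illustration of the bug class described above; it is not code from the article, from Sophos, or from the kernel. The expression kinds, the rule layout and every function name in it are a hypothetical, simplified model. What it keeps from the real bug is the shape: the action array is sized by one pass that counts expressions, and a second pass fills it; when the first pass forgets the fwd and dup expressions, the second pass writes past the heap allocation. The model detects and counts that out-of-bounds write instead of performing it, so it is safe to compile and run, and count_slots_fixed mirrors the upstream fix of giving fwd and dup a slot each.

```c
/*
 * Added illustration of the sizing bug behind CVE-2022-25636.
 * NOT kernel code: enum expr_kind, struct offload_rule, struct flow_action
 * and all functions below are hypothetical, simplified stand-ins.
 */
#include <stdio.h>
#include <stdlib.h>

enum expr_kind {
    EXPR_CMP,               /* match only: emits no offload action       */
    EXPR_IMMEDIATE_DATA,    /* loads a register: emits no offload action */
    EXPR_IMMEDIATE_VERDICT, /* accept/drop: emits one offload action     */
    EXPR_FWD,               /* forward to a netdev: one offload action   */
    EXPR_DUP,               /* duplicate to a netdev: one offload action */
};

#define MAX_EXPRS 16

struct offload_rule {
    enum expr_kind exprs[MAX_EXPRS];
    size_t n;
};

struct flow_action {
    enum expr_kind kind;
};

/* Does this expression append an entry during the fill pass? */
static int expr_emits_action(enum expr_kind k)
{
    return k == EXPR_IMMEDIATE_VERDICT || k == EXPR_FWD || k == EXPR_DUP;
}

/* Vulnerable sizing pass: only immediate verdicts are counted. */
size_t count_slots_vulnerable(const struct offload_rule *r)
{
    size_t slots = 0;
    for (size_t i = 0; i < r->n; i++)
        if (r->exprs[i] == EXPR_IMMEDIATE_VERDICT)
            slots++;
    return slots;
}

/* Fixed sizing pass: every action-emitting expression gets a slot. */
size_t count_slots_fixed(const struct offload_rule *r)
{
    size_t slots = 0;
    for (size_t i = 0; i < r->n; i++)
        if (expr_emits_action(r->exprs[i]))
            slots++;
    return slots;
}

/*
 * Fill pass. The vulnerable code writes acts[next] unconditionally; here
 * a write at or past nslots is counted instead of performed, so the model
 * never corrupts memory. Returns the number of writes that would have
 * landed past the end of the array (0 when the sizing pass was right).
 */
size_t fill_actions(const struct offload_rule *r, struct flow_action *acts,
                    size_t nslots)
{
    size_t next = 0, oob = 0;
    for (size_t i = 0; i < r->n; i++) {
        if (!expr_emits_action(r->exprs[i]))
            continue;
        if (next < nslots)
            acts[next].kind = r->exprs[i];
        else
            oob++; /* this is the heap out-of-bounds write in the real bug */
        next++;
    }
    return oob;
}

/* Constructed sample: the expressions of a rule shaped like "dup to eth1 accept". */
struct offload_rule sample_dup_rule(void)
{
    struct offload_rule r = { { EXPR_CMP, EXPR_DUP, EXPR_IMMEDIATE_VERDICT }, 3 };
    return r;
}

/*
 * Size the array with the chosen counter, run the fill pass and report how
 * many writes would have gone out of bounds. fixed == 0 models the
 * vulnerable kernel, fixed != 0 the patched one.
 */
size_t oob_writes_for_sample(int fixed)
{
    struct offload_rule r = sample_dup_rule();
    size_t nslots = fixed ? count_slots_fixed(&r) : count_slots_vulnerable(&r);
    struct flow_action *acts = calloc(nslots ? nslots : 1, sizeof *acts);
    if (!acts)
        return (size_t)-1;
    size_t oob = fill_actions(&r, acts, nslots);
    free(acts);
    return oob;
}

int main(void)
{
    printf("vulnerable sizing: %zu action(s) written past the array\n",
           oob_writes_for_sample(0));
    printf("fixed sizing:      %zu action(s) written past the array\n",
           oob_writes_for_sample(1));
    return 0;
}
```

The point of the model is that the two passes disagree: the sample rule needs two action slots but the vulnerable counter allocates one, so the dup expression's entry lands one element past the allocation. With the fixed counter the array is sized for both entries and nothing goes out of bounds.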

"An out-of-bounds (OOB) memory access flaw was found in nft_fwd_dup_netdev_offload in net/netfilter/nf_dup_netdev.c in the netfilter subcomponent in the Linux kernel due to a heap out-of-bounds write problem," Red Hat said in an advisory.

"This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat."

The bug affects most recent major distribution releases, including Red Hat Enterprise Linux (RHEL) 8.x, Ubuntu, SUSE Linux Enterprise 15.3 and Debian Bullseye.

An upstream kernel patch exists, but at the time of writing it had not yet reached every distribution's kernel packages.

Until it does, Red Hat's advisory for Red Hat Enterprise Linux 8 recommends cutting off the usual route to the vulnerable code: stop unprivileged users from creating user namespaces (and, through them, network namespaces in which they hold CAP_NET_ADMIN), i.e. from running unshare(CLONE_NEWUSER) or unshare(CLONE_NEWNET). That is done with the command:

echo 0 > /proc/sys/user/max_user_namespaces

Note that writing to /proc does not survive a reboot; to make the setting persistent, put user.max_user_namespaces = 0 in a file under /etc/sysctl.d/. Also check beforehand whether anything on the host depends on user namespaces (rootless containers and some application sandboxes do), because they will stop working. If deactivating user namespaces is not possible, the alternative mitigation for containers is to block the relevant syscalls (unshare, and clone with namespace flags) in the container runtime's seccomp policy file.

Earlier this month, a researcher disclosed details of the now-patched 'Dirty Pipe' vulnerability in the Linux kernel, which an attacker could take advantage of to write any data into an arbitrary file and elevate privileges as a result.

That bug, tracked as CVE-2022-0847, allows a non-privileged user to inject and overwrite data in read-only files, according to IONOS software developer Max Kellermann, who first saw its symptoms as unexplained file corruption in April 2021 and traced them to the kernel bug in early 2022.

In January, researchers at Qualys disclosed details of the PwnKit Linux bug, which lets an attacker with access to an ordinary, non-administrative user account gain full root privileges on the system.

Tracked as CVE-2021-4034, the bug was in pkexec, a component of the Polkit system service that ships in all major Linux distributions, including Ubuntu, CentOS, Debian and Fedora.

The flaw was reported to Linux vendors in November last year, after which Debian, Red Hat and Ubuntu issued patches.