Recently, news was released that several vulnerabilities classified as dangerous were detected in the Linux kernel, all of which allow a local user to elevate their privileges on the system.
The first of the vulnerabilities is CVE-2022-0995, present in the "watch_queue" event tracking subsystem; it causes data to be written to an area of kernel memory outside of the allocated buffer. The attack can be carried out by any user without privileges, who can thereby have their code executed with kernel privileges.
The vulnerability is present in the watch_queue_set_size() function and is associated with an attempt to clear all pointers from the list, even those for which memory has not been allocated. The problem manifests itself when the kernel is built with the "CONFIG_WATCH_QUEUE=y" option, which is used by most Linux distributions.
It is mentioned that the vulnerability was fixed in a change added to the kernel on March 11.
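The bug class described above (an error path that releases every entry of a list, including entries that were never allocated) is easy to reproduce and to detect in user space. The following C program is an added example written for this page; it is not the kernel's watch_queue code. The ring, the allocation tracker and the failure injection are all constructed: the tracker stands in for a sanitizer and counts releases of pointers it never handed out, the buggy variant frees the whole list on failure, and the corrected variant clears the list first and frees only what was actually allocated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 8
#define SLOT_BYTES 64

/* Minimal allocation tracker standing in for a sanitizer (constructed):
 * it remembers every pointer it hands out, fails after a configurable
 * number of allocations, and counts releases of pointers it never issued. */
static void *issued[MAX_SLOTS];
static int nr_issued;
static int fail_after;   /* allocations allowed before sim_alloc returns NULL */
static int bad_frees;    /* releases of pointers the tracker never allocated */

static void tracker_reset(int allow)
{
    memset(issued, 0, sizeof(issued));
    nr_issued = 0;
    fail_after = allow;
    bad_frees = 0;
}

static void *sim_alloc(size_t sz)
{
    if (nr_issued >= fail_after || nr_issued >= MAX_SLOTS)
        return NULL;
    void *p = calloc(1, sz);
    issued[nr_issued++] = p;
    return p;
}

static void sim_free(void *p)
{
    if (!p)                       /* free(NULL) is a no-op, as in C */
        return;
    for (int i = 0; i < nr_issued; i++) {
        if (issued[i] == p) {
            issued[i] = NULL;     /* released; a second free would count as bad */
            free(p);
            return;
        }
    }
    bad_frees++;                  /* stale or never-allocated pointer */
}

/* Number of tracked allocations that were never released. */
static int leaked(void)
{
    int n = 0;
    for (int i = 0; i < nr_issued; i++)
        if (issued[i]) n++;
    return n;
}

struct ring {
    void *slots[MAX_SLOTS];   /* hypothetical list of buffer pointers */
};

/* Stale contents left in a buffer that was never cleared (constructed). */
static void ring_poison(struct ring *r)
{
    for (size_t i = 0; i < MAX_SLOTS; i++)
        r->slots[i] = (void *)(uintptr_t)0x1;
}

/* Bug class from the description above: the error path walks the entire
 * list and releases every slot, including the ones never allocated. */
static int ring_fill_buggy(struct ring *r, size_t nr_slots)
{
    size_t i;
    for (i = 0; i < nr_slots; i++) {
        r->slots[i] = sim_alloc(SLOT_BYTES);
        if (!r->slots[i])
            goto err;
    }
    return 0;
err:
    for (i = 0; i < nr_slots; i++)   /* BUG: should stop at the failed index */
        sim_free(r->slots[i]);
    return -1;
}

/* Corrected: clear the list first and release only the entries that were
 * actually allocated before the failure. */
static int ring_fill_fixed(struct ring *r, size_t nr_slots)
{
    size_t done;
    memset(r->slots, 0, sizeof(r->slots));
    for (done = 0; done < nr_slots; done++) {
        r->slots[done] = sim_alloc(SLOT_BYTES);
        if (!r->slots[done])
            goto err;
    }
    return 0;
err:
    for (size_t i = 0; i < done; i++) {
        sim_free(r->slots[i]);
        r->slots[i] = NULL;
    }
    return -1;
}

/* Drivers: fill a poisoned ring with 'allow' allocations permitted and
 * return how many invalid frees the tracker observed. */
static int run_buggy(size_t nr_slots, int allow)
{
    struct ring r;
    tracker_reset(allow);
    ring_poison(&r);
    if (ring_fill_buggy(&r, nr_slots) == 0)
        for (size_t i = 0; i < nr_slots; i++) sim_free(r.slots[i]);
    return bad_frees;
}

static int run_fixed(size_t nr_slots, int allow)
{
    struct ring r;
    tracker_reset(allow);
    ring_poison(&r);
    if (ring_fill_fixed(&r, nr_slots) == 0)
        for (size_t i = 0; i < nr_slots; i++) sim_free(r.slots[i]);
    return bad_frees;
}

int main(void)
{
    printf("buggy: %d invalid frees\n", run_buggy(6, 2));
    printf("fixed: %d invalid frees, %d leaked\n", run_fixed(6, 2), leaked());
    return 0;
}
```

With six slots requested and the allocator failing on the third, the buggy error path releases the three poisoned slots beyond the failure point, which is exactly the kind of invalid free that KASAN or a user-space sanitizer reports; the corrected version releases only the two real allocations and leaks nothing.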
The second vulnerability that was disclosed is CVE-2022-27666, which is present in the esp4 and esp6 kernel modules that implement Encapsulating Security Payload (ESP) transformations for IPsec, used with both IPv4 and IPv6.
The vulnerability allows a local user with normal privileges to overwrite objects in kernel memory and elevate their privileges on the system. The problem is due to a mismatch between the size of the allocated memory and the data actually received, since the maximum size of the message could exceed the maximum size of the memory allocated for the skb_page_frag_refill structure.
It is mentioned that the vulnerability was fixed in the kernel on March 7 (fixed in 5.17, 5.16.15, etc.); in addition, a working prototype exploit that allows a normal user to gain root access on Ubuntu Desktop 21.10 with default settings has been published on GitHub.
It is stated that, with minor changes, the exploit will also work on Fedora and Debian. It should be noted that the exploit was originally prepared for the Pwn2Own 2022 competition, but the associated bug was identified and fixed by the kernel developers, so it was decided to disclose the details of the vulnerability.
Other vulnerabilities that were disclosed are CVE-2022-1015 and CVE-2022-1016 in the netfilter subsystem, in the nf_tables module that powers the nftables packet filter. The researcher who identified the issues announced the preparation of working exploits for both vulnerabilities, which are planned to be released a few days after distributions release kernel package updates.
The first problem allows an unprivileged local user to achieve an out-of-bounds write to the stack. The overflow occurs in the processing of well-formed nftables expressions, during the validation phase of indexes provided by a user who has access to the nftables rules.
The vulnerability is due to the fact that the developers assumed that the value of "enum nft_registers reg" is one byte, while, when certain optimizations are enabled, the compiler, in accordance with the C89 specification, may use a 32-bit value for it. Because of this quirk, the size used to check and allocate memory does not correspond to the actual size of the data in the structure, so the structure spills over onto pointers on the stack.
The problem can be exploited to execute code at the kernel level, but a successful attack requires access to nftables.
That access can be obtained in a separate network namespace with CLONE_NEWUSER or CLONE_NEWNET rights (for example, if you can run an isolated container). The vulnerability is also closely tied to the optimizations used by the compiler, which are enabled, for example, when compiling in "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y" mode. Exploitation of the vulnerability is possible as of Linux kernel 5.12.
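The width mismatch described above (a check written as if an enum were one byte wide while the compiler stores and uses an int-sized value) is a general C pitfall, and the following added example models it in user space. The enum, the struct, the register count and both parse functions are constructed for illustration; they are not the nf_tables code and do not reproduce the kernel's real structures. The buggy variant bounds-checks a copy narrowed to 8 bits and then stores the full 32-bit value; the corrected variant validates the value at the same width in which it is stored, which is the property a reviewer should look for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_REGS 32   /* size of the hypothetical register array */

/* Hypothetical register identifiers (constructed, not nf_tables'). */
enum reg_id { REG_VERDICT = 0, REG_1, REG_2, REG_3, REG_4 };

struct expr {
    enum reg_id sreg;   /* the compiler is free to give this an int-sized width */
};

/* Width the compiler actually chose for the enum on this build. */
static size_t enum_width(void)
{
    return sizeof(enum reg_id);
}

/* Buggy: the bounds check runs on a copy narrowed to one byte, on the
 * assumption that the enum is one byte wide, but the full value is stored. */
static int parse_reg_buggy(struct expr *e, uint32_t user_reg)
{
    uint8_t reg = (uint8_t)user_reg;   /* high bits silently dropped */
    if (reg >= NR_REGS)
        return -1;
    e->sreg = (enum reg_id)user_reg;   /* but this keeps all 32 bits */
    return 0;
}

/* Corrected: validate the value at the same width in which it is stored. */
static int parse_reg_fixed(struct expr *e, uint32_t user_reg)
{
    if (user_reg >= NR_REGS)
        return -1;
    e->sreg = (enum reg_id)user_reg;
    return 0;
}

/* Index that a later use site would apply to a register array of NR_REGS
 * entries; anything >= NR_REGS would land past the end of that array. */
static uint32_t reg_index(const struct expr *e)
{
    return (uint32_t)e->sreg;
}

static int index_in_bounds(const struct expr *e)
{
    return reg_index(e) < NR_REGS;
}

int main(void)
{
    struct expr e;
    printf("enum width on this build: %zu byte(s)\n", enum_width());
    if (parse_reg_buggy(&e, 0x100) == 0)
        printf("buggy check accepted 0x100, stored index %u (in bounds: %d)\n",
               reg_index(&e), index_in_bounds(&e));
    printf("fixed check on 0x100 returns %d\n", parse_reg_fixed(&e, 0x100));
    return 0;
}
```

On a build where the enum is int-sized (the default for GCC and Clang), the buggy parser accepts 0x100 because its low byte is 0, yet the stored index is 256 and would fall far past the 32-entry array; the corrected parser rejects it. On a build using single-byte enums the narrowed check happens to agree with the stored width, which is why such a bug can depend on compiler options, as the text notes for CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y.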
The second vulnerability in netfilter is a use-after-free (access to a memory area that has already been freed) in nft_do_chain; it can cause a leak of uninitialized kernel memory areas that can be read by manipulating nftables expressions and used, for example, to determine pointer addresses while developing exploits for other vulnerabilities. Exploitation of the vulnerability is possible as of Linux kernel 5.13.
The vulnerabilities were fixed in the recently released corrective kernel updates.