Two vulnerabilities found in the Linux kernel


A few days ago it was reported that two vulnerabilities had been identified in the Linux kernel. The first, already catalogued as CVE-2022-0435, was found in the kernel module that implements the TIPC (Transparent Inter-Process Communication) network protocol.

This vulnerability could allow code execution at kernel level by sending a specially crafted network packet.

The problem only affects systems with the tipc.ko kernel module loaded and the TIPC stack configured, which is typically used in clusters and is not enabled by default on general-purpose Linux distributions.

The vulnerability is caused by a stack overflow that occurs when processing packets in which the value of the field holding the number of member nodes of the domain exceeds 64.

To store the node parameters, the tipc.ko module defines the array "u32 members[64]", but when processing the node number specified in the packet the "member_cnt" value is not checked, which allows values greater than 64 to be used for a controlled overwrite of data in the stack memory area after the "dom_bef" structure.

The TIPC protocol was originally developed by Ericsson; it is designed to organize communication between processes in a cluster and is enabled mainly on cluster nodes. TIPC can run over both Ethernet and UDP (network port 6118).

When running over Ethernet, an attack can be carried out from the local network, and when using UDP, from the global network if the port is not protected by a firewall. The attack can also be carried out by a local user without privileges on the host. To enable TIPC, the tipc.ko kernel module must be loaded and a binding to a network interface configured using netlink or the tipc utility.

It is mentioned that when the kernel is built with "CONFIG_FORTIFY_SRC=y" (used in RHEL), which adds additional bounds checks to the memcpy() function, exploitation is limited to an emergency stop (the kernel enters the "Kernel Panic" state).

If the kernel runs without these additional checks and information about the canary values used to protect the stack has leaked, the issue can be used to remotely execute code with kernel privileges. The researchers who identified the issue say the exploitation technique is trivial and will be disclosed after the vulnerability has been widely fixed in distributions.

The bug that gave rise to the vulnerability was introduced on June 15, 2016 and became part of the Linux 4.8 kernel. The vulnerability is fixed in kernel versions Linux 5.16.9, 5.15.23, 5.10.100, 5.4.179, 4.19.229, 4.14.266 and 4.9.301.

The other vulnerability found in the Linux kernel is CVE-2022-24122, in the code that handles rlimit constraints in different user namespaces.

The bug was introduced by a change added in summer 2021 that moved the implementation of some RLIMIT counters to the "ucounts" structure. The "ucounts" objects created for RLIMIT continued to be used after the memory allocated for them had been freed (use-after-free) when the namespace associated with them was removed, which made it possible to achieve execution of attacker-controlled code at kernel level.

Exploitation of the vulnerability by an unprivileged user is only possible if the system allows unprivileged access to user ID namespaces (unprivileged user namespaces), which is enabled by default in Ubuntu and Fedora but not in Debian and RHEL.

As a workaround to block the vulnerability, you can disable unprivileged access to user namespaces:

sysctl -w kernel.unprivileged_userns_clone=0

The problem has existed since Linux kernel 5.14 and will be fixed in the 5.16.5 and 5.15.19 updates. The stable branches of Debian, Ubuntu, SUSE/openSUSE and RHEL are not affected, but the issue is present in newer Fedora and Arch Linux kernels.
