Exploitable vulnerabilities in nf_tables, watch_queue and IPsec have been identified in the Linux kernel
March 29, 2022
Several dangerous vulnerabilities have been identified in the Linux kernel that allow a local user to escalate their privileges on the system. Working exploit prototypes have been prepared for all of the problems discussed.
Vulnerability CVE-2022-0995 in the watch_queue event-tracking subsystem allows data to be written to kernel memory beyond the bounds of the allocated buffer. The attack can be carried out by any unprivileged user and results in execution of their code with kernel privileges. The vulnerability is in the watch_queue_set_size() function and stems from an attempt to clear all pointers in the list even when no memory has been allocated for them. The problem manifests when the kernel is built with the "CONFIG_WATCH_QUEUE=y" option, which is used in most Linux distributions.
The vulnerability was fixed by a change added to the kernel on March 11. Publication of package updates in distributions can be followed on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. A prototype exploit is already publicly available and grants root access when run on Ubuntu 21.10 with kernel 5.13.0-37.
Vulnerability CVE-2022-27666 in the esp4 and esp6 kernel modules, which implement ESP (Encapsulating Security Payload) transforms for IPsec over IPv4 and IPv6. The vulnerability allows a local user with ordinary privileges to overwrite objects in kernel memory and escalate their privileges on the system. The problem is caused by a missing check that the data actually received fits the allocated memory, even though the maximum message size can exceed the maximum amount of memory allocated by skb_page_frag_refill.
The vulnerability was fixed in the Linux kernel updates of March 7 (fixed in 5.17 and 5.16.15). Publication of package updates in distributions can be followed on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. A working prototype of the exploit that allows
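As an added exposure check that is not code from the article, the POSIX shell script below reports whether a kernel release is at or above the fixed versions the article names for CVE-2022-27666 (5.16.15, 5.17) and whether the build config contains CONFIG_WATCH_QUEUE=y, the condition the article gives for CVE-2022-0995. It assumes the running kernel's config is at /boot/config-$(uname -r); the release strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added triage helper; this is not code from the article. It reports exposure to
# the two bugs the article details: CVE-2022-27666 (esp4/esp6), for which the
# article names 5.16.15 and 5.17 as fixed releases, and CVE-2022-0995
# (watch_queue), reachable when the kernel is built with CONFIG_WATCH_QUEUE=y.

# Strip the distribution suffix from a release string: 5.13.0-37-generic -> 5.13.0
kver_base() { printf '%s\n' "${1%%-*}"; }

# Exit 0 when version $1 >= version $2, comparing major, minor and patch numerically.
kver_ge() {
    a=$(kver_base "$1"); b=$(kver_base "$2")
    oldifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ] && return 0; return 1; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ] && return 0; return 1; fi
    [ "$a3" -ge "$b3" ]
}

# CVE-2022-27666: "fixed" when the release is at or above a version the article
# lists as fixed (5.17, or 5.16.15 on the 5.16 branch). Anything else prints
# "check-vendor": the article does not enumerate backports to older branches.
esp_status() {
    v=$(kver_base "$1")
    case $v in
        5.16.*) if kver_ge "$v" 5.16.15; then echo fixed; else echo check-vendor; fi ;;
        *)      if kver_ge "$v" 5.17;    then echo fixed; else echo check-vendor; fi ;;
    esac
}

# CVE-2022-0995: exit 0 when the given kernel config file sets CONFIG_WATCH_QUEUE=y.
watch_queue_enabled() { grep -q '^CONFIG_WATCH_QUEUE=y$' "$1" 2>/dev/null; }

# Summarise both checks for a release string and a config path. Both are
# parameters so the functions can be run against sample values, not only the host.
report() {
    rel=$1; cfg=$2
    echo "kernel $rel: CVE-2022-27666 (esp4/esp6) status: $(esp_status "$rel")"
    if [ -r "$cfg" ]; then
        if watch_queue_enabled "$cfg"; then wq="CONFIG_WATCH_QUEUE=y, affected build option present"
        else wq="CONFIG_WATCH_QUEUE not set"; fi
    else wq="config $cfg not readable"; fi
    echo "kernel $rel: CVE-2022-0995 (watch_queue): $wq"
}

report "$(uname -r)" "/boot/config-$(uname -r)"
```

A "check-vendor" result is not a verdict: distributions ship backports for older stable branches, so the distribution advisory pages the article lists are the authority for those kernels.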
CVE-2022-0995, CVE-2022-27666, CVE-2022-1015, CVE-2022-1016
Kernel CVEs are already actively tracked by our Kernel maintainer.