New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access

A newly disclosed security flaw in the Linux kernel could be
leveraged by a local adversary to gain elevated privileges on
vulnerable systems to execute arbitrary code, escape containers, or
induce a kernel panic^[1].

Tracked as CVE-2022-25636^[2]
(CVSS score: 7.8), the vulnerability impacts Linux kernel versions
5.4 through 5.6.10 and is a result of a heap out-of-bounds write in
the netfilter subcomponent in the kernel. The issue was discovered^[3]
by Nick Gregory, a research scientist at Capsule8.

“This flaw allows a local attacker with a user account on the
system to gain access to out-of-bounds memory, leading to a system
crash or a privilege escalation threat,” Red Hat said^[4]
in an advisory published on February 22, 2022. Similar alerts have
been released by Debian^[5], Oracle Linux^[6], SUSE^[7], and Ubuntu^[8].

Netfilter is a framework^[9]
provided by the Linux kernel that enables various
networking-related operations, including packet filtering, network
address translation, and port translation.

Specifically, CVE-2022-25636 relates to an issue with incorrect
handling of the framework’s hardware offload
feature^[10] that could be
weaponized by a local attacker to cause a denial-of-service (DoS)
or possibly execute arbitrary code.

“Despite being in code dealing with hardware offload, this is
reachable when targeting network devices that don’t have offload
functionality (e.g. lo) as the bug is triggered before the rule
creation fails.” Gregory said^[11]. “Additionally, while
nftables requires CAP_NET_ADMIN, we can unshare into a new network
namespace to get this as a (normally) unprivileged user.”

“This can be turned into kernel [return-oriented programming^[12]]/local privilege
escalation without too much difficulty, as one of the values that
is written out of bounds is conveniently a pointer to a net_device
structure,” Gregory added.