Security researcher Aaron Adams found a use-after-free bug in the Linux kernel that could allow local users to become superusers. The bug affects the NFTables kernel component, which is active by default on most Linux systems and is a further development of Linux’s own iptables firewall.
For an attack to be successful, an attacker needs a local user on the target system who must also be able to create their own NFTables namespaces. However, this setting is enabled by default, at least on current Ubuntu systems. In his message on the OSS Security mailing list, Adams also provides a proof-of-concept exploit (PoC).
Exploit code for nftables bugs
With this code example, the vulnerability on a system with Ubuntu 22.04 can be successfully exploited for root access, explains the security researcher. However, we could not confirm this in our own tests.
Apparently due to a misunderstanding, the bug received two CVE IDs, namely CVE-2022-1966 and CVE-2022-32250. However, the ID CVE-1022-1966 originally assigned by Red Hat should prevail. The severity of the vulnerability in the form of a CVSS score has not yet been determined, but the maintainers of Ubuntu and Red Hat rate it as “high”.
The developers of the Linux kernel have already fixed the bug in the source code, but at the time of the report no update packages had been released by any distribution. However, administrators of multi-user systems should act now to prevent attacks from malicious users.
The Ubuntu IT specialists explain that two sysctl commands can help with their own distributions. This will cause users to lose the ability to create NFTables namespaces, which should prevent exploitation of the vulnerability. However, the authors of Ubuntu do not write anything about possible side effects in their security advisory:
$sudo sysctl -w kernel.unprivileged_user_clone=0
$ echo kernel.unprivileged_userns_clone=0 | sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf
Since most systems have such configuration files, it should work there as well. If necessary, administrators should check whether the file /etc/sysctl.d/99-disable-unpriv-userns.conf is present and adjust the line if necessary.
To home page
#Bug #Linux #kernel #privilege #escalation