The security company Sophos has disclosed a new vulnerability in netfilter, the Linux kernel's packet-filtering framework, which controls inbound and outbound traffic for the Linux network stack. netfilter underlies nftables, firewalld and ufw, so a flaw in it reaches a very large share of Linux systems and makes it a crucial component to keep secure.
From 5.4 to 5.6.10
The vulnerability is tracked as CVE-2022-25636 with a CVSS score of 7.8 and affects Linux kernel versions 5.4 through 5.6.10. A Red Hat advisory on the bug summarizes the risk as follows: “This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat”.
The flaw was discovered by Nick Gregory of Sophos while hunting for vulnerabilities in netfilter. It is a heap out-of-bounds write in the kernel's netfilter code, and it can be exploited to achieve kernel code execution via ROP, giving full local privilege escalation, container escape and more. Gregory says that while reviewing the nf_dup_netdev.c file he noticed the following code at line 67:
entry = &flow->rule->action.entries[ctx->num_actions++];
Working through a series of questions, namely what determines the size of the action.entries array, how nft_fwd_dup_netdev_offload is called and how many times, and how and when ctx is set up, and then tracing the code further, he confirmed that there is indeed a bug: the array is allocated with fewer entries than the offload callbacks go on to write, so the post-incremented index ctx->num_actions++ can run past the end of the heap allocation. He then managed to exploit it, although his exploit's success rate remained at about 30%.
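To make the sizing mismatch concrete, here is an added, constructed C model of the bug. It is not kernel code and not Gregory's exploit. It mirrors the shape of the problem: the action array is sized by counting only the expressions flagged as producing an offload action, while the offload callbacks write one entry for every expression that actually produces one. The fwd and dup expressions were not flagged, so the array came out short and the write at entries[ctx->num_actions++] landed past its end; the upstream fix makes fwd and dup count toward the allocation. All struct and function names here (rule_create, offload_action, counts_as_action, simulate_oob_writes) are hypothetical stand-ins, and the bounds check in offload_action exists only so the model runs safely and reports the overflow instead of performing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the CVE-2022-25636 sizing mismatch, not kernel code.
 * rule_create() stands in for the allocator that sizes action.entries, and
 * offload_action() for the per-expression offload callbacks that write
 * entries[ctx->num_actions++]. All names below are hypothetical. */

enum expr_kind { EXPR_META, EXPR_IMMEDIATE_DATA, EXPR_IMMEDIATE_VERDICT, EXPR_FWD, EXPR_DUP };

struct expr {
    enum expr_kind kind;
    bool counts_as_action;   /* flag the allocator consults when sizing the array */
};

struct action_entry { int id; };   /* stand-in for the real, much larger entry */

struct flow_rule {
    size_t num_entries;      /* allocated slots */
    struct action_entry *entries;
};

struct offload_ctx {
    size_t num_actions;      /* running write index, like ctx->num_actions */
    size_t oob_writes;       /* model-only: writes that would land past the end */
};

/* Expressions that really emit an action entry when the rule is offloaded. */
static bool emits_action(enum expr_kind k)
{
    return k == EXPR_IMMEDIATE_VERDICT || k == EXPR_FWD || k == EXPR_DUP;
}

/* Vulnerable: fwd/dup emit an action but are not flagged, so they go uncounted.
 * Fixed: they are flagged, so counting and emitting agree. */
static void set_action_flag(struct expr *e, bool fixed)
{
    if (e->kind == EXPR_IMMEDIATE_VERDICT)
        e->counts_as_action = true;
    else if (e->kind == EXPR_FWD || e->kind == EXPR_DUP)
        e->counts_as_action = fixed;
    else
        e->counts_as_action = false;
}

/* Size the action array from the flags alone, as the allocator does. */
static struct flow_rule *rule_create(const struct expr *exprs, size_t n)
{
    size_t num_actions = 0;
    for (size_t i = 0; i < n; i++)
        num_actions += exprs[i].counts_as_action;
    struct flow_rule *rule = calloc(1, sizeof *rule);
    if (!rule)
        return NULL;
    rule->num_entries = num_actions;
    rule->entries = calloc(num_actions ? num_actions : 1, sizeof *rule->entries);
    if (!rule->entries) {
        free(rule);
        return NULL;
    }
    return rule;
}

/* The real callback does entry = &...entries[ctx->num_actions++] unchecked.
 * The bounds check here exists only so the model runs safely and counts
 * the overflow instead of corrupting the heap. */
static bool offload_action(struct flow_rule *rule, struct offload_ctx *ctx, int id)
{
    size_t idx = ctx->num_actions++;
    if (idx >= rule->num_entries) {
        ctx->oob_writes++;
        return false;
    }
    rule->entries[idx].id = id;
    return true;
}

/* Offload a constructed three-expression rule (match, fwd, accept) and return
 * how many entry writes would have gone past the allocation. */
size_t simulate_oob_writes(bool fixed)
{
    struct expr exprs[] = { { EXPR_META, false }, { EXPR_FWD, false },
                            { EXPR_IMMEDIATE_VERDICT, false } };
    size_t n = sizeof exprs / sizeof exprs[0];
    for (size_t i = 0; i < n; i++)
        set_action_flag(&exprs[i], fixed);

    struct flow_rule *rule = rule_create(exprs, n);
    if (!rule)
        return (size_t)-1;
    struct offload_ctx ctx = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        if (emits_action(exprs[i].kind))
            offload_action(rule, &ctx, (int)i);

    size_t oob = ctx.oob_writes;
    free(rule->entries);
    free(rule);
    return oob;
}

int main(void)
{
    printf("vulnerable counting: %zu out-of-bounds write(s)\n", simulate_oob_writes(false));
    printf("fixed counting:      %zu out-of-bounds write(s)\n", simulate_oob_writes(true));
    return 0;
}
```

With the vulnerable counting the constructed rule allocates one slot but writes two, so the final write is out of bounds; with the fixed counting the allocation matches. In the real kernel that stray write is a whole struct flow_action_entry landing in whatever heap object follows the allocation, which is the corruption Gregory turned into a ROP chain.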
Patched kernels are expected soon from all affected Linux distributions. Until they arrive, note that reaching the vulnerable code requires adding nftables rules, which needs CAP_NET_ADMIN; an unprivileged local user can only obtain that capability by creating a user namespace (and a network namespace inside it), so disabling unprivileged user namespaces closes the attack path for ordinary users. The following commands do that:
Mitigation for Red Hat Enterprise Linux
sudo sh -c 'echo 0 > /proc/sys/user/max_user_namespaces'
sudo sysctl --system
Mitigation for Debian and Ubuntu-based distributions
sudo sysctl kernel.unprivileged_userns_clone=0
Both settings take effect immediately but do not survive a reboot; to make them persistent, put user.max_user_namespaces = 0 (available on every kernel since 4.9) or kernel.unprivileged_userns_clone = 0 (a Debian and Ubuntu kernel patch, absent elsewhere) in a file under /etc/sysctl.d/ and run sudo sysctl --system. Be aware that either setting also breaks software that relies on unprivileged user namespaces, such as rootless containers and some application sandboxes.
You can read the full documentation by using the following link: