Another vulnerability in the Linux kernel's Netfilter subsystem

A vulnerability (CVE-2022-1972) has been identified in the kernel's Netfilter subsystem, similar to the problem disclosed in late May. The new vulnerability likewise lets a local user gain root privileges by manipulating nftables rules. An attack requires access to nftables, which can be obtained inside a separate namespace (a network namespace or a user namespace) whenever CLONE_NEWUSER, CLONE_NEWNS or CLONE_NEWNET is available to the attacker (for example, when it is possible to launch an isolated container).

The problem is caused by a bug in the code that handles set elements whose fields combine several ranges: processing specially crafted set parameters leads to a write outside the allocated memory region. The researchers have prepared a working exploit that obtains root on Ubuntu 21.10 with kernel 5.13.0-39-generic. The vulnerability has been present since kernel 5.6. A fix has been proposed as a patch. To block exploitation on ordinary systems, make sure that unprivileged users cannot create user namespaces ("sudo sysctl -w kernel.unprivileged_userns_clone=0"). Note that this sysctl exists only on kernels carrying the Debian/Ubuntu patch that adds it; on a mainline kernel the closest equivalent is "user.max_user_namespaces=0", which disables user namespace creation for every user, root included. In both cases the setting is lost on reboot unless it is also written to /etc/sysctl.d/.
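The precondition described above, a plain user reaching nf_tables through a fresh user and network namespace, can be checked on a given host with the following C program. It is an added example written for this page, not code from the article, the researchers or the kernel project; the helper names (put_msg, build_nft_batch, classify_ack, probe_nft_access, make_ack) and the table name "probe_table" are this example's own. It sends a harmless nfnetlink batch that creates and immediately deletes an inet table, first as the calling user and then from inside a new user+network namespace, and reports whether the kernel accepted the request (1), refused it with EPERM (0), or the probe could not be completed at all (-1, for instance because unprivileged user namespaces are disabled or nf_tables is not loaded).

```c
/* Added example (not from the article): probe whether the calling user can
 * reach nf_tables, directly or through a fresh user+network namespace.
 * The batch creates and immediately deletes "probe_table", so a successful
 * probe leaves no state behind. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <linux/sched.h>              /* CLONE_NEWUSER, CLONE_NEWNET */
#include <linux/netlink.h>
#include <linux/netfilter.h>          /* NFPROTO_INET */
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>

#define GEN_LEN NLMSG_LENGTH(sizeof(struct nfgenmsg))   /* nlmsghdr + nfgenmsg = 20 bytes */
#define NFT_TYPE(msg) ((NFNL_SUBSYS_NFTABLES << 8) | (msg))

static char g_scratch[512];           /* shared by main() and the tests */

/* Write one nfnetlink message (optionally carrying NFTA_TABLE_NAME) at buf.
 * Returns the 4-byte aligned message length. */
static size_t put_msg(char *buf, __u16 type, __u16 flags, __u32 seq,
                      __u8 family, __u16 res_id, const char *table_name)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct nfgenmsg *nfg = NLMSG_DATA(nlh);
    size_t len = GEN_LEN;

    nfg->nfgen_family = family;
    nfg->version = NFNETLINK_V0;
    nfg->res_id = htons(res_id);
    if (table_name) {
        struct nlattr *nla = (struct nlattr *)(buf + len);
        size_t name_len = strlen(table_name) + 1;   /* NUL-terminated string attr */
        nla->nla_type = NFTA_TABLE_NAME;
        nla->nla_len = NLA_HDRLEN + name_len;
        memcpy((char *)nla + NLA_HDRLEN, table_name, name_len);
        len = NLMSG_ALIGN(len + nla->nla_len);
    }
    nlh->nlmsg_len = len;
    nlh->nlmsg_type = type;
    nlh->nlmsg_flags = flags;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = 0;
    return len;
}

/* Batch: BATCH_BEGIN, NEWTABLE(name) [ACK], DELTABLE(name), BATCH_END.
 * Returns the total length (104 bytes for "demo") or -1 if cap is too small. */
static int build_nft_batch(char *buf, size_t cap, const char *name)
{
    size_t tbl = NLMSG_ALIGN(GEN_LEN + NLA_HDRLEN + strlen(name) + 1);
    size_t total = 2 * GEN_LEN + 2 * tbl, off = 0;
    if (cap < total) return -1;
    memset(buf, 0, total);                 /* zero attribute padding */
    off += put_msg(buf + off, NFNL_MSG_BATCH_BEGIN, NLM_F_REQUEST, 1, AF_UNSPEC, NFNL_SUBSYS_NFTABLES, NULL);
    off += put_msg(buf + off, NFT_TYPE(NFT_MSG_NEWTABLE), NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE, 2, NFPROTO_INET, 0, name);
    off += put_msg(buf + off, NFT_TYPE(NFT_MSG_DELTABLE), NLM_F_REQUEST, 3, NFPROTO_INET, 0, name);
    off += put_msg(buf + off, NFNL_MSG_BATCH_END, NLM_F_REQUEST, 4, AF_UNSPEC, NFNL_SUBSYS_NFTABLES, NULL);
    return (int)off;
}

/* Decode the first reply: 1 = request accepted, 0 = EPERM, -1 = anything else. */
static int classify_ack(const char *buf, size_t len)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (len < NLMSG_LENGTH(sizeof(struct nlmsgerr)) || !NLMSG_OK(nlh, (int)len)) return -1;
    if (nlh->nlmsg_type != NLMSG_ERROR) return -1;
    int err = ((const struct nlmsgerr *)(buf + NLMSG_HDRLEN))->error;
    return err == 0 ? 1 : (err == -EPERM ? 0 : -1);
}

/* Kernel-style NLMSG_ERROR reply, used to exercise classify_ack() offline. */
static int make_ack(char *buf, int error)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct nlmsgerr *e = NLMSG_DATA(nlh);
    memset(buf, 0, NLMSG_LENGTH(sizeof *e));
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof *e);
    nlh->nlmsg_type = NLMSG_ERROR;
    e->error = error;
    return (int)nlh->nlmsg_len;
}

static int probe_in_child(int use_namespaces)
{
    char buf[512];
    struct timeval tv = { 2, 0 };          /* never hang if no ack arrives */
    if (use_namespaces && syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNET) < 0) return -1;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);   /* created inside the new netns */
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    int len = build_nft_batch(buf, sizeof buf, "probe_table");
    if (len < 0 || send(fd, buf, len, 0) != len) { close(fd); return -1; }
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    close(fd);
    return n < 0 ? -1 : classify_ack(buf, (size_t)n);
}

/* Run the probe in a forked child so unshare() never affects the caller. */
static int probe_nft_access(int use_namespaces)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(probe_in_child(use_namespaces) + 1);   /* map -1..1 to 0..2 */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) - 1;
}

int main(void)
{
    static const char *verdict[] = { "not determinable", "refused (EPERM)", "accepted" };
    printf("nf_tables NEWTABLE as this user:        %s\n", verdict[probe_nft_access(0) + 1]);
    printf("nf_tables NEWTABLE in new user+net ns:  %s\n", verdict[probe_nft_access(1) + 1]);
    return 0;
}
```

Run it as an ordinary user: on an unpatched distribution kernel the first line is "refused (EPERM)" while the second is "accepted", which is exactly the window the exploit needs. After setting the sysctl above, unshare() fails with EPERM and the second line becomes "not determinable". Note that the probe deliberately stops at a table create/delete; it does not touch sets or ranges and triggers nothing related to the vulnerability itself.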

In addition, details of three kernel vulnerabilities in the NFC subsystem have been published. They allow an unprivileged user to crash the kernel (more dangerous attack vectors have not yet been demonstrated):

  • CVE-2022-1734: use-after-free in the nfcmrvl driver (drivers/nfc/nfcmrvl), exploitable by simulating an NFC device from user space.
  • CVE-2022-1974: use-after-free in the netlink functions for NFC devices (net/nfc/core.c), triggered during registration of a new device. As with the previous vulnerability, it can be exploited by simulating an NFC device from user space.
  • CVE-2022-1975: bug in the firmware loading code for NFC devices, which can be used to trigger a kernel panic.
Source: media reports.