Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter
March 15, 2022

How To Fix CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter

How To Fix Cve 2022 25636 A Heap Out Of Bounds Write Vulnerability In Netfilter

There is another vulnerability has been identified in the Linux Kernel a few days after disclosing the Dirty Pipe Vulnerability. A senior threat researcher, Nick Gregory from Sophos, has disclosed this flaw in the Netfilter module that provides firewall, NAT, and packet mangling services to Linux Kernel. The flaw has been tracked as CVE-2022-25636 has a base score of 7.8 as per the CVSS3.1 scoring system. The successful exploitation of the flaw could let attackers achieve kernel code execution (via ROP), giving full local privilege escalation, container escape, whatever they want to do. This is important for all Linux users to know about this vulnerability. Let’s see How to Fix CVE-2022-25636- A Heap Out of Bounds Write Vulnerability in Netfilter.

What Is Netfilter?

Netfilter is a network framework project driven by Free and Open-Source Software. Basically, it provides various network security features, including Firewalling, NAT(PAT), Packet filtering, packet logging, userspace packet queueing, and other packet manglings to the Linux Kernel v2.4.x and later. Netfilter is directly associated with iptables and nftables, which are well-known firewall utilities on the Linux platform.Some if its main features are:

  • stateless packet filtering (IPv4 and IPv6)

  • stateful packet filtering (IPv4 and IPv6)

  • all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)

  • flexible and extensible infrastructure

  • multiple layers of API’s for 3rd party extensions

Summary Of CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter:

Research says that the flaw is due to improper handling of hardware offload feature in the Netfilter framework. The flaw allows local attackers to gain access to out-of-bounds memory and allows them to perform denial-of-service (DoS), privilege escalation, and arbitrary code execution attacks on the vulnerable system. To exploit this vulnerability, attackers should have a local user account with low privilege on the system.

Associated CVE IDCVE-2022-25636
DescriptionA Heap Out of Bounds Write Vulnerability in Netfilter
Associated ZDI ID
CVSS Score7.8 High
Impact Score5.9
Exploitability Score1.8
Attack Vector (AV)Local
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
Confidentiality (C)High
Integrity (I)High
availability (a)High

Kernel Versions Vulnerable To The CVE-2022-25636 Flaw:

This vulnerability affects Linux kernel versions from 5.4 to 5.6.10. Well, the vulnerability has been tested on Ubuntu 21.10 with kernel 5.13.0-30. The result says that sometimes it worked, and sometimes it threw a Kernel Panic. It’s still unclear about the actual versions of the kernel that are affected by the CVE-2022-25636 vulnerability (A Heap Out of Bounds Write Vulnerability in Netfilter).

How To Fix CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter?

We hope this flaw is fixed in the coming versions. However, until there is a fix available, you can apply mitigation for this Heap Out of Bounds Write Vulnerability in the Netfilter module.To mitigate this issue, you need to disable unprivileged user namespaces to restrict access to privileged users. This could be done either any of the ways:
Method 1: Write ‘0’ in /proc/sys/user/max_user_namespaces file.

$ sudo echo 0 > /proc/sys/user/max_user_namespaces

Reload the system configuration files to write this configuration permanently.

$ sudo sysctl --system

Method 2: Set the kernel.unprivileged_userns_clone sysctl to 0

$ sudo sysctl kernel.unprivileged_userns_clone=0

How To Upgrade Kernel To The Latest Version?

How to Upgrade Kernel to v5.17?

Note: Before you download and install it on your production server, we recommend testing this on a test machine. Don’t forget to take the full VM snapshot if are upgrading the kernel on a Virtual Image. Or, take the filesystem backup if you have a physical server.

Step 1. Check the kernel version

Before you start upgradation, check the version of the kernel your server has. What if the kernel version is not in the list of affected versions, If so, you can schedule this later as per your time.
Run this command to check the kernel version.

$ uname -rs

Step 2. Download kernel modules 5.17

Download the kernel packages directly from the website. Download the latest version available (At the bottom) from the website to a dedicated directory. Change the permission of the files to execute.
Create a directory in your path:

$ mkdir /home/arunkl/kernel-5.17

Change the directory:

$ cd /home/arunkl/kernel-5.17/

Download these two files (where X.Y.Z is the highest version):

1. linux-image-*X.Y.Z*-generic-*.deb
2. linux-modules-X.Y.Z*-generic-*.deb

Commands to download the kernel v5.17

$ wget

$ wget

Run this command to set the files permission to execution mode:

$ chmod +x *.deb

Step 3. Install kernel module 5.17

Install the downloaded packages using the default dpkg utility then reboot the server.

$ sudo dpkg –install *.deb
$ reboot

Step 4. Check the kernel version after reboot

Use the same command used in the first step. You will see an upgraded kernel version if everything goes well.

$ uname -rs

We hope this post helps you know How to Fix CVE-2022-25636- A Heap Out of Bounds Write Vulnerability in Netfilter. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription