There is another vulnerability has been identified in the Linux Kernel a few days after disclosing the Dirty Pipe Vulnerability. A senior threat researcher, Nick Gregory from Sophos, has disclosed this flaw in the Netfilter module that provides firewall, NAT, and packet mangling services to Linux Kernel. The flaw has been tracked as CVE-2022-25636 has a base score of 7.8 as per the CVSS3.1 scoring system. The successful exploitation of the flaw could let attackers achieve kernel code execution (via ROP), giving full local privilege escalation, container escape, whatever they want to do. This is important for all Linux users to know about this vulnerability. Let’s see How to Fix CVE-2022-25636- A Heap Out of Bounds Write Vulnerability in Netfilter.
What Is Netfilter?
Netfilter is a network framework project driven by Free and Open-Source Software. Basically, it provides various network security features, including Firewalling, NAT(PAT), Packet filtering, packet logging, userspace packet queueing, and other packet manglings to the Linux Kernel v2.4.x and later. Netfilter is directly associated with iptables and nftables, which are well-known firewall utilities on the Linux platform.
Some if its main features are:
- stateless packet filtering (IPv4 and IPv6)
- stateful packet filtering (IPv4 and IPv6)
- all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)
- flexible and extensible infrastructure
- multiple layers of API’s for 3rd party extensions
Summary Of CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter:
Research says that the flaw is due to improper handling of hardware offload feature in the Netfilter framework. The flaw allows local attackers to gain access to out-of-bounds memory and allows them to perform denial-of-service (DoS), privilege escalation, and arbitrary code execution attacks on the vulnerable system. To exploit this vulnerability, attackers should have a local user account with low privilege on the system.
| Associated CVE ID | CVE-2022-25636 |
| Description | A Heap Out of Bounds Write Vulnerability in Netfilter |
| Associated ZDI ID | – |
| CVSS Score | 7.8 High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Impact Score | 5.9 |
| Exploitability Score | 1.8 |
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | Low |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Kernel Versions Vulnerable To The CVE-2022-25636 Flaw:
This vulnerability affects Linux kernel versions from 5.4 to 5.6.10. Well, the vulnerability has been tested on Ubuntu 21.10 with kernel 5.13.0-30. The result says that sometimes it worked, and sometimes it threw a Kernel Panic. It’s still unclear about the actual versions of the kernel that are affected by the CVE-2022-25636 vulnerability (A Heap Out of Bounds Write Vulnerability in Netfilter).
How To Fix CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter?
We hope this flaw is fixed in the coming versions. However, until there is a fix available, you can apply mitigation for this Heap Out of Bounds Write Vulnerability in the Netfilter module.
To mitigate this issue, you need to disable unprivileged user namespaces to restrict access to privileged users. This could be done either any of the ways:
Method 1: Write ‘0’ in /proc/sys/user/max_user_namespaces file.
$ sudo echo 0 > /proc/sys/user/max_user_namespaces
Reload the system configuration files to write this configuration permanently.
$ sudo sysctl --system
Method 2: Set the kernel.unprivileged_userns_clone sysctl to 0
$ sudo sysctl kernel.unprivileged_userns_clone=0
How To Upgrade Kernel To The Latest Version?
How to Upgrade Kernel to v5.17?
Note: Before you download and install it on your production server, we recommend testing this on a test machine. Don’t forget to take the full VM snapshot if are upgrading the kernel on a Virtual Image. Or, take filesystem back up if you have a physical server.
- Check the kernel version
Before you start upgradation, check the version of the kernel your server has. What if the kernel version is not in the list of affected versions, If so, you can schedule this later as per your time.
Run this command to check the kernel version.
$ uname -rs
- Download kernel modules 5.17
Download the kernel packages directly from the kernel.ubuntu.com website. Download the latest version available (At the bottom) from the website to a dedicated directory. Change the permission of the files to execute.
Create a directory in your path:
$ mkdir /home/arunkl/kernel-5.17
Change the directory:
$ cd /home/arunkl/kernel-5.17/
Download these two files (where X.Y.Z is the highest version):
1. linux-image-*X.Y.Z*-generic-*.deb
2. linux-modules-X.Y.Z*-generic-*.deb
Commands to download the kernel v5.17
$ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.17-rc7/amd64/linux-image-unsigned-5.17.0-051700rc7-generic_5.17.0-051700rc7.202203062330_amd64.deb
$ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.17-rc7/amd64/linux-modules-5.17.0-051700rc7-generic_5.17.0-051700rc7.202203062330_amd64.deb
Run this command to set the files permission to execution mode:
$ chmod +x *.deb
- Install kernel module 5.17
Install the downloaded packages using the default dpkg utility then reboot the server.
$ sudo dpkg –install *.deb
$ reboot - Check the kernel version after reboot
Use the same command used in the first step. You will see an upgraded kernel version if everything goes well.
$ uname -rs
We hope this post would help you know How to Fix CVE-2022-25636- A Heap Out of Bounds Write Vulnerability in Netfilter. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
