• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter
How to Fix CVE-2022-25636- A Heap Out of Bounds Write Vulnerability in Netfilter

There is another vulnerability has been identified in the Linux Kernel a few days after disclosing the Dirty Pipe Vulnerability. A senior threat researcher, Nick Gregory from Sophos, has disclosed this flaw in the Netfilter module that provides firewall, NAT, and packet mangling services to Linux Kernel. The flaw has been tracked as CVE-2022-25636 has a base score of 7.8 as per the CVSS3.1 scoring system. The successful exploitation of the flaw could let attackers achieve kernel code execution (via ROP), giving full local privilege escalation, container escape, whatever they want to do. This is important for all Linux users to know about this vulnerability. Let’s see How to Fix CVE-2022-25636- A Heap Out of Bounds Write Vulnerability in Netfilter.

What Is Netfilter?

Netfilter is a network framework project driven by Free and Open-Source Software. Basically, it provides various network security features, including Firewalling, NAT(PAT), Packet filtering, packet logging, userspace packet queueing, and other packet manglings to the Linux Kernel v2.4.x and later. Netfilter is directly associated with iptables and nftables, which are well-known firewall utilities on the Linux platform.
Some if its main features are:

  • stateless packet filtering (IPv4 and IPv6)
  • stateful packet filtering (IPv4 and IPv6)
  • all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)
  • flexible and extensible infrastructure
  • multiple layers of API’s for 3rd party extensions

Summary Of CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter:

Research says that the flaw is due to improper handling of hardware offload feature in the Netfilter framework. The flaw allows local attackers to gain access to out-of-bounds memory and allows them to perform denial-of-service (DoS), privilege escalation, and arbitrary code execution attacks on the vulnerable system. To exploit this vulnerability, attackers should have a local user account with low privilege on the system.

Associated CVE IDCVE-2022-25636
DescriptionA Heap Out of Bounds Write Vulnerability in Netfilter
Associated ZDI ID
CVSS Score7.8 High
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score5.9
Exploitability Score1.8
Attack Vector (AV)Local
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Kernel Versions Vulnerable To The CVE-2022-25636 Flaw:

This vulnerability affects Linux kernel versions from 5.4 to 5.6.10. Well, the vulnerability has been tested on Ubuntu 21.10 with kernel 5.13.0-30. The result says that sometimes it worked, and sometimes it threw a Kernel Panic. It’s still unclear about the actual versions of the kernel that are affected by the CVE-2022-25636 vulnerability (A Heap Out of Bounds Write Vulnerability in Netfilter).

How To Fix CVE-2022-25636- A Heap Out Of Bounds Write Vulnerability In Netfilter?

We hope this flaw is fixed in the coming versions. However, until there is a fix available, you can apply mitigation for this Heap Out of Bounds Write Vulnerability in the Netfilter module.
To mitigate this issue, you need to disable unprivileged user namespaces to restrict access to privileged users. This could be done either any of the ways:
Method 1: Write ‘0’ in /proc/sys/user/max_user_namespaces file.

$ sudo echo 0 > /proc/sys/user/max_user_namespaces

Reload the system configuration files to write this configuration permanently.

$ sudo sysctl --system

Method 2: Set the kernel.unprivileged_userns_clone sysctl to 0

$ sudo sysctl kernel.unprivileged_userns_clone=0

How To Upgrade Kernel To The Latest Version?

How to Upgrade Kernel to v5.17?

Note: Before you download and install it on your production server, we recommend testing this on a test machine. Don’t forget to take the full VM snapshot if are upgrading the kernel on a Virtual Image. Or, take filesystem back up if you have a physical server.

  1. Check the kernel version

    Before you start upgradation, check the version of the kernel your server has. What if the kernel version is not in the list of affected versions, If so, you can schedule this later as per your time.

    Run this command to check the kernel version.

    $ uname -rs

    Check the kernel version

  2. Download kernel modules 5.17

    Download the kernel packages directly from the kernel.ubuntu.com website. Download the latest version available (At the bottom) from the website to a dedicated directory. Change the permission of the files to execute.

    Create a directory in your path:

    $ mkdir /home/arunkl/kernel-5.17

    Change the directory:

    $ cd /home/arunkl/kernel-5.17/

    Download these two files (where X.Y.Z is the highest version):

    1. linux-image-*X.Y.Z*-generic-*.deb
    2. linux-modules-X.Y.Z*-generic-*.deb


    Commands to download the kernel v5.17

    $ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.17-rc7/amd64/linux-image-unsigned-5.17.0-051700rc7-generic_5.17.0-051700rc7.202203062330_amd64.deb


    $ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.17-rc7/amd64/linux-modules-5.17.0-051700rc7-generic_5.17.0-051700rc7.202203062330_amd64.deb


    Run this command to set the files permission to execution mode:

    $ chmod +x *.deb

    Download kernel modules 5.17

  3. Install kernel module 5.17

    Install the downloaded packages using the default dpkg utility then reboot the server.

    $ sudo dpkg –install *.deb
    $ reboot

    Install kernel module 5.17

  4. Check the kernel version after reboot

    Use the same command used in the first step. You will see an upgraded kernel version if everything goes well.

    $ uname -rs

    Check the kernel version after reboot

We hope this post will help you know How to Fix CVE-2022-25636- A Heap Out of Bounds Write Vulnerability in Netfilter. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.