There is another vulnerability found in Linux Kernel. Selim Enes Karaduman, a security researcher (@Enesdex) who disclosed this vulnerability, says that the flaw being tracked as CVE-2022-2959 allows attackers to perform privilege escalation attacks and even crash the system. Let’s see the Kernel versions affected by the flaw, its impact if exploited, and finally, how to fix CVE-2022-2959- a privilege escalation vulnerability in Linux Kernel.
Summary of CVE-2022-2959
This is a local privilege escalation vulnerability in Linux Kernel that is tracked under CVE ID CVE-2022-2959 and has been assigned the CVSS score of 7.8 out of 10. The flaw stemmed due to improper handling of pipe buffers. This flaw allows a local user (with access to a vulnerable privileged driver) who can execute low-privileged code on the target system to trigger a notification in the watch queue by calling ost_one_notification() and accessing the freed pipe buffer. This would give way for a local, unprivileged user to execute a code as a privileged user.
According to an advisory published by RedHat, “A race condition was found in the Linux kernel’s watch queue due to a missing lock in the pipe_resize_ring(). The race condition occurs when a thread uses ioctl(IOC_WATCH_QUEUE_SET_SIZE) to resize the pipe buffer and free the old pipe buffer, while another thread uses keyctl() to trigger a notification in the watch queue, calling post_one_notification() and accessing the freed pipe buffer.”
The flaw can’t be exploited remotely. The advisory should have local access to the victim machine to exploit the vulnerability.
|Associated CVE ID||CVE-2022-2959|
|Description||A Privilege Escalation Vulnerability in Linux Kernel|
|Associated ZDI ID||–|
|CVSS Score||7.0 Medium|
|Attack Vector (AV)||Local|
|Attack Complexity (AC)||High|
|Privilege Required (PR||Low|
|User Interaction (UI)||None|
Linux Kernel Version Affected by CVE-2022-2959
The flaw affects Kernel v5.18. A popular server-side Linux distribution, RedHat clarified in its security advisory that this vulnerability doesn’t affect Red Hat Enterprise Linux 6, 7, and 8 since they did not include support for a general notification queue such as watch queue.
Please have the advisories published by other popular Linus distributions hare:
- RedHat: https://access.redhat.com/security/cve/CVE-2022-2959
- SUSU: https://www.suse.com/es-es/security/cve/CVE-2022-2959.html
- Debian: https://security-tracker.debian.org/tracker/CVE-2022-2959
How to Fix CVE-2022-2959- A Privilege Escalation Vulnerability in Linux Kernel?
A code is published on GitHub public repository, which says, “The occupancy check must be done after the lock is taken, and the lock must be taken after the new ring is allocated.” to overcome this Privilege Escalation Vulnerability in Linux Kernel. However, there are no updates seen available from Kernel moderators to fix the vulnerability. We think that it may take more time to research this vulnerability and release an official patch. Until then, if you want to implement it on your own, you can try it out.
We hope this post will help you know how to fix CVE-2022-2959- a privilege escalation vulnerability in Linux Kernel. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.