This week, we’ll discuss high-severity vulnerabilities in the Linux kernel.
Dirty Pipe – Linux Local Privilege Escalation
CVE-2022-0847 allows an unprivileged Linux user to overwrite any arbitrary read-only file. A user could leverage this vulnerability by injecting code into root processes and escalate their privileges into becoming a root user.
Similar to the ubiquitous “Dirty Cow” vulnerability, an attacker can run the Dirty Pipe exploit and write text to a file. What makes Dirty Pipe an easier flaw to exploit is that a user can write text to any arbitrary file and in some cases they can easily escalate privileges via SUID binaries.
Root Cause – The Dirty Pipe vulnerability is caused by an uninitialized pipe_buffer.flags variable. Pipes are tools used for interprocess communication, one end pushes data to it whereas the other end can pull that data. A commit made uninitialized pipe buffers a high severity vulnerability. When injecting PIPE_BUF_FLAG_CAN_MERGE into a page cache reference, it is possible to overwrite data in the page cache, simply by writing new data into the pipe prepared in a special way.
There are some caveats to this vulnerability:
- The attacker must have read permissions for the file
- The offset must not be on a page boundary
- The write cannot cross a page boundary
- The file cannot be resized
Currently, there are no existing mitigations for this vulnerability. If you’re on a Linux kernel version greater than 5.8, the vendor recommends patching to the following versions: 5.16.11, 5.15.25 and 5.10.102.
Updated March 14, 2022: The latest Linode kernel is available, which fixes Dirty Pipe.
Container Escape via cgroups
Control groups, or cgroups, are a Linux kernel feature that allocates and allots computer resource usage for processes. In some cases, these processes will then get organized into hierarchical groups where the resource allocation is allotted based on the group.
Cgroups are commonly used in Linux containers because there are multiple processes running in a container that need to be grouped together.
Root Cause – The vulnerability involves the release_agent file, which is a feature of cgroups v1. The release_agent file allows administrators to configure a “release agent” that runs when a process in the cgroup is finished. The release_agent is only visible in the root cgroup directory and affects all its child cgroups. Whenever a process dies, the kernel checks if its notifiy_on_release enabled, and if it did, then it will spawn the configured release_agent binary. The container escape occurs because Linux didn’t check if the process setting the release_agent file has administrative privileges (ex. The CAP_SYS_ADMIN capability).
This vulnerability can be mitigated by doing the following:
- Enabling AppArmor, SELinux, or Seccomp security profiles
- Disabling unprivileged user namespaces if it isn’t necessary
- Running the container as an unprivileged user
The security researchers at Palo Alto have created a test to determine if your container environment is vulnerable to CVE-2022-0492:
There are some caveats behind this vulnerability. In order to successfully exploit this vulnerability you need to meet the following conditions for successful exploitation:
- A container needs to be ran as a privileged user (root or a user with the no_new_privs flag)
- AppArmor, SELinux, or Seccomp needs to be disabled
- The host needs to enable unprivileged user namespaces
- A container will need to be in a root v1 cgroup
Netfilter Local Privilege Escalation via heap-out-of-bounds write
Netfilter is a framework by the Linux kernel that allows for various networking-related operations to occur. It enables packet filtering, network address (and port) translation, packet logging, and userspace packet queueing. You can also build internet firewalls based on stateless and stateful packet filtering.
CVE-2022-25636, is a vulnerability in which a local user can perform a heap-out-of-bounds write in the function nft_fwd_dup_netdev_offload (nf_dup_netdev.c) and gain privileges. This vulnerability currently affects kernel versions 5.4-rc1 up to 5.6.10.
Root Cause – In the nft_fwd_dup_netdev_offload function, ctx->num_actions++ is used to offset into the flow->rule->action.entries array (nf_dup_netdev.c:67) when setting up dup or fwd flow rules on a chain with hardware offload enabled. The mismatch occurs between the number that the increment is called and the number of allocated entries. The allocated array size is based on the number of nftables expressions that have expr.offload_flags&NFT_OFFLOAD_F_ACTION (nf_tables_offload.c:97), but only the immediate expression type has this (not dup or fwd). This discrepancy allows someone to create a rule with dup/fwd expressions without a corresponding/preceding immediate, leading to an undersized entries array, and an arbitrary number of out of bounds array writes. Someone could write a script and perform an OOB write that can be turned into a Kernel ROP / local privileges escalation.
It’s recommended to patch your kernel to the latest version.