In this week’s digest, we will discuss:
- a privilege escalation vulnerability in the Linux kernel (DirtyCred);
- an arbitrary code execution in PostgreSQL; and
- a privilege escalation vulnerability in the Zoom auto-update process.
DirtyCred Privilege Escalation Vulnerability
Academic researchers from Northwestern University have introduced a new exploitation concept for swapping Linux kernel credentials. The method is similar in effect to the Dirty Pipe vulnerability, CVE-2022-0847. Dirty Pipe is an uninitialized-variable bug in the Linux kernel pipe subsystem, affecting kernel versions 5.8 and higher.
The DirtyCred vulnerability allows local attackers to escalate their privileges on affected Linux kernel versions. To take advantage of it, an attacker must first be able to run low-privileged code on the target system. The underlying flaw lies in the way routing decisions are handled: the kernel fails to validate that an object still exists before performing additional free operations on it. This allows an attacker to gain elevated privileges and run arbitrary code as root.
The DirtyCred vulnerability, registered as CVE-2022-2588, was rated 6.7 medium in the CVSS scoring by Red Hat due to the high impact to confidentiality, integrity, and availability. A successful attack achieves privilege escalation by bypassing kernel credential permission checks.
We recommend that you update affected Linux kernel packages to the latest version as soon as possible.
PostgreSQL Arbitrary Code Execution
A vulnerability found in PostgreSQL could lead to arbitrary code execution as the victim role. An attack requires three things: the ability to create non-temporary objects in at least one schema; the ability to lure or wait for a victim to use the object targeted by CREATE OR REPLACE or CREATE IF NOT EXISTS; and the ability to lure or wait for an administrator to create or update a vulnerable extension in that schema. If all three conditions are met, the attacker can execute arbitrary code as the victim role, which might be a superuser. Both PostgreSQL-bundled and non-bundled extensions appear in the list of known-affected extensions.
The vulnerability has been registered as CVE-2022-2625, and was rated 8.0 high in the CVSS scoring by NVD due to the high impact to confidentiality, integrity, and availability. It has been patched in the PostgreSQL 14.5, 13.8, 12.12, 11.17, 10.22, and 15 Beta 3 releases.
According to PostgreSQL, PostgreSQL 10 will reach End of Life (EOL) on November 10, 2022; therefore, if you are running PostgreSQL 10 in a production environment, PostgreSQL advises upgrading to a newer, supported PostgreSQL version.
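Because the PostgreSQL attack above depends on a non-superuser holding CREATE on a schema that hosts extension objects, a defender can check for both the patch level and that precondition directly. The queries below are an added example for this digest, not code from the PostgreSQL project; they assume a psql session as a role that can read pg_extension and pg_roles, and the REVOKE at the end is a suggested hardening step whose schema name you should adjust to what query 2 reports.

```sql
-- Added audit queries for CVE-2022-2625 exposure (example, not from PostgreSQL).
-- Assumes a session with read access to pg_extension and pg_roles.

-- 1) Is this server on a release that carries the fix? server_version_num
--    encodes major*10000 + minor; the patched minors are 14.5, 13.8, 12.12,
--    11.17 and 10.22. Every 15 beta reports 150000, so a 15 beta must be
--    checked by hand against 'beta3' in server_version.
SELECT current_setting('server_version')          AS server_version,
       current_setting('server_version_num')::int AS version_num,
       CASE current_setting('server_version_num')::int / 10000
         WHEN 14 THEN current_setting('server_version_num')::int >= 140005
         WHEN 13 THEN current_setting('server_version_num')::int >= 130008
         WHEN 12 THEN current_setting('server_version_num')::int >= 120012
         WHEN 11 THEN current_setting('server_version_num')::int >= 110017
         WHEN 10 THEN current_setting('server_version_num')::int >= 100022
         ELSE NULL  -- 15 beta or an unlisted branch: verify manually
       END                                         AS has_fix;

-- 2) The attack needs CREATE on a schema that hosts extension objects. List
--    every installed extension together with each non-superuser role that can
--    create objects in its schema. Grants to PUBLIC (such as the default CREATE
--    on schema public before PostgreSQL 15) and inherited role membership are
--    both reflected by has_schema_privilege.
SELECT e.extname,
       n.nspname AS extension_schema,
       r.rolname AS role_with_create
FROM   pg_extension e
JOIN   pg_namespace n ON n.oid = e.extnamespace
JOIN   pg_roles     r ON NOT r.rolsuper
                     AND r.rolname !~ '^pg_'          -- skip built-in roles
                     AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER  BY e.extname, n.nspname, r.rolname;

-- 3) Until the server is upgraded, remove the precondition found in (2) for the
--    common case: stop untrusted roles from creating objects in the schema where
--    extensions live. 'public' is an example; repeat per schema reported above.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Any row returned by query 2 is a schema where an extension create or update could adopt a pre-placed object, so it is the list to work through before the next extension upgrade.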
Zoom Client for macOS Privilege Escalation Vulnerability
A vulnerability was discovered in the Zoom meetings client for macOS that could allow a locally-authenticated attacker to escalate their privileges on the system. The vulnerability is caused by a flaw in the auto-updater process. An authenticated attacker could use it to obtain root access to the victim's machine by sending a well-crafted request.
This vulnerability has been registered as CVE-2022-28757, and was rated 8.8 high in the CVSS scoring by Zoom Video Communications, Inc. due to the high impact to confidentiality, integrity, and availability. It affects the Zoom meetings client for macOS from version 5.7.3 up to, but not including, version 5.11.6.
Trending Vulnerabilities this Week
- CVE-2022-32250: Local privilege escalation in the Linux kernel through 5.18.1
- CVE-2022-0028: Reflected and amplified TCP denial-of-service (RDoS) in Palo Alto Networks
- CVE-2022-22536: Unauthenticated request smuggling and request concatenation in SAP SE Applications
- CVE-2021-30657: Gatekeeper checks bypass in macOS Big Sur
- CVE-2022-26923: Active Directory Domain Services Elevation of Privilege Vulnerability