This week, we’ll discuss three high severity vulnerabilities that could allow attackers to escalate privileges if they have local access to the system.
Linux Kernel eBPF – Improper Input Validation Vulnerability
CVE-2022-23222 describes a vulnerability stemming from the kernel’s handling of eBPF programs. An attacker who can execute BPF may crash the system or execute arbitrary code in the context of the kernel.
Root Cause – The BPF verifier does not properly restrict several *_OR_NULL pointer types, which allows these types to do pointer arithmetic. This can be leveraged to execute arbitrary code or crash the system.
Important note: Unprivileged BPF gets disabled by default in most distros. The bug was introduced in kernel version 5.8.0 and patched on kernel version 5.14.17. Availability of public exploits is another reason why CVE-2022-23222 poses a significant risk.
Keeping up to date with the latest kernel offered by your Linux distribution is an easy way to protect yourself from this vulnerability. If your Linode boots a kernel provided by us, you can verify that your Linode’s Configuration Profile is set to boot the latest kernel and then reboot your Linode.
If you cannot update to a patched kernel immediately, you can also mitigate this vulnerability by ensuring that unprivileged_bpf_disabled is set to 1. The following example will apply temporary mitigation until your Linode reboots. Make sure to write this setting to a sysctl configuration file and securely boot your Linode to persist the mitigation.
# sysctl -w kernel.unprivileged_bpf_disabled=1Source: Tr3e wang of SecCoder Security Lab
Container Escape Using Heap Overflow in Linux Kernel
CVE-2022-0185 is a heap overflow bug that allows an attacker with access to an unprivileged user to escalate their privileges to root. To do this, the attacker must have a specific Linux capability, CAP_SYS_ADMIN. It is important to note that when Docker (or other CRIs) are used in a Kubernetes cluster, the seccomp filter gets disabled by default, so this vulnerability could be exploited in those cases.
Root Cause – The bug is caused by an integer underflow present in fs/fs_context.c:legacy_parse_param, resulting in a valid max length miscalculation. This leads to an integer underflow in the “File System Context” component.
Underflow occurs when a subtraction operation reduces an unsigned integer to a value below zero. Since unsigned integers cannot represent negative numbers, the resulting calculation wraps around the integer’s max value instead. When this underflow occurs within the legacy_parse_param function, , a size check fails, and the attacker can write beyond the bounds of the allocated 4kb memory in the kernel space. Using this “unbound write,” the attacker can change values in the kernel memory and, for example, add access to themself to any other process running on the same node.
The command “capsh –print” can be used in the context of the current user to list enabled capabilities. Exploitation relies on the CAP_SYS_ADMIN capability; however, the permission only needs to be granted in the current namespace. An unprivileged user can use unshare (CLONE_NEWNS | CLONE_NEWUSER) to enter a namespace with the CAP_SYS_ADMIN permission and then proceed with exploitation to root the system. However, using seccomp will prevent the attacker from entering the namespace with that capability.
The vulnerability was introduced in kernel 5.1 and patched in 5.16.2. The exploit code is already surfacing online. Here is the original write-up for more technical details on the findings.
Keeping up to date with the latest kernel offered by your Linux distribution is an easy way to protect yourself from this vulnerability. If your Linode boots a kernel provided by us, you can also verify that your Linode’s Configuration Profile is set to boot the latest kernel and then reboot your Linode. If you are not able to update to a patched kernel immediately, you can apply these mitigations:
- Minimize the usage of privileged containers that have access to the CAP_SYS_ADMIN capability.
- For unprivileged containers, ensure that a seccomp filter is in place that blocks the unshare call will reduce the risk.
- Mitigate exploitation from unprivileged containers by disabling the user’s ability to use user namespaces at a host level. The following example will apply temporary mitigation until your Linode reboots. Make sure to write this setting to a sysctl configuration file and securely boot your Linode to persist the mitigation.
# sysctl -w kernel.unprivileged_userns_clone=0PwnKit – Local Privilege Escalation Vulnerability in Polkit
Polkit is a component for controlling system-wide privileges in Unix-like OSs. It provides a systematic methodology for non-privileged processes to communicate with privileged processes. Additionally, someone can also use polkit to execute commands with elevated privileges using the command pkexec (usually with root).
CVE-2021-4034 is a memory corruption vulnerability in polkit’s pkexec, a SUID-root program installed by default on most major Linux distributions. Successful exploitation allows any unprivileged user to gain root privileges in the default configuration easily.
Root Cause – The pkexec program doesn’t properly validate the number of arguments passed to it, allowing someone to execute arbitrary code as a privileged user.
All Polkit versions from 2009 on are vulnerable and exploitable even if the polkit daemon itself is not running.
Keeping up to date with the latest kernel offered by your Linux distribution is an easy way to protect yourself from this vulnerability. If your Linode boots a kernel provided by us, you can verify that your Linode’s Configuration Profile is set to boot the latest kernel and then reboot your Linode. If you are not able to update to a patched kernel immediately, you can temporarily mitigate the issue by removing the SUID-bit from pkexec:
# chmod 0755 /usr/bin/pkexec
Comments