Re: CVE-2022-2588 - Linux kernel cls_route UAF

[Vegard Nossum <vegard.nossum () oracle com>]

On 8/9/22 19:11, Thadeu Lima de Souza Cascardo wrote:
> CVE-2022-2588 - Linux kernel cls_route UAF
>
> It was discovered that the cls_route filter implementation in the Linux kernel
> would not remove an old filter from the hashtable before freeing it if its
> handle had the value 0.
>
> Zhenpeng Lin working with Trend Micro's Zero Day Initiative discovered that
> this vulnerability could be exploited for Local Privilege Escalation. This has
> been reported as ZDI-CAN-17440, and assigned CVE-2022-2588.
>
> This bug has been present since the first Linux commit git, v2.6.12-rc2.
>
> Exploiting it requires CAP_NET_ADMIN in any user or network namespace.
>
> It can be mitigated by those users who do not rely on cls_route, by adding
> 'install cls_route /bin/true' to their modprobe.conf or modprobe.d configs,
> in case it's built as a module.
>
> A PoC that will trigger a WARNING is going to be posted in a week.
>
> Fixes have been sent to netdev () vger kernel org and are at
> https://lore.kernel.org/netdev/20220809170518.164662-1-cascardo () canonical com/T/#u.

This isn't the first bug where users can use namespaces to load kernel
modules they wouldn't otherwise be able to load, thus increasing attack
surface. I've posted a patch that attempts to mitigate this somewhat
here (it would have prevented the above bug from being exploited for
what is most likely a majority of users):

https://lore.kernel.org/all/20220809185229.28417-1-vegard.nossum () oracle com/

There is apparently also a parallel discussion about user namespaces and
LSM hooks here that seems relevant:

https://lwn.net/Articles/903580/


Vegard