Researcher publishes PoC for CVE-2021-22555 Linux Netfilter Local Privilege Escalation Flaw

On July 14, 2021, security researcher @theflow published an analysis of CVE-2021-22555, a privilege escalation vulnerability in the Linux Netfilter subsystem. The same bug was used in Google's kCTF to break out of a Kubernetes pod container (a container escape, not a hypervisor escape). The vulnerability is tracked as CVE-2021-22555 and carries a CVSS v3 score of 7.8.
Netfilter is the kernel framework that filters and manipulates network packets; well-known tools such as iptables and nftables are built on it. The flaw lies in the 32-bit compatibility path of the x_tables code (used by iptables), where incorrect offset handling around the memcpy/memset that copy and zero-pad rule targets and matches lets a memset write zero bytes past the end of a kernel heap buffer. That out-of-bounds write is what the published exploit turns into local privilege escalation.

Vulnerability Detail

A flaw was discovered in the processing of setsockopt IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) for 32-bit processes on 64-bit systems (the CONFIG_COMPAT path). A local user can exploit it to gain privileges or cause a denial of service. Issuing these setsockopt calls normally requires CAP_NET_ADMIN, so the bug would be reachable only by root; however, if the kernel is built with CONFIG_USER_NS and CONFIG_NET_NS and unprivileged user namespaces are enabled, an unprivileged user can create a new user and network namespace, obtain CAP_NET_ADMIN inside it, and reach the vulnerable code path from there.

Affected version

Kernel                  Affected version                                Unaffected version
Linux:kernel-netfilter  before commit b29c457a6511435960115c0f548c4360d5f4801d   b29c457a6511435960115c0f548c4360d5f4801d and later
debian:stretch          4.9.228-1                                       4.9.272-1
debian:buster           4.19.171-2                                      4.19.194-1
Linux:Kernel            >= 2.6.19                                       5.12, 5.10.31, 5.4.113, 4.19.188, 4.14.231, 4.9.267, 4.4.267

Solution

We recommend that users upgrade the Linux kernel to a fixed version as soon as possible. Where an immediate upgrade is not feasible, Red Hat suggests mitigating the issue by preventing unprivileged users from creating new user and network namespaces (clone/unshare with CLONE_NEWUSER / CLONE_NEWNET), which removes the unprivileged route to CAP_NET_ADMIN:
echo 0 > /proc/sys/user/max_user_namespaces
Note that this setting does not survive a reboot unless it is also persisted through sysctl (key user.max_user_namespaces), that it breaks workloads that rely on unprivileged user namespaces (rootless containers, some sandboxes), and that it does not protect against a user who already holds CAP_NET_ADMIN in the initial namespace. Hosts that cannot run 32-bit (compat) binaries at all are not reachable through this path.
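The affected-version table and the mitigation above can be checked mechanically. The following shell script is an added example, not code from the advisory, from @theflow's write-up or from the kernel: it compares the running kernel against the fixed releases listed in the table, looks up the three relevant kernel config options, and verifies whether max_user_namespaces is already 0. The fixed-version list is copied from the table; /proc/sys/user/max_user_namespaces and /boot/config-$(uname -r) are the standard locations; the sysctl.d filename printed at the end is a placeholder you may rename.

```shell
#!/bin/sh
# Added example: check a host against the CVE-2021-22555 version table and
# the max_user_namespaces mitigation. Illustrative, not the advisory's code.

# Fix releases per stable series, copied from the table above.
FIXED_VERSIONS="5.12 5.10.31 5.4.113 4.19.188 4.14.231 4.9.267 4.4.267"

# strip_release "5.10.31-1-amd64" -> "5.10.31" (drop distro suffixes, -rcN, etc.)
strip_release() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# vercmp A B: print -1, 0 or 1 for A<B, A==B, A>B; missing components count as 0.
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0};  y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return; fi
    done
    printf '%s\n' 0
}

# kernel_status VERSION: print "fixed", "vulnerable" or "unknown-series".
# A kernel is fixed if it is at or above the fix release of its own stable
# series (major.minor). Series not in the table are fixed only from 5.12 on.
kernel_status() {
    v=$(strip_release "$1")
    series=$(printf '%s' "$v" | cut -d. -f1-2)
    for f in $FIXED_VERSIONS; do
        fs=$(printf '%s' "$f" | cut -d. -f1-2)
        if [ "$fs" = "$series" ]; then
            if [ "$(vercmp "$v" "$f")" -ge 0 ]; then echo fixed; else echo vulnerable; fi
            return
        fi
    done
    if [ "$(vercmp "$v" "5.12")" -ge 0 ]; then echo fixed; else echo unknown-series; fi
}

# userns_mitigated [FILE]: succeed when the sysctl holds 0 (unprivileged user
# namespace creation disabled). FILE defaults to the live sysctl.
userns_mitigated() {
    f=${1:-/proc/sys/user/max_user_namespaces}
    [ -r "$f" ] || return 2
    n=$(cat "$f")
    [ "$n" -eq 0 ]
}

# kconfig_has OPTION [CONFIG_FILE]: succeed if OPTION=y in the kernel config.
kconfig_has() {
    opt="$1"; cfg="${2:-/boot/config-$(uname -r)}"
    if [ -r "$cfg" ]; then
        grep -qx "$opt=y" "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -qx "$opt=y"
    else
        return 2
    fi
}

# report: run every check against the running host and print the verdicts.
report() {
    k=$(uname -r)
    echo "kernel $k: $(kernel_status "$k")"
    # All three must be =y for an unprivileged user to reach the compat path.
    for o in CONFIG_USER_NS CONFIG_NET_NS CONFIG_COMPAT; do
        if kconfig_has "$o"; then echo "$o=y"; else echo "$o not set (or config unavailable)"; fi
    done
    if userns_mitigated; then
        echo "user.max_user_namespaces=0: unprivileged user namespaces disabled (mitigated)"
    else
        echo "unprivileged user namespaces allowed; to mitigate (also persisted across reboot):"
        echo "  sysctl -w user.max_user_namespaces=0"
        echo "  echo 'user.max_user_namespaces = 0' > /etc/sysctl.d/99-cve-2021-22555.conf"
    fi
}

# Run the report only when executed directly, so the functions can be sourced.
if [ "${0##*/}" = "cve-2021-22555-check.sh" ]; then report; fi
```

Save it as cve-2021-22555-check.sh and run it as root on each host (the config file under /boot is often root-readable only). A "fixed" verdict is based purely on the version string, so for distribution kernels that backport fixes without bumping the upstream version, consult the distribution's own advisory instead.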