Researcher publishes PoC for CVE-2021-22555 Linux Netfilter Local Privilege Escalation Flaw
On July 14, 2021, security researcher @theflow published an analysis report on the CVE-2021-22555 Linux Netfilter privilege escalation vulnerability. This vulnerability was used in kCTF to attack the kubernetes pod container to achieve virtualization escape. The vulnerability number is CVE-2021-22555 with the CVSS v3 score of 7.8.
The Linux Netfilter module is a software framework used to manage network packets in the kernel. The well-known tools such as iptables and nftables are all developed based on Netfilter. This vulnerability exploits the improper logic in the use of the memcopy and memset functions in Netfilter to achieve privilege escalation.
Vulnerability Detail
A flaw was discovered in processing setsockopt IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) for 32 bit processes on 64 bit systems. This flaw will allow local user to gain privileges or cause a DoS through user name space. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges
Affected version
| Kernel | Affected version | Unaffected version |
|---|---|---|
| Linux:kernel-netfilter | <b29c457a6511435960115c0f548c4360d5f4801d | b29c457a6511435960115c0f548c4360d5f4801d |
| debain:stretch | 4.9.228-1 | 4.9.272-1 |
| debain:buster | 4.19.171-2 | 4.19.194-1 |
| Linux:Kernel | >=2.6.19 | 5.12,5.10.31, 5.4.113, 4.19.188, 4.14.231, 4.9.267, 4.4.267 |
Solution
In this regard, we recommend that users upgrade the Linux Kernel to the latest version in time. According to RedHat’s suggestions, users can implement the following operations by disabling non-privileged users to execute CLONE_NEWUSER, CLONE_NEWNET to mitigate the impact of this vulnerability
echo 0 > /proc/sys/user/max_user_namespaces
