[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Linux kernel: CVE-2022-1015,CVE-2022-1016 in nf_tables cause privilege escalation
From: Solar Designer <solar () openwall ! com>
Date: 2022-08-25 13:28:56
Message-ID: 20220825132856.GA29197 () openwall ! com
[Download RAW message or body]
On Mon, Mar 28, 2022 at 08:28:21PM +0200, David Bouman wrote:
> I'm reporting two linux kernel vulnerabilities in the nf_tables
> component of the netfilter subsystem that I found.
>
> CVE-2022-1015 pertains to an out of bounds access in nf_tables
> expression evaluation due to validation of user register indices. It
> leads to local privilege escalation, for example by overwriting a stack
> return address OOB with a crafted nft_expr_payload.
>
> CVE-2022-1015 is exploitable starting from commit 345023b0db3
> ("netfilter: nftables: add nft_parse_register_store() and use it"),
> v5.12 and has been fixed in commit 6e1acfa387b9 ("netfilter: nf_tables:
> validate registers coming from userspace.").
>
> The bug has been present since commit 49499c3e6e18 ("netfilter:
> nf_tables: switch registers to 32 bit addressing"), but to my knowledge
> has not been exploitable until v5.12.
>
> CVE-2022-1016 pertains to uninitialized stack data in the nft_do_chain
> routine. CVE-2022-1016 is exploitable starting from commit 96518518cc41
> (original merge of nf_tables), v3.13-rc1, and has been fixed in commit
> 4c905f6740a3 ("netfilter: nf_tables: initialize registers in
> nft_do_chain()").
>
> I will be releasing a detailed blog post and exploit code for both
> vulnerabilities in a few days.
Apparently, these were published on April 2, but not yet mentioned on
oss-security?
https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/
https://github.com/pqlx/CVE-2022-1015
Alexander
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic