Message-ID: <20220806191022.GA10830@openwall.com>
Date: Sat, 6 Aug 2022 21:10:22 +0200
From: Solar Designer <solar@...nwall.com>
To: "?????????(??????)" <zhangziming.zzm@...group.com>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: Re: CVE-2022-1972: out-of-bound write in Linux netfilter subsystem leads to local privilege escalation

On Thu, Jun 02, 2022 at 10:21:36AM +0800, ?????????(??????) wrote:
> An out-of-bounds write vulnerability was identified within the
> netfilter subsystem,
> which can be exploited to achieve privilege escalation to root.
> 
> In order to trigger the issue it requires the ability to create user/net
> namespaces.
> 
> This vulnerability comes from commit
> https://github.com/torvalds/linux/commit/f3a2181e16f1dcbf5446ed43f6b5d9f56c459f85
> 
> This issue has been fixed within the following commit:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=fecf31ee395b0295f2d7260aa29946b7605f7c85

[...]

> =*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=
> ziming zhang(@ezrak1e) from Ant Group Light-Year Security Lab

Apparently, this vulnerability was also independently discovered by
Arthur Mongodin during an internship at Randorisec, who blogged about it
on June 13 here:

https://randorisec.fr/yet-another-bug-netfilter/

and posted an infoleak PoC here:

https://github.com/randorisec/CVE-2022-1972-infoleak-PoC

Alexander
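The report above names one precondition for triggering the bug: the ability to create user and network namespaces. The script below is an added example, not code from this thread, from Ant Group, or from Randorisec; it checks whether an unprivileged account on the current host can create a user namespace with a nested network namespace (via util-linux `unshare`), and prints the sysctl knobs that commonly govern that. The `kernel.unprivileged_userns_clone` and `kernel.unprivileged_userns_apparmor_policy` paths are distribution-specific (Debian/Ubuntu) and are assumptions about the host; the script simply skips them when absent. Note what this does and does not tell you: a result of `allowed` means the precondition holds, not that the running kernel is unpatched; a result of `denied` only raises the bar, since a process that already holds CAP_NET_ADMIN in a namespace it controls does not need this path.

```shell
#!/bin/sh
# Added example: test the namespace precondition named in the CVE-2022-1972
# report. Not part of the original thread. The two kernel.* paths below are
# an assumption about Debian/Ubuntu kernels and are skipped where missing.

userns_precondition() {
    # Prints exactly one of: allowed, denied, unknown
    if ! command -v unshare >/dev/null 2>&1; then
        echo unknown          # cannot probe without util-linux unshare
        return 0
    fi
    # -U: new user namespace, -r: map the caller to root inside it,
    # -n: new network namespace created inside that user namespace.
    if unshare -U -r -n true 2>/dev/null; then
        echo allowed
    else
        echo denied
    fi
    return 0
}

userns_sysctls() {
    # Show the knobs an administrator would tune to restrict the precondition.
    # user.max_user_namespaces=0 disables user namespace creation outright on
    # mainline kernels; the kernel.* entries exist only on some distributions.
    for f in /proc/sys/user/max_user_namespaces \
             /proc/sys/kernel/unprivileged_userns_clone \
             /proc/sys/kernel/unprivileged_userns_apparmor_policy; do
        [ -r "$f" ] && printf '%s = %s\n' "$f" "$(cat "$f")"
    done
    return 0
}

printf 'unprivileged user+net namespace creation: %s\n' "$(userns_precondition)"
userns_sysctls
```

Run it as the unprivileged user whose exposure you care about, not as root: root can always create the namespaces, so the answer would be meaningless. Setting `user.max_user_namespaces=0` is the portable way to close the precondition on hosts that do not need unprivileged namespaces; on hosts that do (container runtimes, sandboxed browsers), the only real fix is the patched kernel.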
