OSG-SEC-2022-03-18 CRITICAL OOB memory access flaw in Linux kernel
Dear OSG Security Contacts,
An out-of-bounds (OOB) memory access flaw was found in nft_fwd_dup_netdev_offload in net/netfilter/nf_dup_netdev.c [1] in the netfilter subcomponent in the Linux kernel due to a heap out-of-bounds write problem. An attacker with a local account on the system can crash the system or escalate their privileges.
IMPACTED VERSIONS:
Linux kernel 5.4 through 5.6.10; Red Hat Enterprise Linux 8.3 GA and later.
Note: Red Hat Enterprise Linux 7 distributions are not affected.
WHAT ARE THE VULNERABILITIES:
This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat. A working exploit is publicly available.
WHAT YOU SHOULD DO:
Update your OS to a patched version of the Linux kernel when it is available for your distribution [3][4][5].
Note: Currently there are no patched kernel packages for RHEL 8.
MITIGATIONS:
The mitigation for RHEL 8 derived distributions is to prevent unprivileged users from running unshare(CLONE_NEWUSER) or unshare(CLONE_NEWNET). This can be done with the command: $ echo 0 > /proc/sys/user/max_user_namespaces
You can make this change persistent by adding the following line to a file in the "/etc/sysctl.d/" directory: user.max_user_namespaces = 0
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system
Note: User namespaces are used primarily for Linux containers. If containers are in use, the above fix is not applicable.
The mitigation for containers can be achieved by blocking the pertinent syscalls in a seccomp policy file. More information about seccomp, please read the RedHat OpenShift Blog post "Seccomp for Fun and Profit" [6].
Alternatively, for sites using Singularity containers, you can disable network namespaces. Instructions to do this can be found in the OSG’s Singularity Install documentation [7].
REFERENCES
[1] https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25636
[3] https://access.redhat.com/security/cve/CVE-2022-25636
[4] https://ubuntu.com/security/CVE-2022-25636
[5] https://security-tracker.debian.org/tracker/CVE-2022-25636
[6] https://www.openshift.com/blog/seccomp-for-fun-and-profit
[7] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team