Skip to content

OSG-SEC-2022-07-05 HIGH Use-after-free vulnerability in the Linux kernel Netfilter subsystem

Dear OSG Security Contacts,

A use-after-free vulnerability was found in the Linux kernel's Netfilter subsystem in net/netfilter/nf_tables_api.c. This flaw allows a local attacker with user access to cause a privilege escalation issue. [1]

Note: This vulnerability is being tracked with CVE-2022-32250 but is also duplicated by CVE-2022-1966, and may be referred to by either identifier depending on the source.

IMPACTED VERSIONS:

Linux kernel versions through 5.18.1. This vulnerability impacts all major Linux distributions.

WHAT ARE THE VULNERABILITIES:

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free vulnerability. [1]

WHAT YOU SHOULD DO:

Install an updated version of the Linux kernel as soon as a patched version is available for your distribution(s).

Patched kernel versions are available in RHEL 7, RHEL 9, and Debian. [2][3][4] There is not an update for RHEL 8 yet.

MITIGATIONS:

Mitigation is possible by disabling either user namespaces or net namespaces. The OSG recommends leaving net namespaces disabled for those who need user namespaces (for example for use with Singularity), since most kernel vulnerabilities related to user namespaces are in the network area. Follow the instructions on the OSG Singularity installation page [5] for disabling network namespaces or set user.max_user_namespaces = 0 instead of 15000 to disable user namespaces.

REFERENCES

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250

[2] https://access.redhat.com/security/cve/CVE-2022-1966

[3] https://security-tracker.debian.org/tracker/CVE-2022-32250

[4] https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-32250

[5] https://osg-htc.org/docs/worker-node/install-singularity#enabling-unprivileged-singularity

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team