April 01, 2022

Linux Networking Bug


A graduate student at the University of California has found a vulnerability (CVE-2022-27666) in IPSec’s esp6 crypto module that can potentially be abused for local privilege escalation. The problem is a heap overflow: the receive buffer for a user message in esp6 is 8 pages, but a message larger than that can be sent, overflowing the buffer.

Red Hat states this can allow an attacker to overwrite kernel heap objects and escalate their local privileges. Both NIST and Red Hat have given this vulnerability a CVSS score of 7.8, which is very high. If IPSec is already in use on a Linux system (more than likely) and has IPSec Security Associations configured (which is essential to the network security protocol), no additional privileges are needed to exploit this bug, meaning many people are exposed to this attack, including users of popular Linux distros such as Ubuntu, Debian, and Fedora.
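The preconditions above (esp6 loaded and at least one IPv6 ESP Security Association present) are what an administrator would want to check before the distro kernel update lands. The script below is an added example, not code from the original post or from the researcher; it parses the text of `lsmod` and `ip xfrm state`, and the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example: report whether this host meets the CVE-2022-27666 preconditions
# (esp6 module loaded, at least one IPv6 ESP SA configured).

# Count IPv6 ESP SAs in `ip xfrm state` output read from stdin.
# An SA is printed as a "src ... dst ..." line followed by an indented "proto esp" line.
count_ipv6_esp_sas() {
    awk '
        /^src /                   { v6 = ($2 ~ /:/) }   # remember address family of this SA
        /^[[:space:]]*proto esp/  { if (v6) n++ }       # ESP SA under an IPv6 src line
        END                       { print n + 0 }
    '
}

# Return 0 if esp6 appears as a module name in `lsmod` output read from stdin.
esp6_loaded() {
    awk 'BEGIN { r = 1 } $1 == "esp6" { r = 0 } END { exit r }'
}

# $1 = lsmod text, $2 = ip xfrm state text. Returns 0 (and prints EXPOSED)
# only when both preconditions hold.
assess_exposure() {
    sas=$(printf '%s\n' "$2" | count_ipv6_esp_sas)
    if printf '%s\n' "$1" | esp6_loaded && [ "$sas" -gt 0 ]; then
        echo "EXPOSED: esp6 loaded, $sas IPv6 ESP SA(s); apply the distro kernel update"
        return 0
    fi
    loaded=$(printf '%s\n' "$1" | esp6_loaded && echo yes || echo no)
    echo "NOT-EXPOSED: esp6 loaded=$loaded, IPv6 ESP SAs=$sas"
    return 1
}

# Constructed sample output (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
esp6                   28672  0
xfrm_algo              16384  1 esp6'
SAMPLE_XFRM='src 2001:db8::1 dst 2001:db8::2
    proto esp spi 0x00001000 reqid 1 mode tunnel
    replay-window 32
    aead rfc4106(gcm(aes)) 0x00 128
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x00002000 reqid 2 mode transport'

# Live use: assess_exposure "$(lsmod)" "$(ip xfrm state)"
assess_exposure "$SAMPLE_LSMOD" "$SAMPLE_XFRM"
```

Only the IPv6 SA is counted, so the sample reports one SA and EXPOSED; the IPv4 transport-mode SA is ignored because the bug is in the esp6 path.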


The student was also able to bypass Kernel Address-space Layout Randomisation (KASLR), which typically makes memory exploitation much harder because code and data are placed at random rather than at fixed memory addresses. After hanging this process, an attacker could use Filesystem in Userspace (FUSE) to create their own filesystem and map memory to it. All reads and writes to that memory are then handled by the attacker’s filesystem, which makes it trivial to gain root access to the system.

Please see the updates for your Linux distro in order to patch this vulnerability!
