Linux Kernel < v5.17rc8 - Privilege Escalation via Out-of-Bounds Write in IPSec Implementation (CVE-2022-27666)

Context

The Linux kernel is a monolithic, modular, multitasking, Unix-like operating system kernel adopted as the kernel for the GNU operating system. The set of the Linux kernel API that regards the interfaces exposed to user applications is composed of UNIX and Linux-specific system calls which can only be invoked by using assembly instructions, which enable the transition from unprivileged user space to privileged kernel space in ring 0.

Vulnerability Summary

A heap buffer overflow vulnerability exists in the Linux kernel. A heap overflow condition is a form of 'out-of-bounds' write of memory, where the buffer that can be overwritten is allocated in the heap portion of memory (memory set aside for dynamic allocation).

Technical Details

The flaw exists in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c.

Impact If Exploited

Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.

Exploit of flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.

Threat Landscape & Known Exploitation

This vulnerability is being exploited as part of a tranche of activity that was initially reported by the CISA (America's Cyber Defense Agency) under its 'KEV' (known exploited vulnerabilities') catalogue process in September of 2024. However, security researchers at FortiGuard Labs in November 2024 reported renewed attacks exploiting the vulnerabilities highlighted in the original CISA advisory, as well as several new vulnerabilities, by Russian military cyber actors known as 'Unit 29155'. These actors are targeting critical infrastructure including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, Central American, and Asian countries. Their goal is believed to be to conduct espionage, steal data, and compromise or destroy sensitive information.

Affected Product Versions

• Linux Kernel prior to version 5.17rc8

NOTE: Multiple operating systems are based on the Linux kernel, and therefore vulnerable, so the list of impacted products is substantial. Multiple *nix operating systems are vulnerable, including Fedora, Debian, and Ubuntu. macOS, AIX, and Solaris may also be vulnerable. Customers with network appliances that run firmware based on a Linux kernel especially may also be vulnerable in some instances.

Indicators of Compromise (IoC)

(An Indicator of Compromise (IOC) is a piece of digital forensics that suggests that an endpoint or network may have been breached. These often include IP addresses involved in known exploitations. AppCheck provides this information both so that so customers can investigate potential breach, as well as take proactive actions such as blocking known malicious IPs or URIs in firewalls and application delivery controllers (IPs and URLs) or adding File Integrity Check rules (hashes).)

The vendor has not published a list of indicators of compromise (IoC) at the time of writing.

Official Remediation Guidance

The Linux project had by March 2022 provided a patch to kernel and distro maintainers. Customers are advised to upgrade their operating system as a priority. Customers are advised to upgrade to the latest version of the impacted product.

Due to ongoing active exploitation of this vulnerability, prioritisation should be given to the urgent remediation of vulnerable systems.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

Vendor Advisories

• https://bugzilla.redhat.com/show_bug.cgi?id=2061633

• https://github.com/torvalds/linux/commit/ebe48d368e97d007bfeb76fcb065d6cfc4c96645

Third-Party Analysis & Threat Intelligence

• https://fortiguard.fortinet.com/outbreak-alert/russian-cyber-espionage

• https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

Proof of Concept (PoC) and Exploit Code

• TBC