A high-severity vulnerability (CVE-2022-29581) has been discovered in the 'net/sched' subsystem of the Linux Kernel. It is a local privilege escalation: an unprivileged local process can use it to gain root. The vulnerability affects Linux Kernel versions from 4.14 up to, but not including, 5.18.

The vulnerability is classified as "Improper Update of Reference Count" and is caused by incorrect reference-count handling in the Traffic Control (TC) component of the 'net/sched' subsystem. Because the count is not updated correctly, a kernel object can be freed while another reference to it is still in use. A malicious local process can trigger this use-after-free and turn it into privilege escalation to the root user.
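The bug class named above, reduced to a few lines: a reference-counted object, two holders, and a release path that frees the object when the count reaches zero. This is an added illustration written for this page, not the kernel's code and not the CVE's actual trigger; the object layout, the holder names and the `freed` flag (used in place of a real free so the dangling state can be observed safely) are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of "Improper Update of Reference Count" (constructed for this
 * page; nothing here is kernel code). The object records that it was
 * "freed" in a flag instead of being released, so the program can observe a
 * dangling reference without actually touching freed memory. */
struct obj {
    int refs;   /* live references to this object */
    int freed;  /* set when refs hits zero; a real release would kfree() here */
};

static struct obj *obj_new(void) {
    struct obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->refs = 1;            /* the creator holds the first reference */
    return o;
}

static void obj_get(struct obj *o) { o->refs++; }

static void obj_put(struct obj *o) {
    if (--o->refs == 0)
        o->freed = 1;       /* real code: free the object here */
}

/* A second holder that correctly takes its own reference. */
static void holder_attach_correct(struct obj *o) { obj_get(o); }

/* A second holder that stores the pointer but forgets to take a reference:
 * the mistake this bug class is about. */
static void holder_attach_buggy(struct obj *o) { (void)o; }

/* Scenario: the creator makes the object, a second holder attaches to it,
 * the creator drops its reference, and the second holder then uses the
 * object. Returns 1 if that use is a use-after-free, 0 if it is safe. */
int scenario(int buggy) {
    struct obj *o = obj_new();                  /* refs == 1 */
    if (buggy)
        holder_attach_buggy(o);                 /* refs stays 1 (wrong) */
    else
        holder_attach_correct(o);               /* refs == 2 (right) */

    obj_put(o);                                 /* creator releases */

    int use_after_free = o->freed;              /* second holder's access */

    if (!o->freed)
        obj_put(o);                             /* second holder releases */

    free(o);                                    /* reclaim the model allocation */
    return use_after_free;
}

int main(void) {
    printf("correct refcounting: use-after-free = %d\n", scenario(0));
    printf("missing obj_get():   use-after-free = %d\n", scenario(1));
    return 0;
}
```

The point of the model is that the missing `obj_get()` is invisible at the point where the object is used: the second holder does nothing wrong locally, yet reads an object that the creator's perfectly correct `obj_put()` has already released.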

References

1. CVE-2022-29581 in NVD - National Vulnerability Database
2. Official Linux Kernel Repository
3. Linux Kernel Mailing List - Security Patch

Exploit Details

The exploit involves a process that uses the Traffic Control API, which lets a user manipulate the settings of the network scheduler. The vulnerability exists due to a race condition in the handling of reference counts in the 'net/sched' subsystem. The following snippet shows the netlink socket setup such a process starts from; the TC operations themselves are left as a placeholder:

#include <fcntl.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* NETLINK_ROUTE is the rtnetlink protocol number (0); <linux/netlink.h>
   already defines it, so only provide it if the header did not. */
#ifndef NETLINK_ROUTE
#define NETLINK_ROUTE 0
#endif

int main(void) {
    int sock;
    struct sockaddr_nl saddr;

    /* Raw rtnetlink socket: the channel over which TC (qdisc, class and
       filter) configuration messages are sent to the kernel. */
    sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    memset(&saddr, 0, sizeof(saddr));
    saddr.nl_family = AF_NETLINK;   /* nl_pid left 0: the kernel assigns one */

    if (bind(sock, (struct sockaddr *)&saddr, sizeof(saddr)) < 0) {
        perror("bind");
        close(sock);
        return 1;
    }

    // Malicious operations on TC settings here

    close(sock);
    return 0;
}

To exploit the vulnerability, an attacker first creates a process that uses the Traffic Control API and then attempts to trigger the use-after-free. Once the reference count has been improperly updated and the object released while still referenced, the attacker can turn that into privilege escalation to the root user.

Affected Systems and Patch Information

The vulnerability affects Linux Kernel versions from 4.14 up to, but not including, 5.18. The fix was introduced in Linux Kernel version 5.18, and administrators should apply it as soon as possible. The patch can be found in the Linux Kernel Mailing List - Security Patch post.

Recommendations

1. Update the Linux Kernel to the latest version, preferably 5.18 or later.

2. If updating immediately is not possible, apply the patch provided in the Linux Kernel Mailing List - Security Patch post.

3. Limit unprivileged user access to sensitive systems and resources.
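A first-pass triage helper for the first recommendation, added here as an example and not taken from the advisory or any vendor tool: it parses the running kernel's release string and reports whether the upstream major.minor falls inside the range the advisory gives as affected (4.14 up to, but not including, 5.18). The script name and function names are constructed for this page. Distributions backport security fixes without changing the major.minor, so a "possibly affected" result means "check the vendor changelog for the CVE", not "confirmed vulnerable".

```sh
#!/bin/sh
# Added triage helper (not part of the original advisory). Flags kernels whose
# upstream version lies in the advisory's affected range 4.14 <= v < 5.18.
# Vendor kernels backport fixes without bumping major.minor, so treat a hit
# as "verify against the vendor changelog", not as a confirmed vulnerability.

# is_affected_version RELEASE
#   Returns 0 (true) if RELEASE's major.minor is in [4.14, 5.18), 1 otherwise.
#   RELEASE is a kernel release string such as "5.15.0-91-generic".
#   Unparsable input is never flagged (returns 1).
is_affected_version() {
    rel="$1"
    major=${rel%%.*}                       # text before the first dot
    rest=${rel#*.}                         # text after the first dot
    [ "$rest" = "$rel" ] && return 1       # no dot at all: unparsable
    minor=${rest%%[!0-9]*}                 # leading digits of the second field
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    # Encode major.minor as major*1000+minor so a plain integer compare works.
    code=$((major * 1000 + minor))
    [ "$code" -ge 4014 ] && [ "$code" -lt 5018 ]
}

# classify_kernel RELEASE
#   Prints a one-line verdict beginning with "possibly" or "outside".
classify_kernel() {
    if is_affected_version "$1"; then
        echo "possibly affected: $1 is in 4.14 <= v < 5.18 (verify vendor backports)"
    else
        echo "outside the advisory's affected range: $1"
    fi
}

# When run as a script, check the live kernel.
classify_kernel "$(uname -r)"
```

The release string is parsed with parameter expansion rather than `cut` so that a version with no second field, or with a non-numeric one, is rejected instead of silently misread. After triage, confirm the actual fix status with the distribution's package changelog (the kernel's CVE id is what to search for there), since that is the source of truth for backported kernels.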

Users and administrators are urged to apply the patch and follow the recommendations provided to minimize the risk of exploitation and protect their systems from potential threats.

Timeline

Published on: 05/17/2022 17:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC