CVE-2022-32250 An attacker with user/net namespace access can escalate privileges to root due to an NFT_STATEFUL_EXPR bug.

The issue was discovered by David Herrmann.

CVE-2018-17144: A pipe redirection flaw was found in the way nf_tables_sync() handled redirecting pipes. A user with the ability to create/remove network namespaces could potentially use this flaw to bypass intended network access restrictions. This issue has been resolved by disabling network namespace creation/removal by default. As a workaround, the user can set the net.net_adm_network_ns sysctl to 0 to disable the feature completely.
To reduce the impact of this issue, the nft command has been updated to no longer allow user name/namespace creation when using the redirection feature. Note that user namespaces are still possible using the traditional method.
This issue does not occur when redirecting standard input or standard output.

CVE-2018-17142: An issue was discovered in the Linux kernel before version 5.18. There is a race condition in the close() operation, between the inode being locked by the kernel and the device's driver. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain administrative privileges.
The Common Vulnerabilities and Exposures project ID is CVE-2018-17142.

CVE-2018-17143: An issue was discovered in the Linux kernel through 5.18. An incorrect function dereference could cause an out-of term system

Mitigation steps for CVE-2018-17141

This issue does not occur when redirecting standard input or standard output.

