Multiple Local Privilege Escalation Vulnerabilities Fixed in Linux Kernel
Multiple use-after-free vulnerabilities have recently been found in the Linux kernel that can be exploited to achieve local privilege escalation. That means an attacker or user with restricted access (i.e., a local user) can use these vulnerabilities to obtain elevated privileges or permissions that they should not have.
With elevated access, the attacker can run commands with higher privileges, potentially compromising the entire system. These vulnerabilities have been assigned their specific CVEs and marked as high severity by the National Vulnerability Database.
In this blog post, we will discuss some of these new high-severity vulnerabilities discovered in the Linux kernel.
High-Severity Local Privilege Escalation Vulnerabilities
A use-after-free vulnerability was identified within the Linux kernel’s ‘net/sched: sch_qfq’ component. This vulnerability arises when the ‘plug qdisc’ is employed as a class of the ‘qfq qdisc.’ In this scenario, the act of sending network packets can trigger a use-after-free situation within the ‘qfq_dequeue()’ function, primarily due to an incorrect ‘.peek handler’ implementation in ‘sch_plug’ and the absence of error checking in ‘agg_dequeue()’.
This is also a use-after-free vulnerability present in the Linux kernel ‘s ‘net/sched: cls_fw’ component. The vulnerability becomes apparent when ‘fw_change()’ is invoked on an existing filter, resulting in the entire ‘tcf_result struct’ being consistently copied into the new instance of the filter. This presents a challenge when updating a filter associated with a class, as the ‘tcf_unbind_filter()’ function is always triggered on the old instance within the success path. This action reduces the ‘filter_cnt’ of the still-referenced class and renders it eligible for deletion, ultimately resulting in a use-after-free situation.
Exploiting a use-after-free vulnerability within the Linux kernel’s ‘net/sched: cls_u32’ component can enable local privilege escalation. The vulnerability becomes evident during the execution of ‘u32_change()’ on an existing filter. In this process, the entire ‘tcf_result struct’ is invariably copied into the new filter instance. This creates an issue when updating a filter associated with a class, as the ‘tcf_unbind_filter()’ function is consistently invoked on the old instance within the success path. Consequently, this action reduces the ‘filter_cnt’ of the still-referenced class and permits its deletion, ultimately leading to a use-after-free scenario.
A use-after-free vulnerability was found within the Linux kernel’s ‘netfilter: nf_tables’ component. This vulnerability arises from a race condition occurring between nf_tables’ netlink control plane transaction and the garbage collection of nft_set elements. This race condition has the potential to trigger an underflow in the reference counter, leading to the emergence of a use-after-free vulnerability.
Local privilege escalation can be achieved through the exploitation of a use-after-free vulnerability within the Linux kernel’s ‘af_unix’ component. This vulnerability stems from the ‘unix_stream_sendpage()’ function, which attempts to append data to the final skb (socket buffer) in the recipient’s receive queue without acquiring the necessary locks. Consequently, a race condition arises where ‘unix_stream_sendpage()’ can potentially access an skb that is in the process of being released by garbage collection, leading to a use-after-free scenario.
How to Mitigate these Vulnerabilities?
Local privilege escalation vulnerabilities are of great concern because they can be used to bypass user-level restrictions and gain control over a system. Therefore, staying updated and applying patches regularly to mitigate such vulnerabilities and their potential risks is critical. Missing or delaying patches can negatively impact your security and operation of the server.
The best way to avoid delaying patches is to utilize an automated patching solution like KernelCare Enterprise. KernelCare automatically applies security patches to the Linux kernel while the kernel is running. That means it does require the kernel to be restarted, which is a headache for system administrators.
Such patching is known as live patching, in which patches are applied without the reboot. This eliminates patching-related downtime or maintenance windows, ultimately keeping the 100% uptime of servers without disrupting any services.
Speak to our experts to learn more about live Linux patching and how it works.