Nothing is as annoying as a security hole in a security program. Xiaochen Zou, a graduate student at the University of California, Riverside, looked for bugs in Linux and found a huge one. This vulnerability, CVE-2022-27666, in the IPSec Encapsulating Security Payload (esp6) cryptographic module can be abused to escalate local privileges.
The problem is your basic heap overflow hole. Xiaochen explained that “the basic logic of this vulnerability is that the receiving buffer of a user message in the esp6 module is an 8-page buffer, but the sender can send a message longer than 8 pages, which clearly creates a buffer overflow”. Yes, yes it will.
As always with buffer overflows, this is bad news. As Red Hat puts it in its security advisory about the bug, “This flaw allows a local attacker with normal user privilege to overwrite kernel heap objects and can cause a local privilege escalation threat.”
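To make the bug class concrete, here is an added example in C that models what the quoted description says: a fixed 8-page receive buffer sitting in front of another heap object, a sender-controlled length that is trusted without a check, and the hardened form that rejects oversized messages. This is not the kernel's esp6 code or Xiaochen's exploit; the arena layout, the `struct neighbour` object, the sentinel value and the sample message are all constructed for illustration, and the model caps writes at its own arena so it runs safely.

```c
/* Added example, not kernel code: a model of the CVE-2022-27666 bug class.
 * An 8-page receive buffer is followed by a neighbouring heap object; a
 * message longer than 8 pages copied without a length check runs into it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE     4096UL
#define RECV_PAGES    8UL
#define RECV_BUF_SIZE (RECV_PAGES * PAGE_SIZE)   /* 8 pages, as in the article */

/* Hypothetical stand-in for a kernel heap object allocated next to the buffer. */
struct neighbour {
    uint64_t magic;            /* sentinel checked for corruption */
    void (*callback)(void);    /* the kind of field an attacker would love to clobber */
};

/* Hypothetical slab-like layout: buffer immediately followed by another object. */
struct arena {
    unsigned char recv_buf[RECV_BUF_SIZE];
    struct neighbour next;
};

#define NEIGHBOUR_MAGIC 0x4c4f43414c455350ULL   /* arbitrary constructed sentinel */

static struct arena *arena_new(void)
{
    struct arena *a = calloc(1, sizeof *a);
    if (a)
        a->next.magic = NEIGHBOUR_MAGIC;
    return a;
}

/* Vulnerable pattern: trusts the sender's length and copies all of it. */
static size_t recv_vulnerable(struct arena *a, const unsigned char *msg, size_t len)
{
    /* Clamped to the arena only so this model never writes outside memory it
     * owns; the real bug has no such clamp and scribbles over whatever follows. */
    if (len > sizeof *a)
        len = sizeof *a;
    memcpy(a->recv_buf, msg, len);   /* len > RECV_BUF_SIZE runs into a->next */
    return len;
}

/* Hardened pattern: refuse anything that does not fit the fixed buffer. */
static int recv_checked(struct arena *a, const unsigned char *msg, size_t len)
{
    if (len > RECV_BUF_SIZE)
        return -1;                   /* kernel code would return -EMSGSIZE here */
    memcpy(a->recv_buf, msg, len);
    return 0;
}

static int neighbour_intact(const struct arena *a)
{
    return a->next.magic == NEIGHBOUR_MAGIC;
}

/* Feed a `pages`-page attacker message through the vulnerable path.
 * Returns 1 if the neighbouring object was corrupted, 0 if not, -1 on OOM. */
int overflow_demo(size_t pages)
{
    struct arena *a = arena_new();
    size_t len = pages * PAGE_SIZE;
    unsigned char *msg = malloc(len);
    int corrupted;

    if (!a || !msg) {
        free(a);
        free(msg);
        return -1;
    }
    memset(msg, 0x41, len);          /* attacker-chosen bytes (constructed) */
    recv_vulnerable(a, msg, len);
    corrupted = !neighbour_intact(a);
    free(msg);
    free(a);
    return corrupted;
}

/* Same message through the hardened path.
 * Returns 0 if accepted with the neighbour intact, -1 if rejected, -2 if the
 * check passed but the neighbour was still damaged (should never happen). */
int checked_demo(size_t pages)
{
    struct arena *a = arena_new();
    size_t len = pages * PAGE_SIZE;
    unsigned char *msg = malloc(len);
    int rc;

    if (!a || !msg) {
        free(a);
        free(msg);
        return -1;
    }
    memset(msg, 0x41, len);
    rc = recv_checked(a, msg, len);
    if (rc == 0 && !neighbour_intact(a))
        rc = -2;
    free(msg);
    free(a);
    return rc;
}

int main(void)
{
    printf("8 pages, unchecked: corrupted=%d\n", overflow_demo(8));
    printf("9 pages, unchecked: corrupted=%d\n", overflow_demo(9));
    printf("9 pages, checked:   rc=%d\n", checked_demo(9));
    return 0;
}
```

The point of the model is the one Red Hat's advisory makes: the overflow does not just crash the receiver, it lands in whatever the allocator placed after the buffer, and a field such as the function pointer in `struct neighbour` is exactly the kind of target that turns a length bug into privilege escalation. A single bound check on the sender-controlled length is the whole fix.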
This is bad enough that both Red Hat and the National Institute of Standards and Technology (NIST) give the hole a high Common Vulnerability Scoring System (CVSS) score of 7.8. Or, as I like to call vulnerabilities with scores like that, it’s a “Fix it now!” error.
Red Hat also noted that if a Linux system is already using IPsec and has IPsec security associations (SAs) configured, no additional privileges are needed to exploit the hole. Since an SA is the basic state every working IPsec deployment maintains, any IPsec-using system that carries the vulnerable code is open to attack from an ordinary local user.
Xiaochen found that the then-current Ubuntu, Fedora, and Debian releases could be exploited with it, and Red Hat reports that Red Hat Enterprise Linux (RHEL) 8 is vulnerable. Specifically, if your kernel’s esp6 module includes the 2017 commits cac2661c53f3 and 03e2a30f6a27, the changes that introduced the bug, it is attackable.
Typically, a heap overflow like this is good for crashing a Linux system and taking it offline. Xiaochen dug deeper and found more: along the way, he found a way to bypass Kernel Address Space Layout Randomization (KASLR). KASLR, as its name implies, makes memory vulnerabilities harder to exploit by loading the kernel at a randomized address rather than a fixed one, so an attacker cannot know in advance where kernel code and data live.
Then, using Filesystem in Userspace (FUSE), the attacker creates a filesystem of their own and maps memory backed by it, so every read and write through that memory, including the kernel’s copy of the oversized message, is serviced by the attacker’s filesystem. That is what lets the attacker hang the kernel at the point they choose. Once that is in place, rooting the system is relatively trivial. And, as we all know, once the attacker is root, it’s game over: the attacker is now in charge of the computer.
The good news is that the fix is already available in the Linux kernel, Ubuntu, Debian, and most other distributions. Now go and apply the patches!