A newly discovered security loophole in the Linux kernel could be exploited by a local attacker. Netfilter sits behind almost all Linux firewall tools and provides access to the Linux network stack, which makes it a significant piece of Linux security software.
Netfilter is a framework offered by the Linux kernel that supports several networking-related operations.
Sophos threat researcher Nick Gregory discovered this loophole while probing for security issues.
“Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don’t have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails,” Gregory said. “Additionally, while nftables (netfilter tables) require CAP_NET_ADMIN, we can unshare into a new network namespace to get this as a (normally) unprivileged user.”
Tracked as CVE-2022-25636 (CVSS score: 7.8), the vulnerability affects Linux versions 5.4 through 5.6.10 and is the result of a heap out-of-bounds write in the kernel's netfilter, Gregory said.
“The bug is exploitable to achieve kernel code execution (via ROP meaning return-oriented programming), giving full local privilege escalation, container escape, whatever you want,” he added.
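The two preconditions the article names are a kernel in the reported affected range and the ability of an unprivileged user to unshare into a new namespace to obtain CAP_NET_ADMIN. The following POSIX shell script, an added example that is not from the article or from Sophos, checks both on a host; the version range it uses is the one the article reports and should be replaced by the range in your distribution's advisory.

```shell
#!/bin/sh
# Added defender-side check (not from the article). Compares the running
# kernel against a version range and reports whether unprivileged user
# namespaces are permitted, the route the article describes for reaching
# nftables without a real CAP_NET_ADMIN.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    [ "$a" = "$ah" ] && a= || a=${a#*.}
    [ "$b" = "$bh" ] && b= || b=${b#*.}
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
    if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
  done
  echo 0
}

# Reduce a uname -r string such as 5.15.0-91-generic to its numeric prefix.
kernel_base_version() {
  printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# True when version $1 lies within [$2, $3] inclusive.
in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# True when an unprivileged user can create user namespaces, judged from the
# sysctls present: kernel.unprivileged_userns_clone (Debian/Ubuntu patch)
# and user.max_user_namespaces (upstream). Missing sysctls are treated as
# "allowed", the upstream default.
unpriv_userns_allowed() {
  clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)
  [ "$clone" = "0" ] && return 1
  max=$(sysctl -n user.max_user_namespaces 2>/dev/null)
  [ "${max:-1}" -gt 0 ]
}

report() {
  ver=$(kernel_base_version "$(uname -r)")
  # Range as reported by the article; adjust to your distribution's advisory.
  if in_range "$ver" 5.4 5.6.10; then echo "kernel $ver: within reported affected range"
  else echo "kernel $ver: outside reported affected range"; fi
  if unpriv_userns_allowed; then echo "unprivileged user namespaces: allowed"
  else echo "unprivileged user namespaces: restricted"; fi
}

report
```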