CVE-2022-2586/CVE-2022-2585/CVE-2022-2588: Linux kernel LPE flaw

CVE-2022-2586

Security researchers have discovered 3 new privilege-escalation vulnerabilities in the Linux kernel that could allow a local attacker to execute code on the affected systems with elevated privileges.

As discovered by an independent security researcher working with SSD Secure Disclosure, the Linux kernel vulnerability (CVE-2022-2585) is due to a use-after-free memory error in POSIX CPU timer “when exec’ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed“.

CVE-2022-2586

The vulnerability has been introduced in commit 55e8c8eb2c7b (“posix-cpu-timers: Store a reference to a pid not a task”), which is present since v5.7-rc1. It was fixed just by cleaning up the timers from the de-threaded task before freeing them. The security researcher will publish the PoC next week.

Another bug tracked as CVE-2022-2586, was found by Team Orca of Sea Security (@seasecresponse). A use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation. Exploiting it requires CAP_NET_ADMIN in any user or network namespace. The vulnerability affects Linux kernel v3.16-rc1 and later. Researcher say that CVE-2022-2586 PoC that will trigger KASAN is going to be posted in a week.

Finally, CVE-2022-2588 is a use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local, privileged attacker to crash the system, possibly leading to a local privilege escalation issue. The bug affect linux kernel v2.6.12-rc2 and later.

Administrators are advised to apply the appropriate updates on their Linux distributions as soon as they receive them from their respective distro. They’re also recommended to allow only trusted users to access local systems and always monitor affected systems.

Update: August 18th

Today, the researcher released the PoC exploit code for these three vulnerabilities [1,2,3].