CVE-2022-2961: Linux Kernel Privilege Escalation Vulnerability

A security researcher has discovered that the Linux kernel is affected by a potentially medium vulnerability (CVE-2022-2961) that can be exploited by an attacker to grant elevated privileges or crash the system.

Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free flaw in the Amateur Radio X.25 Packet Layer Protocol (PLP Rose) function in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function.

“The bug is race condition inside rose_bind() function. The rose_bind() binds an sk and a given address, and then adds the sk to rose_list via rose_insert_socket(). Since there is no lock_sock() in rose_bind(), a user can call rose_bind() from two threads at the same moment, and the victim sk is possible to be added to rose_list twice,” read the Red Hat Bugzilla website.

“If the race is succeed, sk->sk_node.next will point to sk itself, which makes it become a cycle, and the sk’s refcount is one more than the normal case. When releasing the sk, according to rose_destroy_socket(), rose_remove_socket() is called multiple times which is up to sk_has_allocations(). If sk_has_allocations() returns false the first time, sk won’t be freed and cause a memory leak. Otherwise, sk is freed but can still be accessed via rose_list, which causes a use-after-free. An attacker is able to leak kernel information from /proc/net/rose* and do local privilege escalation in other ways.”

The CVE-2022-2961 flaw affects Linux kernels 5.17, 5.18, and 5.19.

At present, Linux kernel maintainers have officially fixed the bug in Linux kernel 6.0 RC2. It’s recommended that users update Linux servers immediately and apply the patches for other distros as soon as they are available. They’re also recommended to allow only trusted users to access local systems and always monitor affected systems.