A security researcher has discovered that the Linux kernel is affected by a high-severity vulnerability (CVE-2022-2964, CVSS score: 7.8) that an attacker can exploit to gain arbitrary code execution.
The bug consists of multiple out-of-bounds reads and possible out-of-bounds writes in the Linux kernel driver for "ASIX AX88179_178A based USB 2.0/3.0 Gigabit Ethernet Devices", specifically in the driver's ax88179_rx_fixup() function.
According to the Linux kernel git repository, “ax88179_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular:
- The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips.
- A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack.
- A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB’s data.”
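The three conditions quoted above are exactly the properties a receive path has to verify before trusting device-supplied metadata. The C function below is an added illustration of such validation, not code from the kernel driver or from the advisory: it assumes a simplified buffer model (packet payloads back to back from offset 0, followed at hdr_off by pkt_cnt little-endian 16-bit length fields) and rejects frames whose metadata array or packets fall outside the buffer or overlap the metadata.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified receive-buffer model (an assumption for this example, not the
 * driver's exact format): packet payloads sit back to back from offset 0,
 * and a metadata array of pkt_cnt little-endian 16-bit length fields starts
 * at hdr_off, i.e. the hdr_off..hdr_off+2*pkt_cnt range the advisory names. */

/* True only when the metadata array and every packet it describes lie
 * inside buf[0..len) and no packet overlaps the metadata array. */
bool rx_layout_ok(const uint8_t *buf, size_t len, size_t hdr_off, size_t pkt_cnt)
{
    /* The metadata array must fit; the division keeps this overflow-free. */
    if (pkt_cnt == 0 || hdr_off > len || pkt_cnt > (len - hdr_off) / 2)
        return false;
    size_t pos = 0; /* start of the next packet payload */
    for (size_t i = 0; i < pkt_cnt; i++) {
        const uint8_t *d = buf + hdr_off + 2 * i;
        uint16_t plen = (uint16_t)(d[0] | (d[1] << 8));
        /* A packet must end at or before hdr_off: inside the buffer and
         * clear of the metadata that describes it. */
        if (plen == 0 || plen > hdr_off - pos)
            return false;
        pos += plen;
    }
    return true;
}

/* Scratch buffer for the constructed sample below. */
uint8_t sample_buf[16];

/* Constructed sample frame: payloads of 3 and 5 bytes, then their two length
 * fields at hdr_off = 8. Returns the frame length (12), or 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t frame[] = { 'a', 'b', 'c', 1, 2, 3, 4, 5, 3, 0, 5, 0 };
    if (cap < sizeof frame)
        return 0;
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}
```

Corrupting a single length field so a packet runs into the metadata, or pointing hdr_off past the buffer end, makes the check fail, which is the behaviour a hardened driver needs before it builds SKBs from the frame.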
The researcher demonstrated that successful exploitation of this bug leads to arbitrary code execution, as tested on Linux kernel 5.16.9. By sending a specially crafted request, an attacker could exploit the CVE-2022-2964 vulnerability to execute arbitrary code or cause a denial of service condition on the system.
Linux kernel maintainers have officially released security patches. It is recommended that users update Linux servers immediately and apply the patches for other distributions as soon as they become available. Make sure that your Linux distribution is running Linux kernel 5.16.10 or later.