Red Hat recently issued a security advisory for a Linux kernel local privilege escalation vulnerability tracked as CVE-2022-3977. The flaw is a use-after-free bug in mctp_sk_unhash in net/mctp/af_mctp.c, the kernel's socket code for MCTP (Management Component Transport Protocol). The root cause is a race: a DROPTAG ioctl issued at the same time as the socket is closed can cause the same key to be torn down twice. The bug was reported by the Active Defense Lab of Venustech.
“An unprivileged user reproduced it with new namespaces. It would cause Local Privilege Escalation (LPE). It was introduced in v5.18.0, the commit is 63ed1aab3d40aa61aaa66819bdce9377ac7f40fa. It affected all the way up to upstream v6.0.0 and stable. Unfortunately, the mctp kernel module is not automatically loaded,” reads the report on the seclists website.
A use-after-free vulnerability was identified in mctp_sk_unhash in net/mctp/af_mctp.c in the upstream Linux kernel, and it can be exploited to escalate privileges to root. A use-after-free is a memory corruption bug in which code keeps using a pointer to memory after that memory has been freed; if the allocator has since handed the same memory to another object, the stale pointer now reads or writes that object instead. In the kernel this can crash the machine or silently corrupt data, and under attacker control it can be turned into arbitrary code execution. Because this bug is reachable by an unprivileged local user, the outcome here is local privilege escalation rather than remote code execution.
The bug was introduced by the commit that added the tag-control ioctls. “It adds SIOCMCTP{ALLOC,DROP}TAG ioctls for tag control. This change adds a couple of new ioctls for mctp sockets: SIOCMCTPALLOCTAG and SIOCMCTPDROPTAG, where a simultaneous DROPTAG ioctl and socket close may race, as we attempt to remove a key from lists twice, and perform an unref for each removal operation. This may result in a UAF when we attempt the second unref.”
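The double-removal described in that commit message, reduced to a toy model as an added example (this is not code from the kernel, from the fix commit, or from the reporter): a refcounted tag key that two paths, the DROPTAG ioctl and the socket close, both try to unlink and unref. The struct tag_key layout, the key_lock/key_unlock stand-ins and all function names are invented for the illustration, and the "hardened" routine shows the general pattern of only unreffing from the path that actually unlinked the key, not the exact change the upstream fix made.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the failure mode in the commit message above.  A refcounted
 * "tag key" sits on the socket's key list, and both the DROPTAG ioctl path
 * and the socket close path try to unlink it and drop the list's reference.
 * Everything here (struct tag_key, key_lock/key_unlock, the function names)
 * is invented for this example; it is not the kernel's code or its fix. */

struct tag_key {
    int refcount;      /* holders of the key; the list holds exactly one */
    bool linked;       /* still on the key list? (hlist_unhashed() analogue) */
    bool freed;        /* set by our stand-in for kfree() */
    int uaf_unrefs;    /* unrefs that touched the key after it was freed */
};

/* Stand-ins for the spinlock that guards the key lists.  Sequential code
 * needs no real lock; they mark which steps must be atomic in the kernel. */
static void key_lock(void)   { }
static void key_unlock(void) { }

static void key_free(struct tag_key *k)
{
    k->freed = true;   /* record the free instead of releasing memory, so the
                        * use-after-free is observable, not undefined behaviour */
}

static void key_unref(struct tag_key *k)
{
    if (k->freed) {    /* refcount lives in freed memory: this is the UAF */
        k->uaf_unrefs++;
        return;
    }
    if (--k->refcount == 0)
        key_free(k);
}

/* Vulnerable pattern: every caller unlinks and unrefs unconditionally, so
 * the second caller (close after ioctl, or vice versa) unrefs a freed key. */
static void key_remove_vuln(struct tag_key *k)
{
    key_lock();
    k->linked = false;          /* hlist_del() */
    key_unlock();
    key_unref(k);
}

/* Hardened pattern: decide under the lock whether this caller is the one
 * that actually unlinked the key, and only that caller drops the list's
 * reference.  A second caller finds it already unlinked and does nothing. */
static void key_remove_fixed(struct tag_key *k)
{
    bool was_linked;

    key_lock();
    was_linked = k->linked;
    k->linked = false;
    key_unlock();

    if (was_linked)
        key_unref(k);
}

/* Drive "DROPTAG ioctl, then socket close" against a fresh key with the
 * given removal routine and return how many unrefs hit freed memory. */
static int double_unrefs(void (*remove)(struct tag_key *))
{
    struct tag_key k = { .refcount = 1, .linked = true, .freed = false, .uaf_unrefs = 0 };

    remove(&k);   /* SIOCMCTPDROPTAG path */
    remove(&k);   /* close() -> mctp_sk_unhash() path */
    return k.uaf_unrefs;
}

int vuln_double_unrefs(void)  { return double_unrefs(key_remove_vuln); }   /* returns 1 */
int fixed_double_unrefs(void) { return double_unrefs(key_remove_fixed); }  /* returns 0 */

int main(void)
{
    printf("vulnerable removal: %d unref(s) on freed key\n", vuln_double_unrefs());
    printf("hardened removal:   %d unref(s) on freed key\n", fixed_double_unrefs());
    return 0;
}
```

Build with a plain `cc` and run; the two paths are driven back to back because ordering, not interleaving, is what matters for this bug class. In the kernel the ioctl and the close run on different CPUs, so the "is it still linked" check and the clearing of the link must sit in the same critical section as shown; reading the flag outside the lock and unlinking inside it reopens the race.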
The CVE-2022-3977 flaw was fixed in the Linux kernel via this commit. Kernel maintainers have issued the fix upstream, and distributions are shipping patched packages. Users should update Linux servers as soon as the patched kernel is available for their distribution. When triaging exposure, note the reporter's remark that the mctp module is not loaded automatically, so check whether it is present on a given system (for example with lsmod). Until patched, affected systems should allow local access only to trusted users and be monitored.