Security researcher Rory McCune recently publicized a high-risk heap buffer overflow vulnerability (CVE-2022-0185) in the Linux kernel's filesystem context code (fs/fs_context.c). The length check in legacy_parse_param() is subject to an integer underflow: once the accumulated mount-option data approaches one page, the check no longer rejects oversized parameters, so a caller of fsconfig() can write past the end of the page-sized buffer. Exploiting it requires CAP_SYS_ADMIN in the caller's user namespace, which an ordinary local user obtains simply by creating a new user namespace (unshare with CLONE_NEWUSER) wherever unprivileged user namespaces are enabled; from there the overflow can be turned into root on the host. In container environments this means a container escape from Docker and Kubernetes workloads, provided the container can create a user namespace or already holds CAP_SYS_ADMIN: the default Docker seccomp profile blocks the unshare call, whereas Kubernetes pods run without a seccomp profile unless one is configured, so a default pod on an unpatched node is exploitable. The flaw is rated High (CVSS 7.8): the impact is full compromise and it is easy for a local attacker to trigger. A proof-of-concept exploit has been published, which raises the risk further.
Affected versions
- 5.1-rc1 <= Linux kernel < 5.16.2 (the vulnerable code was introduced with the filesystem context API in 5.1), except the fixed stable releases below
Unaffected versions
- Linux kernel 5.4.174 and later 5.4.x
- Linux kernel 5.10.94 and later 5.10.x
- Linux kernel 5.15.17 and later 5.15.x
- Linux kernel 5.16.2 and later (including 5.16.3)
- Linux kernel older than 5.1
Note that 5.x stable series not listed here (for example 5.11 to 5.14) were already end-of-life when the fix landed and received no upstream fix.
Solution
Fixed kernels have been released upstream (5.16.2 and the stable backports listed above), and distributions have shipped patched packages for CVE-2022-0185. Every system in the affected range should apply its distribution's kernel update as quickly as possible. Distribution kernels backport the fix without changing the upstream version string, so check the package version against the vendor advisory rather than relying on uname -r alone. Installing the new kernel requires a reboot of the host to take effect (unless the vendor provides a live patch).
Until the kernel is updated, Red Hat recommends mitigating the flaw by preventing unprivileged users from creating user namespaces (CLONE_NEWUSER), which removes the path by which an ordinary user gains the CAP_SYS_ADMIN needed to reach fsopen()/fsconfig():
echo "user.max_user_namespaces = 0" >> /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf
On Ubuntu and Debian kernels there is an additional, distribution-specific knob that refuses only unprivileged CLONE_NEWUSER while leaving privileged user-namespace creation intact:
sysctl -w kernel.unprivileged_userns_clone=0
The value must not contain spaces around "=" when passed to sysctl -w, and -w is not persistent across reboots; to persist it, add the same line to a file under /etc/sysctl.d/ as in the Red Hat example. Either mitigation breaks software that depends on unprivileged user namespaces, notably rootless container runtimes and some application sandboxes, so test it before rolling it out fleet-wide. In Docker and Kubernetes, applying the default seccomp profile (which blocks unshare and clone with CLONE_NEWUSER) to workloads is a complementary mitigation, but the kernel update remains the only complete fix.
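The following POSIX shell script is an added example, not part of the original advisory or of any vendor tooling. It encodes the affected and fixed version thresholds listed above so a host's uname -r can be classified, and checks whether either of the two sysctl mitigations is in effect. The function and file names are the author's own choice; the sysctl paths under /proc/sys are the real ones the commands above write to, and the SYSCTL_ROOT parameter exists only so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a kernel version against
# the CVE-2022-0185 affected range and report whether unprivileged user
# namespaces are disabled.

# kernel_affected VERSION -> prints "yes" or "no"
# VERSION is a uname -r style string such as "5.10.90-1-amd64" or "5.1-rc1".
# Everything after the first '-' (rc tags, distro suffixes) is ignored, and
# any non-digit trailing characters in a component (e.g. "0+") are dropped.
# Caveat: distro kernels backport fixes without bumping the upstream version,
# so "yes" means "check the vendor advisory", not "proven vulnerable".
kernel_affected() {
    v=${1%%-*}
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}

    # Vulnerable code was introduced in 5.1-rc1 and fixed in 5.16.2, so
    # nothing outside the 5.1 .. 5.16 series is affected.
    if [ "$maj" -ne 5 ] || [ "$min" -lt 1 ] || [ "$min" -ge 17 ]; then
        echo no; return
    fi

    # First fixed patch level in each stable series that received the fix.
    case $min in
        4)  fixed=174 ;;
        10) fixed=94 ;;
        15) fixed=17 ;;
        16) fixed=2 ;;
        *)  fixed= ;;   # other 5.x series were EOL: no upstream fix exists
    esac

    if [ -n "$fixed" ] && [ "$pat" -ge "$fixed" ]; then
        echo no
    else
        echo yes
    fi
}

# userns_disabled [SYSCTL_ROOT] -> prints "yes" or "no"
# Checks the two knobs the mitigations above set. SYSCTL_ROOT defaults to
# /proc/sys; it is a parameter so the function can run on a constructed tree.
userns_disabled() {
    root=${1:-/proc/sys}
    # Debian/Ubuntu-only knob: 0 refuses unprivileged CLONE_NEWUSER.
    f="$root/kernel/unprivileged_userns_clone"
    if [ -r "$f" ] && [ "$(cat "$f")" -eq 0 ]; then
        echo yes; return
    fi
    # Mainline knob: 0 means no user namespaces can be created at all.
    f="$root/user/max_user_namespaces"
    if [ -r "$f" ] && [ "$(cat "$f")" -eq 0 ]; then
        echo yes; return
    fi
    echo no
}

# check_host -> human-readable report for the running machine.
check_host() {
    kver=$(uname -r)
    echo "kernel $kver: in upstream affected range: $(kernel_affected "$kver")"
    echo "unprivileged user namespaces disabled: $(userns_disabled)"
}

# Run the host report only when explicitly requested, e.g.
#   RUN_CHECK=1 sh check_cve_2022_0185.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_host
fi
```

A host that reports "in upstream affected range: yes" and "unprivileged user namespaces disabled: no" has neither the fix nor the mitigation; one that reports "yes" and "yes" is mitigated but should still be patched, since the mitigation only removes the unprivileged path and does nothing for processes that already hold CAP_SYS_ADMIN.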