Re: Linux Kernel eBPF Improper Input Validation Vulnerability

Related Vulnerabilities: CVE-2022-23222  

oss-sec
mailing list archives

From: tr3e wang <tr3e.wang () gmail com>

Date: Fri, 14 Jan 2022 16:57:53 +0800

Hi all,

CVE-2022-23222 has been assigned to this issue.

Thanks,
tr3e

tr3e wang <tr3e.wang () gmail com> wrote on Thursday, 13 January 2022 at 16:21:

Hi all,

This vulnerability allows local attackers to escalate privileges on
affected installations of Linux Kernel. An attacker must first obtain the
ability to execute low-privileged code on the target system in order to
exploit this vulnerability.

The specific flaw exists within the handling of eBPF programs. The issue
results from the lack of proper validation of user-supplied eBPF programs
prior to executing them. An attacker can leverage this vulnerability to
escalate privileges and execute code in the context of the kernel.
BE AWARE, unprivileged bpf is disabled by default in most distros.

*Affected Version*

    Linux Kernel 5.8 or later

*Root Cause Analysis*

The bpf verifier (kernel/bpf/verifier.c) did not properly restrict several
*_OR_NULL pointer types, which allows these types to do pointer arithmetic.
This can be leveraged to bypass the verifier check and escalate privilege.
(see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/verifier.c?h=v5.10.83#n6022)

*Exploit Code*

Exploit code will be delayed for 5 days and will be posted at 12:00 UTC,
Jan 18, 2022

*Mitigations*

set kernel.unprivileged_bpf_disabled to 1

BE AWARE AGAIN, unprivileged bpf is disabled by default in most distros.

*Credits*

tr3e of SecCoder Security Lab

Best,
tr3e

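A defender-side check and persistence of the mitigation named in the quoted advisory, added here as an example; it is not part of the original post or of the kernel project's code. It assumes the sysctl kernel.unprivileged_bpf_disabled with values 0, 1 and 2 as documented for mainline kernels, and the drop-in file name /etc/sysctl.d/99-cve-2022-23222.conf is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and apply the
# kernel.unprivileged_bpf_disabled mitigation for CVE-2022-23222.
# Assumed sysctl semantics: 0 = unprivileged bpf() allowed,
# 1 = disabled until reboot, 2 = disabled but root may re-enable.

# Map the raw sysctl value to a human-readable verdict.
bpf_sysctl_verdict() {
    case "$1" in
        0) echo "EXPOSED: unprivileged bpf() syscall is allowed" ;;
        1) echo "MITIGATED: unprivileged bpf() disabled (locked until reboot)" ;;
        2) echo "MITIGATED: unprivileged bpf() disabled (root may re-enable)" ;;
        *) echo "UNKNOWN: unexpected value '$1'" ;;
    esac
}

# True (exit 0) when major.minor is 5.8 or later, the range the advisory
# lists as affected. Accepts uname -r style input such as "5.10.83-generic".
kernel_in_affected_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# Read the live value from procfs; "missing" when the knob is absent
# (for example a kernel built without CONFIG_BPF_SYSCALL).
read_live_sysctl() {
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        cat /proc/sys/kernel/unprivileged_bpf_disabled
    else
        echo missing
    fi
}

# Apply the advisory's mitigation now and persist it across reboots
# (requires root; the drop-in file name is a constructed placeholder).
apply_mitigation() {
    sysctl -w kernel.unprivileged_bpf_disabled=1
    printf 'kernel.unprivileged_bpf_disabled = 1\n' \
        > /etc/sysctl.d/99-cve-2022-23222.conf
}

# Report only when executed directly under this constructed name.
if [ "${0##*/}" = "check_unpriv_bpf.sh" ]; then
    if kernel_in_affected_range "$(uname -r)"; then r=yes; else r=no; fi
    echo "kernel $(uname -r): in affected range? $r"
    bpf_sysctl_verdict "$(read_live_sysctl)"
fi
```

Run `apply_mitigation` only after confirming the verdict is EXPOSED; on most distributions the audit alone already reports MITIGATED, as the advisory notes.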
Current thread:

Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang (Jan 13)

Re: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang (Jan 14)

Re: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang (Jan 18)
